Test migration for a client running NS7


NethServer Version: 7.9.2009
Module: NS8 Migration

Hi

Doing a test migration for a client running NS7.
NS8 is based on Debian 12, all updates installed according to instructions in the NS8 Admin Doku.
NS8 shows no issues when started or when the Cluster is created.
Local DNS is set correctly for both hosts, running both as VMs on a powerful HP server.
NS7 and NS8 are both allocated 8 cores, about 200 / 300 GB sized disks (Ample!) and have 16 GB RAM each (No RAM Ballooning!). VirtIO is used for NICs and Disk.
All systems are NVMe based.

As migratable Apps are shown:

  • Nextcloud
  • File Server
  • AD

This is correct, as we do not use mail here, and other Apps like Zabbix are so far - not migratable (yet).

The start of migration works well. Sync also.
Finishing the migration ends at about 33% (shown on NS8).

NS8 displays an authentication error:

Task Trace: (copied from NS8):

{
  "context": {
    "action": "import-module",
    "data": {
      "credentials": {"0": "nextcloud1", "1": "9644c2400cbe-0d92-4d48-8638-cf262ce6e67c"},
      "port": 20012,
      "volumes": {"0": "nextcloud-app-data"}
    },
    "extra": {
      "description": "ns8-action endpoint http://10.95.20.1:9311",
      "isNotificationHidden": false,
      "title": "module/nextcloud1/import-module"
    },
    "id": "7253e28a-ff4f-480d-b362-a18ce1940029",
    "parent": "",
    "queue": "module/nextcloud1/tasks",
    "timestamp": "2023-11-18T07:28:23.927272198Z",
    "user": "admin"
  },
  "status": "validation-failed",
  "progress": 0,
  "subTasks": [],
  "validated": false,
  "result": {
    "error": "",
    "exit_code": 2,
    "file": "task/module/nextcloud1/7253e28a-ff4f-480d-b362-a18ce1940029",
    "output": [
      {"error": "module_already_imported", "field": "none", "parameter": "none", "value": ""}
    ]
  }
}

NS7 ends migration with a red error message. After refreshing the page, this is shown again:

Re-Synching of data seems to start without issues, but shows a validation error on NS8.

If the command is pasted into a console, it will show an auth error, like on NS8.

Reconnecting the NS7 App to NS8 works using IP or FQDN (Internal only, at the moment).

On NS8, this is still shown:

After cleanly rebooting both hosts, I get this on NS7:

NS8 does show an external LDAP (The NS7 AD…), but calling it AD?
It does correctly show users from NS7 AD…

Additional Info:
The Target NS8 is using a different Domain than the source server. The AD is intended to stay the same, but the domain should be changed.
The admin / root passwords on both servers are identical.

Load during migration is very low, ca. 20% CPU; load stays below 4 on the host.

What could be causing this?
Nextcloud as such is used here, but not heavily used.

My 2 cents - and questions!
Andy

PS:
None of the above is mission critical. All hosts are VMs on Proxmox.
All are backed up to PBS and to NAS before migration testing.
I also have a clean backup of Debian, ready to start anew with installation of NS8.

All the above is intended to help our Devs iron out small bugs like this! :slight_smile:

I was successful in migrating another NS7 to NS8, also including a Nextcloud instance.
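The task trace posted above is structured JSON, and its "status" and "result.output" fields say what actually failed. The following is an added example (not NS8 project code) that summarizes such a trace and redacts the module credential in "context.data.credentials" before the trace is shared; it assumes only the field layout visible in the trace above, and the sample below is constructed with a marker value in place of the secret.

```python
"""Summarize an NS8 task trace and redact its credential before sharing.

Added example, not code from the NS8 project. It assumes only the trace
layout visible in the post above (context / status / result.output).
"""
import json

# Constructed sample: same shape as the posted trace, with the module
# credential replaced by a marker value so the redaction step can be shown.
SAMPLE_TRACE = json.dumps({
    "context": {
        "action": "import-module",
        "data": {
            "credentials": {"0": "nextcloud1", "1": "CONSTRUCTED-SECRET"},
            "port": 20012,
            "volumes": {"0": "nextcloud-app-data"},
        },
        "queue": "module/nextcloud1/tasks",
        "user": "admin",
    },
    "status": "validation-failed",
    "progress": 0,
    "result": {
        "error": "",
        "exit_code": 2,
        "output": [{"error": "module_already_imported", "field": "none",
                    "parameter": "none", "value": ""}],
    },
})


def summarize_trace(trace_json: str) -> dict:
    """Pull the action, module, status, exit code and validation errors out
    of a task trace. A 'validation-failed' status means the action's input
    was rejected before it ran, and the reason is in result.output rather
    than in stderr (result.error)."""
    trace = json.loads(trace_json)
    ctx = trace.get("context", {})
    result = trace.get("result", {})
    queue_parts = ctx.get("queue", "").split("/")   # "module/<name>/tasks"
    output = result.get("output")
    errors = []
    if isinstance(output, list):
        errors = [o["error"] for o in output
                  if isinstance(o, dict) and o.get("error")]
    return {
        "action": ctx.get("action"),
        "module": queue_parts[1] if len(queue_parts) == 3 else None,
        "status": trace.get("status"),
        "exit_code": result.get("exit_code"),
        "stderr": result.get("error", ""),
        "validation_errors": errors,
    }


def redacted_trace_json(trace_json: str) -> str:
    """Return the trace with every value under context.data.credentials
    replaced, so it can be pasted into a forum or ticket without leaking
    the module secret that the original trace carries in cleartext."""
    trace = json.loads(trace_json)
    creds = trace.get("context", {}).get("data", {}).get("credentials")
    if isinstance(creds, dict):
        for key in creds:
            creds[key] = "<redacted>"
    elif isinstance(creds, list):
        trace["context"]["data"]["credentials"] = ["<redacted>"] * len(creds)
    return json.dumps(trace)


if __name__ == "__main__":
    summary = summarize_trace(SAMPLE_TRACE)
    print(f"{summary['action']} on {summary['module']}: {summary['status']} "
          f"(exit {summary['exit_code']}), errors={summary['validation_errors']}")
    print(redacted_trace_json(SAMPLE_TRACE))
```

Run against the posted trace, the summary reports "import-module on nextcloud1: validation-failed (exit 2), errors=['module_already_imported']", which is a different kind of failure from a rejected login and narrows where to look.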


Yeah! :slight_smile:


Did this other instance that was successful have AD on it, that was to be migrated as well, or was it just Nextcloud?

Hi

The one which worked also uses AD, Nextcloud.
I must use AD, LDAP doesn’t work for me - no Shares!

My 2 cents
Andy


Hi Andy, thanks for testing the migration procedure :heart:

The migration procedure is not really robust. If one side loses connectivity, reboots, or services are restarted, it is an unhandled error. This must be improved, certainly.

“External LDAP” indicates a remote LDAP server, no matter what its schema is (AD or RFC2307).

A temporary external LDAP is configured in NS8, pointing to NS7 account provider. Connections to LDAP are routed through the VPN (there is a routing maybe-bug if the servers are in the same LAN).

As stated in NethServer 7 migration — NS8 documentation, the last migration step is the account provider data migration, which finally replaces the “external LDAP” configuration. NS7 is left with no account provider, it can be configured to join NS8 if it is in the same LAN.

:trophy: Good to know!

@davidep

Thanks for confirming a few questions I had / assumed…

A few more specific to Samba / AD:

In NS7, the AD had to use a separate IP. In NS8, it uses the same IP if running on the master node, else it uses the IP of the node it is installed on?

Is there any option eg to install PHPLDAPadmin to administer the AD (As NS7 had?) ?
→ Containerization makes this a mite more difficult…

Is there any option / method / how-to to enable SSL for the AD / LDAP (As NS7 had?) ?
→ Containerization makes this a mite more difficult…

How would samba enhancements like Netlogon Folder / Share, roving profiles, etc be added / enabled (As NS7 had?) ?
→ Containerization makes this a mite more difficult…

How to set complete permissions on subfolders in a samba share? At the moment, clients can do as set (by permissions) only on the top level. On any subfolder level, not even a domain admin can access / move / delete files or folders. Something BIG is not working here!

For a Beta, the migration is better than I expected, but far from as seamless as migrating an iPhone to another iPhone eg via Backup!

I assume the Samba component acting as AD also acts as AD-DNS (An AD DNS is a must for any AD…), even though NS8 does not contain / run DNS services (not planned - this is for NethSecurity, I understand). But is this so?

Is there an option to install fail2ban instead of CrowdSec? Fail2ban can work in environments without any Internet; in some cases there’s not even a gateway defined in the network. I do not trust something like CrowdSec to work correctly in such an isolated environment. On top of all this, CrowdSec has no advantages to offer in such a scenario. Its cumulated lists of contaminated IPs? I have a single, isolated LAN and only those limited IPs can access this host via IP. :slight_smile:

A lot of questions, let’s have some answers for the docs!

But my commendations to all in the Dev team: Great Work!
Let’s iron out the remaining wrinkles as best as possible!

My 2 cents
Andy


I forgot we already implemented some connection recovery functions: if nodes are rebooted the sync state is resumed.

However I got the same message, but it was a false alarm: after refreshing ns7 migration tool page it disappeared :thinking:


To fix that bug we need to know the steps that reproduce it.

My test environment today is:

  • ns7 in DO fra1 datacenter 2 vCPU 2 GB RAM / 60 GB disk, Active Directory, Nextcloud, File Server
  • ns8 in DO ams3 datacenter 2 vCPU 2 GB RAM / 60 GB disk, RockyLinux NS8 RC1

Well this should be clearly explained here

If not, please refer to what is missing, or not clear in any way

Our next community webinar covers this point. In NS7 you’d follow a CentOS 7 howto, in NS8 you’d follow instructions for Docker. Do not miss it!

I can only say it is possible, with some commands, like for NS7. But sorry I never tried it, I can’t say how to do it in NS8.

NS8 has a full DC instance running: all those features should work similarly. There are Shares, Netlogon folder and user home directories, already enabled AFAIK.

The Samba module UI can reset ACLs recursively, please refer to File server — NS8 documentation

I guess there is some permission issue in your installation. Is it from a migration? Did you try with a new installation too?

DNS is explained here: User domains — NS8 documentation

Today I added this sentence:

The domain controller inherits the node DNS settings in /etc/resolv.conf for name resolution request forwarding.

I hope Crowdsec can run with no connection too. IIRC during configuration you choose whether to join its community ban list or not… but let’s ask @stephdl to be sure!

Thank you, we’re doing our best!

No, I also assume that this is a migration issue.
AFAIK, on a new install I did not have these issues.

Great!

Thanks, I’ll read in detail the documents you linked to, and if I have further questions, I’ll come back…

My 2 cents
Andy


Crowdsec needs internet to install it, but after that it is like fail2ban: we read and parse logs. I must admit I do not understand the issue, because a server gets connectivity if you want to install modules or to serve information to clients.

Btw yes fail2ban can be installed/configured but no plan right now as official module I bet


If needed to install, a connection will be provided.
Clients are in the same room (usually).

→ Think school class for special stuff, like AutoCAD class including Plotter & File Server…

“Clients” bring their Notebooks to work or use one of the existing 4 workstations in that special case.
The workstations are locked down, and imaged for any case. But the notebooks? And students of a certain age group, like 16-26? Some get bored in class, and play around… :slight_smile:


@davidep

I think I clicked the “Solution” button by mistake, and now can’t remove it myself.
Can you help, or do we maybe need @dnutan ? :slight_smile:

→ Solved !!! (Browser does caching…)


That trick works all the time!

except when the browser uses a “Pop under” to display it urgently needs a restart because of updates in the background… Wasted an hour with that 2 weeks ago…

… sh*t happens!

:slight_smile:


I did try this out, but did not work. Even if I added a new folder manually, as domain admin, I had no permission in subfolders. Locally, and on a NAS I had the correct permissions, but not in a migrated AD folder on samba… (This I could verify for all shares).

Actually both are well explained - but ONLY for new installations.
Not a word about migrated installations, where NS7 used a separate IP for the AD. :slight_smile:

Maybe add a short sentence as to migrated AD / LDAP…

My 2 cents
Andy


If it fails also in a new installation, please run this test to see if it is a permission issue, or a client/network issue.

First of all, get a shell on the DC node. Assuming your Samba instance is samba1, run this command to get a shell in the DC container:

runagent -m samba1 podman exec -ti samba-dc bash -l

Then you can run smbclient, and do some connection and upload tests. For instance

smbclient -U first.user%Nethesis,1234 //127.0.0.1/share2

Inside the container you have all the usual Samba DC stuff, like samba-tool, net conf, smbclient, smbcacls…

Right, more documentation is coming! I added Samba DC section here NethServer 7 migration — NS8 documentation (see PR#42).

What do you think? Does it clear the doubts?
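The smbcacls tool named above prints a folder's ACL as REVISION/CONTROL/OWNER/GROUP/ACL lines; reading those for the share root and for an affected subfolder tells a permission problem apart from a client or network problem. The following is an added example (not NethServer or Samba code) that parses that output, checks whether a given user or one of its groups is effectively granted full control (deny entries win), and lists entries that will not propagate to new subfolders because they carry neither OI nor CI. The domain name "AD", the principals and the two sample outputs are constructed; fetch_acl only wraps the smbcacls call for use inside the container and is not exercised by the samples.

```python
"""Check smbcacls output for the 'works on top level, not in subfolders' symptom.

Added example, not code from NethServer or Samba. It assumes the smbcacls
text output format (REVISION/CONTROL/OWNER/GROUP/ACL lines); the domain
name 'AD', the principals and the sample outputs are constructed.
"""
import subprocess
from dataclasses import dataclass

# Masks smbcacls prints for full control (symbolic and raw hex form).
FULL_MASKS = {"FULL", "0x001f01ff"}


@dataclass(frozen=True)
class Ace:
    trustee: str        # e.g. 'AD\\Domain Admins' or an S-1-5-... SID
    kind: str           # 'ALLOWED' or 'DENIED'
    flags: frozenset    # subset of {'OI', 'CI', 'IO', 'NP', 'I'}; empty for 0x0
    mask: str           # 'FULL', 'CHANGE', 'READ', RWXDPO letters or hex


def parse_smbcacls(text: str) -> dict:
    """Parse smbcacls output into owner, group and a list of Ace entries."""
    acl = {"owner": None, "group": None, "aces": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("OWNER:"):
            acl["owner"] = line[len("OWNER:"):]
        elif line.startswith("GROUP:"):
            acl["group"] = line[len("GROUP:"):]
        elif line.startswith("ACL:"):
            # ACL:<trustee>:<ALLOWED|DENIED>/<flags>/<mask>
            trustee, spec = line[len("ACL:"):].rsplit(":", 1)
            kind, flags, mask = spec.split("/")
            flagset = frozenset() if flags == "0x0" else frozenset(flags.split("|"))
            acl["aces"].append(Ace(trustee, kind, flagset, mask))
    return acl


def has_full_control(acl: dict, principals) -> bool:
    """True if the user or one of its groups is ALLOWED full control and none
    of them has a DENIED entry; a deny entry always wins over an allow."""
    wanted = set(principals)
    aces = acl["aces"]
    if any(a.trustee in wanted and a.kind == "DENIED" for a in aces):
        return False
    return any(a.trustee in wanted and a.kind == "ALLOWED" and a.mask in FULL_MASKS
               for a in aces)


def non_propagating_aces(acl: dict) -> list:
    """Trustees whose ALLOWED entry has neither OI nor CI: such an entry applies
    to this folder only, so subfolders created below it will not inherit it."""
    return [a.trustee for a in acl["aces"]
            if a.kind == "ALLOWED" and not (a.flags & {"OI", "CI"})]


def fetch_acl(share: str, path: str, user: str, server: str = "127.0.0.1") -> dict:
    """Run smbcacls (inside the samba-dc container) and parse its output.
    Hypothetical helper; not called by the constructed samples below."""
    out = subprocess.run(["smbcacls", f"//{server}/{share}", path, "-U", user],
                         capture_output=True, text=True, check=True).stdout
    return parse_smbcacls(out)


# Constructed sample: share root where inheritance is set up as intended.
ROOT_ACL = """\
REVISION:1
CONTROL:SR|DI|DP
OWNER:AD\\Domain Admins
GROUP:AD\\Domain Users
ACL:AD\\Domain Admins:ALLOWED/OI|CI/FULL
ACL:AD\\Domain Users:ALLOWED/OI|CI/CHANGE
"""

# Constructed sample: a subfolder where only its creator kept FULL and the
# Domain Admins entry was not inherited, which matches the reported symptom.
SUBFOLDER_ACL = """\
REVISION:1
CONTROL:SR|DP
OWNER:AD\\first.user
GROUP:AD\\Domain Users
ACL:AD\\first.user:ALLOWED/0x0/FULL
ACL:AD\\Domain Users:ALLOWED/0x0/READ
"""

if __name__ == "__main__":
    admin = {"AD\\first.admin", "AD\\Domain Admins"}   # user plus group memberships
    for name, text in (("root", ROOT_ACL), ("subfolder", SUBFOLDER_ACL)):
        acl = parse_smbcacls(text)
        print(f"{name}: owner={acl['owner']} admin_full={has_full_control(acl, admin)} "
              f"non_propagating={non_propagating_aces(acl)}")
```

If the subfolder comes back like the second sample while a freshly created file on the share root is fine, the gap is in the stored ACLs rather than in the client or the VPN route, and the recursive ACL reset in the Samba module UI (linked above) is the right place to start.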


Hi @davidep

Doubts? Sounds like an interesting concept, I must look more into this…

:slight_smile:

Not really, I have a NethServer Dev Team… And I trust they will carry on their excellent work and we’ll be finished on time and then some. Who knows, by the time NS7 / CentOS 7 goes EOL next June, we might already be running NS8.1 !!!

:slight_smile:

Will test as soon as I have Time / access to my test zone… :slight_smile:
→ Feedback coming…

My 2 cents
Andy
