I’ve finally got my NS7 to connect to NS8 for migration, so now I can actually think about when and how I’d migrate :).
I have some fundamental questions about NS8, like: what should I expect to see inside?
I appreciate how simple the cluster-admin interface is for NS8, but I feel like it’s not enough to run my new server. NS7 gives lots of information in the UI, like detailed network information, including DNS, DHCP, services, etc. I don’t see any of this in NS8.
I’ve also seen comments that NS8 will not feature a full firewall.
It’s starting to feel like NS8 is meant to be a standalone application server that sits within more infrastructure that includes its own firewall and network configuration, as opposed to being “the central server” which is how NS7 seems to operate. Is this true?
This post is literally me asking what I should expect.
If the answer is “All those features will come later”, that’s great! If the answer is “We’re shifting direction of the product and you shouldn’t expect those” well, that’s great for the Neth team but not so great for me.
Almost everything on NS7 will come to NS8, in one form or another.
The Firewall will be a separate module: NethSecurity (AFAIK).
I’m one of those who almost NEVER uses NethServer as Firewall (Only a single cloud instance), all others have a dedicated OPNsense box as firewall.
If I’m doing any major maintenance on the server, I still insist on having internet access for my Notebook or whatever!
What will certainly NOT be possible is e.g. running exactly the same versions as on NS7, e.g. MySQL5 is past!
Newer MariaDB versions will be supported of course, and it will be easier in future to run different versions of a software at the same time.
Hi @Andy_Wismer - thanks, it is helpful. I’m OK with it being a separate module, as long as I can choose to install it :).
My setups are very small, so a single server works really well for me; I plan to continue to use the firewall.
Unfortunately I have a lot of self-built docker containers on NS7 that rely on more features in NS7 than are available in NS8 beta. It’ll probably be well after RCs that I’m migrating to NS8 - just wanted to know what to expect!
I think we have to be patient. After all, the developers are not magicians. Even if it seems that way to me from time to time. I for one have never used the firewall in Nethserver because I am a fan of separate hardware in this case. For my part, I am sure that at the end of the road we will find most of the features now available in NS 7 also in NS 8. They may be different to handle (operate), but that should not harm the love for Nethserver.
I believe NethSecurity is a separate project that would run on a separate system, whether virtual or physical.
NS7 is much more integrated into the underlying OS than is NS8. With NS8, you’re at the mercy of whatever tools the underlying OS (either Debian 12 or your preferred EL clone) provides to configure the network, and nothing in the cluster-admin page addresses that–or system software updates, or rebooting/shutting down the system, or…
As to services, NS8 instead gives “applications”, and shows their status. Each individual application has one or more containers, and you can see the status of those with the respective application. Nothing provides a granular breakdown of individual services, but I don’t really see why such a thing would be necessary for the most part.
I sure do hope that the new NethSecurity Firewall can handle DNS correctly, especially CNAMES and PTR records.
NS7 only allows CNAMES for itself, but not for other hosts.
This means that a second A record needs to be used.
That alone already means that the PTR record will be screwed up, it won’t be the primary FQDN of the host, but usually an intended CNAME, used as an A record that will be shown (simply because it was entered in last (last in, first out?)…
This makes for crappy statistics, but also for really tedious troubleshooting, if trying to find a networking problem…
If I am not wrong, OpenWRT uses DNSmasq for their DNS, so basically, what’s supported by DNSmasq would be what’s supported. I am not sure if that would handle a full-fledged DNS server, but it would handle DNS resolving.
For a full-fledged DNS server, that would be handled by NethServer, with, if I am not mistaken, a DNS module (Technitium/PowerDNS).
DNSmasq can handle both CNAMEs and PTRs correctly - only NS7 did not have an option for editing or creating CNAME entries, forcing users to use A records…
Both OpenWRT and NS7 use DNSmasq as main DNS, but both also have Unbound on board, which I think is even better…
Technitium(?) is a toy, for a Home User enthusiast, it has too many issues to be used professionally.
PowerDNS is a professional DNS Server.
But:
Any Server running AD in any form should NEVER be a public DNS!
Split Brain DNS is possible, but in this specific situation more a security headache than an advantage.
My 2 cents
Andy
PS:
I’m fairly familiar with OpenWRT, as I use it regularly. Often with the latest builds, and not only using OpenWRT as a WiFi AP!
It’s currently not exposed in our NethSecurity UI: AFAIK nobody else requested it.
Still, if you make such changes from the command line, they will be preserved!
Kindly note that many solutions being used on the internet today, both huge and small, at one point began as a hobbyist project and others as a one-man show, but through the support of community and a large organisation, they ended up becoming mainstream and extremely large projects with advanced features, functions, and a proper milestone.
Why does cPanel have its own interface for DNS management? Why is NethServer implementing its own interface around OpenWRT and its own features?
Overall none of the Opensource solutions would be 100% feature complete but with a little nudge, they could become larger.
In my view BIND DNS is a better DNS solution, but it lacks severely in interface, but it resolves the fastest, works the best and is more resilient, while PowerDNS has a better interface. It depends sometimes on which is easier to work with, which requires the least effort, and what would offer better ROI.
BIND DNS is the official reference project for DNS and is referenced in the relevant RFCs and is still one of the most used DNS servers powering the Internet.
BIND is quite easy to manage if e.g. using Webmin, by Jamie Cameron, now a Google employee due to Webmin and his know-how!
PowerDNS is very powerful, has all dns records in a highly available Database (MariaDB?), and is distributed. BIND is not distributed, but uses the master / slave option to provide more redundancy.
Both have their Pros and Cons, both are available as open source projects, and both are Top as DNS servers.
Although both projects “could” be used e.g. as a DMS for text based small documents, both are rather unusable for stuff other than DNS resolving, which is what they were programmed for.
I have to say, I also hope I read that wrong. If I have to take on extra scope of managing a firewall on a separate machine (even if it’s very compatible with NethServer) that would be a no go for me.
NethServer 7 currently does very well as a standalone server for personal and SMB uses, even if the applications available are a bit limited. I’ve been taking on the complexity of deploying my own containers for applications because everything else works well, or well enough.
If Neth8 does this split, you will have a new container-based server trying to compete with established offerings like Cloudron or CasaOS, as well as a new firewall server trying to compete with established firewalls - but it sounds like it’s being based on OpenWRT so that should help.
I really hope I’m misunderstanding something, I’ve enjoyed NethServer for a while now.