Hi, I need a gateway for our new office. I'd like it to run Fedora. What are my options? I'd like to be able to do the following:
- provide VPN back to the main office
- provide basic masquerading of hosts on inside network
- be small enough to fit on a shelf. Preferably fanless
- web-based administration
- ssh access
We're experienced admins, so a simple interface isn't specifically necessary, but desired.
It's only for a few remote office workers, so it doesn't have to be particularly powerful, but should be responsive enough to support regular ssh and VPN activity.
Thanks, Alex
Intel sells boxes they call NUCs. I'm running Fedora on one at home; it seems to work fine (as a media PC). Asus makes similar-sized bookshelf systems. A lot of them come with Windows forced down your throat; I got a NUC without memory or disk and added my own.
Look up "mini PC" on Amazon for a vast selection.
I'd think CentOS would be better for a server-like system since it has a longer lifespan; Fedora goes out of date really fast.
Raspberry PI
On Tue, Jan 8, 2019 at 12:44 PM Tom Horsley horsley1953@gmail.com wrote:
Intel sells boxes they call NUCs. I'm running Fedora on one at home; it seems to work fine (as a media PC). Asus makes similar-sized bookshelf systems. A lot of them come with Windows forced down your throat; I got a NUC without memory or disk and added my own.
Look up "mini PC" on Amazon for a vast selection.
I'd think CentOS would be better for a server-like system since it has a longer lifespan; Fedora goes out of date really fast.
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Once upon a time, Tom Horsley horsley1953@gmail.com said:
Intel sells boxes they call NUCs.
The NUC only has one Ethernet port built in, although newer models also have a Thunderbolt port, which should drive a decent-speed network.
A strike against the NUC is that Intel basically requires Windows for some types of firmware updates. The BIOS can be updated from a function key, but the HDMI port (on the NUC7 anyway) is internally a DisplayPort interface run through an active DP->HDMI adapter. Upgrading the firmware on that adapter can only be done in Windows. IIRC the Thunderbolt firmware can also only be upgraded in Windows (and both of those upgrades have been necessary to get systems working).
Also, I have a NUC7 (1.5 years old) on RMA right now - made a BIOS setting change to disable SecureBoot and enable legacy-style boot, and it killed the box... not too impressed with that.
Once upon a time, Terry Polzin foxec208@gmail.com said:
Raspberry PI
PIs make terrible routers since the only NIC is on the USB2 bus (and so would any additional NIC).
I don't get the fascination with PIs - they're cheap, but they are not a good solution to a great many things people try to use them for.
On Tue, 8 Jan 2019 at 12:10, Alex mysqlstudent@gmail.com wrote:
Hi, I need a gateway for our new office. I'd like it to run Fedora. What are my options? I'd like to be able to do the following:
- provide VPN back to the main office
- provide basic masquerading of hosts on inside network
- be small enough to fit on a shelf. Preferably fanless
- web-based administration
- ssh access
Have a look at https://www.pcengines.ch/apu2.htm These offer 2 or 3 Ethernet ports, small form factor, and fanless. Fedora is not a good choice for this role unless you are willing to devote time and effort to testing new versions as they appear. In that case you would want a couple of systems so each new release could be tested before going into service. PC Engines has CentOS 7 images for APU systems.
We're experienced admins, so a simple interface isn't specifically necessary, but desired.
It's only for a few remote office workers, so it doesn't have to be particularly powerful, but should be responsive enough to support regular ssh and VPN activity.
Avoid USB NICs. Have a look at pfSense: https://www.pfsense.org/getting-started/
On 1/8/19 11:15 AM, Chris Adams wrote:
Once upon a time, Tom Horsley horsley1953@gmail.com said:
Intel sells boxes they call NUCs.
NUC only has one ethernet port built-in, although newer models also have a Thunderbolt port, which should drive a decent speed network.
The servers I run usually only have 1 Ethernet port. I use a managed switch with VLAN support to provide as many ports as I need.
I know you asked for Fedora, but a standard, low-cost router running OpenWRT, https://openwrt.org/, would likely be better for the tasks you mention. OpenWRT is a minimal Linux system with the ability to install extra packages. It has a simple-to-use web admin system and can do all the things you mention.
I use cheap (£20 second-hand on eBay) TP-Link TL-WDR3600 v1 routers and OpenWRT 18.06 at work and home. This particular router has 5 x 1Gbit Ethernet ports, Wi-Fi (2.4 and 5GHz), 2 USB ports and is efficient in its use of power. It can connect to cable/FTTP/FTTC "modems" if needed, etc. There are many other hardware platforms that would work with OpenWRT, but this one works well and has a good amount of flash/RAM.
Terry
On 08/01/2019 16:09, Alex wrote:
Hi, I need a gateway for our new office. I'd like it to run Fedora. What are my options? I'd like to be able to do the following:
- provide VPN back to the main office
- provide basic masquerading of hosts on inside network
- be small enough to fit on a shelf. Preferably fanless
- web-based administration
- ssh access
We're experienced admins, so a simple interface isn't specifically necessary, but desired.
It's only for a few remote office workers, so it doesn't have to be particularly powerful, but should be responsive enough to support regular ssh and VPN activity.
Thanks, Alex
On Wednesday, January 9, 2019 3:14:25 AM EST Terry Barnaby wrote:
I know you asked for Fedora, but a standard, low-cost router running OpenWRT, https://openwrt.org/, would likely be better for the tasks you mention. OpenWRT is a minimal Linux system with the ability to install extra packages. It has a simple-to-use web admin system and can do all the things you mention.
I cannot think of any reason not to use one's distro of choice as their gateway and/or VPN. I personally use a Fedora system (well, Fedora + Freed-ora-freedom) for my router and VPN. OpenWRT is not inherently better than Fedora, and there are many benefits of using Fedora over OpenWRT.
On 09/01/2019 08:19, John Harris wrote:
On Wednesday, January 9, 2019 3:14:25 AM EST Terry Barnaby wrote:
I know you asked for Fedora, but a standard, low-cost router running OpenWRT, https://openwrt.org/, would likely be better for the tasks you mention. OpenWRT is a minimal Linux system with the ability to install extra packages. It has a simple-to-use web admin system and can do all the things you mention.
I cannot think of any reason not to use one's distro of choice as their gateway and/or VPN. I personally use a Fedora system (well, Fedora + Freed-ora-freedom) for my router and VPN. OpenWRT is not inherently better than Fedora, and there are many benefits of using Fedora over OpenWRT.
I agree there are pros in using a system you know and use on as many things as possible. I use Fedora on multiple servers, workstations, webservers, backup servers etc. However, there are a few cons in using Fedora for such tasks; my particular cons for this task are:
1. Fedora is big and bloated for the small/low-powered hardware that can be used for this task, and low energy usage is important in my opinion for 24/7 systems.
2. Fedora is complex for such a task.
3. Fedora hasn't a simple web interface to manage the particular functionality that a simple router-like device needs.
4. Fedora's aggressive new "feature" release cycle is painful for such low-level infrastructure.
5. Other Linux systems have been designed to install easily on small router-like hardware and to be easy to use. As long as it is open source and Linux, most of someone's knowledge of Fedora will be applicable.
Terry
On Wednesday, January 9, 2019 4:33:25 AM EST Terry Barnaby wrote:
- Fedora is big and bloated for small/low-powered hardware that can be used for this task, and low energy usage is important in my opinion for 24/7 systems.
I've successfully run Fedora (certainly not the images published, but still Fedora) on embedded devices without issue. Additionally, using Fedora doesn't inherently make your system use more energy than it otherwise would.
- Fedora is complex for such a task.
Not really. It's more complex, because of your point 3, but not by a lot. It also has a lot of flexibility in comparison to things like OpenWRT.
- Fedora hasn't a simple web interface to manage the particular functionality that a simple router-like device needs.
Sure.
- Fedora's aggressive new "feature" release cycle is painful for such low-level infrastructure.
Nope. Fedora has releases about every 6 months. This means your systems will just about always have the latest and greatest stable code.
- Other Linux systems have been designed to install easily on small router-like hardware and to be easy to use. As long as it is open source and Linux, most of someone's knowledge of Fedora will be applicable.
Fedora, as with many other GNU/Linux systems, is a general purpose operating system. As I said earlier, you can certainly install it on embedded devices such as routers. I'd be careful doing so, however, and look into the peripherals and their support in mainline before doing so. It is possible that you'll have to run Fedora from a custom kernel.
Little of one's knowledge of Fedora is really relevant to Linux.
Hello,
On Wed, 09 Jan 2019 07:37:53 -0500 John Harris johnmh@splentity.com wrote:
[snip]
- Fedora's aggressive new "feature" release cycle is painful for such low-level infrastructure.
Nope. Fedora has releases about every 6 months. This means your systems will just about always have the latest and greatest stable code.
[snip]
True, but you may also fail at upgrading (see the users ML), and that means possibly failing every 6 months ;-). You cannot be serious in recommending Fedora for a server in production just because it has up-to-date software, without mentioning that it would bring fresh fixes, yes, but also fresh bugs. And that's not what I'd recommend to handle a server in production, unless you are both the user and the admin, it's your own home/office, and your responsibility only involves you, with no real cost if something goes wrong. Or unless your hardware requires kernel (and more) support that is only found in Fedora, which is another important detail (for instance, you might fail with CentOS 7 or Red Hat 7 on fresh hardware).
Regards,
On Wednesday, January 9, 2019 7:48:24 AM EST wwp wrote:
True, but you may also fail at upgrading (see the users ML), and that means possibly failing every 6 months ;-). You cannot be serious in recommending Fedora for a server in production just because it has up-to-date software, without mentioning that it would bring fresh fixes, yes, but also fresh bugs. And that's not what I'd recommend to handle a server in production, unless you are both the user and the admin, it's your own home/office, and your responsibility only involves you, with no real cost if something goes wrong. Or unless your hardware requires kernel (and more) support that is only found in Fedora, which is another important detail (for instance, you might fail with CentOS 7 or Red Hat 7 on fresh hardware).
I would definitely suggest Fedora for production servers, but this is another conversation entirely. I'd be happy to discuss this with you in a separate thread.
Once upon a time, Samuel Sieb samuel@sieb.net said:
On 1/8/19 11:15 AM, Chris Adams wrote:
Once upon a time, Tom Horsley horsley1953@gmail.com said:
Intel sells boxes they call NUCs.
The NUC only has one Ethernet port built in, although newer models also have a Thunderbolt port, which should drive a decent-speed network.
The servers I run usually only have 1 Ethernet port. I use a managed switch with VLAN support to provide as many ports as I need.
That's fine for servers, but would add significant cost and additional management and bandwidth overhead for a router. I have gigabit Internet service; hairpinning all the traffic through a single port turns a full-duplex service into half-duplex.
Once upon a time, John Harris johnmh@splentity.com said:
I cannot think of any reason not to use one's distro of choice as their gateway and/or VPN. I personally use a Fedora system (well, Fedora + Freed-ora-freedom) for my router and VPN. OpenWRT is not inherently better than Fedora, and there are many benefits of using Fedora over OpenWRT.
It's the difference between using a multitool and a purpose-built tool. Sure, your Leatherman or Gerber can strip wires and screw in a switch, but a good pair of wire strippers and assorted size screwdrivers will usually be more convenient (and quicker) to use.
OpenWrt is a light-weight system designed for router setups. It has an integrated web UI (for those that want it) that can configure and monitor traffic, and all configuration normally needed is in a small set of config files in one directory and in a common format (makes management much easier for occasional edits).
There are things that OpenWrt does easily that Fedora doesn't do at all; for example, the web UI on OpenWrt includes real-time traffic graphs. I don't know of anything that can provide that in Fedora.
Also, OpenWrt uses much less resources than any general-purpose OS install, so costs less.
On Wednesday, January 9, 2019 9:05:56 AM EST Chris Adams wrote:
It's the difference between using a multitool and a purpose-built tool. Sure, your Leatherman or Gerber can strip wires and screw in a switch, but a good pair of wire strippers and assorted size screwdrivers will usually be more convenient (and quicker) to use.
I cannot think of a more dishonest comparison. A multitool cannot be easily reconfigured to meet a given purpose. A multitool could not be made to be as ergonomic and efficient of a screwdriver as a real screwdriver, for example. With Fedora, you can configure the system to be anything you could ever need.
OpenWrt is a light-weight system designed for router setups. It has an integrated web UI (for those that want it) that can configure and monitor traffic, and all configuration normally needed is in a small set of config files in one directory and in a common format (makes management much easier for occasional edits).
Sure, and if you're alright with throwing up something in a system you're unfamiliar with, or you don't have time to properly manage yet another system, maybe it's a good idea.
There are things that OpenWrt does easily that Fedora doesn't do at all; for example, the web UI on OpenWrt includes real-time traffic graphs. I don't know of anything that can provide that in Fedora.
There are several packages that you could install to show you real-time statistics of your system's network interfaces (including virtual interfaces). Cockpit is one which the Fedora Server folks put in their default image.
Also, OpenWrt uses much less resources than any general-purpose OS install, so costs less.
This isn't necessarily true. It would depend heavily on what you install, and how you configure it. Out of box? Sure.
On 08.01.2019 17:09, Alex wrote:
Hi, I need a gateway for our new office. I'd like it to run Fedora. What are my options? I'd like to be able to do the following:
- provide VPN back to the main office
- provide basic masquerading of hosts on inside network
- be small enough to fit on a shelf. Preferably fanless
- web-based administration
- ssh access
We're experienced admins, so a simple interface isn't specifically necessary, but desired.
It's only for a few remote office workers, so it doesn't have to be particularly powerful, but should be responsive enough to support regular ssh and VPN activity.
I had been using https://www.ipfire.org/ in the past and later switched to pfSense, so I would really recommend IPFire if you want full control of the firewall at a low level and a simple, decent setup/configuration interface as well.
Look up Jetway devices. They're small, fanless, and don't use a lot of power.
On 1/8/19 11:09 AM, Alex wrote:
Hi, I need a gateway for our new office. I'd like it to run Fedora. What are my options? I'd like to be able to do the following:
- provide VPN back to the main office
- provide basic masquerading of hosts on inside network
- be small enough to fit on a shelf. Preferably fanless
- web-based administration
- ssh access
We're experienced admins, so a simple interface isn't specifically necessary, but desired.
It's only for a few remote office workers, so it doesn't have to be particularly powerful, but should be responsive enough to support regular ssh and VPN activity.
Thanks, Alex
On 1/9/19 12:19 AM, John Harris wrote:
On Wednesday, January 9, 2019 3:14:25 AM EST Terry Barnaby wrote:
I know you asked for Fedora, but a standard, low-cost router running OpenWRT, https://openwrt.org/, would likely be better for the tasks you mention. OpenWRT is a minimal Linux system with the ability to install extra packages. It has a simple-to-use web admin system and can do all the things you mention.
I cannot think of any reason not to use one's distro of choice as their gateway and/or VPN. I personally use a Fedora system (well, Fedora + Freed-ora-freedom) for my router and VPN. OpenWRT is not inherently better than Fedora, and there are many benefits of using Fedora over OpenWRT.
I use Fedora for desktops, laptops, and servers in various places, but in this case, Fedora is not suitable to run on a Wi-Fi router. In a lot of cases, there is only 8MB of flash to store the OS, or if you're really lucky or willing to pay a lot more, you can get twice that.
I second the suggestion of using such a device. It's quiet, low power, and easy to configure. I have considered, but haven't got around to trying to set up OpenVPN on one yet, so that's an unknown. You could find a cheap, OpenWrt-supported router from a second-hand store to test out before buying a better one.
On Wednesday, January 9, 2019 2:36:53 PM EST Samuel Sieb wrote:
I use Fedora for desktops, laptops, and servers in various places, but in this case, Fedora is not suitable to run on a Wi-Fi router. In a lot of cases, there is only 8MB of flash to store the OS, or if you're really lucky or willing to pay a lot more, you can get twice that.
While I'm not suggesting the use of Fedora on a stock residential router, most of these routers also have a USB port.
I second the suggestion of using such a device. It's quiet, low power, and easy to configure. I have considered, but haven't got around to trying to set up OpenVPN on one yet, so that's an unknown. You could find a cheap, OpenWrt-supported router from a second-hand store to test out before buying a better one.
I'd highly suggest using WireGuard rather than OpenVPN. I got around to switching my personal systems the other day, and the benefits are immediately noticeable. I can push gigabit over my home VPN. :)
On 1/9/19 11:51 AM, John Harris wrote:
On Wednesday, January 9, 2019 2:36:53 PM EST Samuel Sieb wrote:
I use Fedora for desktops, laptops, and servers in various places, but in this case, Fedora is not suitable to run on a Wi-Fi router. In a lot of cases, there is only 8MB of flash to store the OS, or if you're really lucky or willing to pay a lot more, you can get twice that.
While I'm not suggesting the use of Fedora on a stock residential router, most of these routers also have a USB port.
If you're suggesting to run Fedora off a USB port, then remember that they also usually only have max 32MB of RAM as well. :-)
I second the suggestion of using such a device. It's quiet, low power, and easy to configure. I have considered, but haven't got around to trying to set up OpenVPN on one yet, so that's an unknown. You could find a cheap, OpenWrt-supported router from a second-hand store to test out before buying a better one.
I'd highly suggest using WireGuard rather than OpenVPN. I got around to switching my personal systems the other day, and the benefits are immediately noticeable. I can push gigabit over my home VPN. :)
I have been running OpenVPN for many years and my VPN network is widespread. I only heard about WireGuard recently, but it's something I should look into.
On Wednesday, January 9, 2019 3:01:33 PM EST Samuel Sieb wrote:
If you're suggesting to run Fedora off a USB port, then remember that they also usually only have max 32MB of RAM as well. :-)
32-64 MiB, but that's fine. More than enough. You just can't use one of the standard images.
On 08/01/2019 17:52, George N. White III wrote:
On Tue, 8 Jan 2019 at 12:10, Alex <mysqlstudent@gmail.com> wrote:
Hi, I need a gateway for our new office. I'd like it to run Fedora. What are my options? I'd like to be able to do the following:
- provide VPN back to the main office
- provide basic masquerading of hosts on inside network
- be small enough to fit on a shelf. Preferably fanless
- web-based administration
- ssh access
Have a look at https://www.pcengines.ch/apu2.htm These offer 2 or 3 Ethernet ports, small form factor, and fanless. Fedora is not a good choice for this role unless you are willing to devote time and effort to testing new versions as they appear. In that case you would want a couple of systems so each new release could be tested before going into service. PC Engines has CentOS 7 images for APU systems.
We're experienced admins, so a simple interface isn't specifically necessary, but desired.
It's only for a few remote office workers, so it doesn't have to be particularly powerful, but should be responsive enough to support regular ssh and VPN activity.
Avoid USB NICs. Have a look at pfSense: https://www.pfsense.org/getting-started/
George N. White III
Working on this as well.
I have looked at pfSense and I am also looking at OPNsense.
I have a friend that uses pfSense for a small network at a resort and does remote admin when required. For wireless he uses dedicated access points. IPFire looks interesting, but it looks like it wants to be more than a firewall/gateway.
The one point my friend mentions is using separate network ports for the various VLANs and combining them at the firewall. He prefers this method for his network.
I would look at a fanless solution as well. We have had some Intel based units that have been major problems with heat. Needed to be in cool rooms all the time. Cannot remember the name though.
pfSense has a list of recommended hardware for throughput bandwidth.
http://pfsensesetup.com/pfsense-hardware-requirements/
It is interesting to read.
Have fun.
On 1/9/19 7:20 PM, Robin Laing wrote:
On 08/01/2019 17:52, George N. White III wrote:
On Tue, 8 Jan 2019 at 12:10, Alex <mysqlstudent@gmail.com> wrote:
Hi, I need a gateway for our new office. I'd like it to run Fedora. What are my options? I'd like to be able to do the following:
- provide VPN back to the main office
- provide basic masquerading of hosts on inside network
- be small enough to fit on a shelf. Preferably fanless
- web-based administration
- ssh access
Have a look at https://www.pcengines.ch/apu2.htm These offer 2 or 3 Ethernet ports, small form factor, and fanless. Fedora is not a good choice for this role unless you are willing to devote time and effort to testing new versions as they appear. In that case you would want a couple of systems so each new release could be tested before going into service. PC Engines has CentOS 7 images for APU systems.
We're experienced admins, so a simple interface isn't specifically necessary, but desired.
It's only for a few remote office workers, so it doesn't have to be particularly powerful, but should be responsive enough to support regular ssh and VPN activity.
Avoid USB NICs. Have a look at pfSense: https://www.pfsense.org/getting-started/
-- George N. White III
Working on this as well.
I have looked at pfSense and I am also looking at OPNsense.
I have a friend that uses pfSense for a small network at a resort and does remote admin when required. For wireless he uses dedicated access points. IPFire looks interesting, but it looks like it wants to be more than a firewall/gateway.
The one point my friend mentions is using separate network ports for the various VLANs and combining them at the firewall. He prefers this method for his network.
I would look at a fanless solution as well. We have had some Intel based units that have been major problems with heat. Needed to be in cool rooms all the time. Cannot remember the name though.
pfSense has a list of recommended hardware for throughput bandwidth.
http://pfsensesetup.com/pfsense-hardware-requirements/
It is interesting to read.
Have fun.
If I may offer my $0.02, Fedora on production systems is not a great idea. We manage well over 2000 servers each in two data centers. The vast majority (>85%) are CentOS-based because of its relative stability. The remainder are generally Ubuntu LTS-based, again because of its relative stability.
Fedora changes every 6 months--sometimes in major ways that are not necessarily backwards compatible with existing systems. It is very cumbersome to update 3000+ servers every 6 months and deal with the compatibility issues that crop up. We have to deal with those when CentOS or Ubuntu gets a major upgrade (such as CentOS6 -> CentOS7), but that happens every couple of years and is far more manageable. As far as security is concerned, any significant security patches are generally backported to CentOS and Ubuntu and applied when they come out. The few cases where a patch can't be applied, well, those are fairly rare and dealt with as what they are...exceptions to the general rule.
At the network level, our VPNs and core routers are Cisco, our edge switches are Foundry. We have two 10Gbps uplinks to the Internet so smaller hardware is not an option. Fortunately, I'm well versed in these beasties as Cisco IOS isn't a particularly intuitive system.
For a router/VPN gateway in a SOHO environment (even some medium-sized cases), I'd go along with those who recommended using OpenWRT on inexpensive router hardware. It is Linux-based and optimized for use on such devices. It is relatively easy to manage via its web-based GUI and does its job quite well. Fedora or any full-up Linux system, is (IMHO) overkill in such cases.
Having said all that, do what you wish.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@alldigital.com -
- AIM/Skype: therps2        ICQ: 226437340      Yahoo: origrps2     -
-                                                                    -
- There are only 10 kinds of people in the world -- those who        -
- understand binary and those who don't                              -
----------------------------------------------------------------------
On Thursday, January 10, 2019 1:16:11 PM EST Rick Stevens wrote:
If I may offer my $0.02, Fedora on production systems is not a great idea. We manage well over 2000 servers each in two data centers. The vast majority (>85%) are CentOS-based because of its relative stability. The remainder are generally Ubuntu LTS-based, again because of its relative stability.
Fedora is great for production systems. I think it's wild that people keep saying otherwise, and they consistently list CentOS as being the better option. The only major difference is that Fedora has more frequent updates. That does not make it unstable, for sure. Fedora is always in a stable condition at release.
Fedora changes every 6 months--sometimes in major ways that are not necessarily backwards compatible with existing systems.
Oh, never mind, there it is. You never meant stable, you meant "It updates too often for me to figure out how to manage."
It is very cumbersome to update 3000+ servers every 6 months and deal with the compatibility issues that crop up. We have to deal with those when CentOS or Ubuntu gets a major upgrade (such as CentOS6 -> CentOS7), but that happens every couple of years and is far more manageable. As far as security is concerned, any significant security patches are generally backported to CentOS and Ubuntu and applied when they come out. The few cases where a patch can't be applied, well, those are fairly rare and dealt with as what they are...exceptions to the general rule.
Not at all. This is, in fact, why we have deterministic tools to manage systems. I personally manage well over 1.5k production servers, and a few hundred on-premises servers, all running the latest release of Fedora, with the exception being that I run them with Freed-ora-freedom.
At the network level, our VPNs and core routers are Cisco, our edge switches are Foundry. We have two 10Gbps uplinks to the Internet so smaller hardware is not an option. Fortunately, I'm well versed in these beasties as Cisco IOS isn't a particularly intuitive system.
This is common, and I personally believe that we need to fix this.
For a router/VPN gateway in a SOHO environment (even some medium-sized cases), I'd go along with those who recommended using OpenWRT on inexpensive router hardware. It is Linux-based and optimized for use on such devices. It is relatively easy to manage via its web-based GUI and does its job quite well. Fedora or any full-up Linux system, is (IMHO) overkill in such cases.
A complete Fedora installation would be an excellent, incredibly flexible router.
On Thu, 10 Jan 2019 13:43:11 -0500 John Harris wrote:
Fedora is always in a stable condition at release.
I can't count the number of times moving to the next Fedora release has broken stuff, requiring me to fall back on the old version till things get fixed. Every new Fedora release always comes with a "known bugs" web page that everyone complains doesn't include their bug :-).
I use Fedora, not for its great stability, but because our software needs to run on Red Hat and CentOS, and Fedora gives me an early warning of things that will be broken when they show up in the next CentOS release, so I can already have workarounds or bug fixes in place by then.
On 1/10/19 10:43 AM, John Harris wrote:
On Thursday, January 10, 2019 1:16:11 PM EST Rick Stevens wrote:
If I may offer my $0.02, Fedora on production systems is not a great idea. We manage well over 2000 servers each in two data centers. The vast majority (>85%) are CentOS-based because of its relative stability. The remainder are generally Ubuntu LTS-based, again because of its relative stability.
Fedora is great for production systems. I think it's wild that people keep saying otherwise, and they consistently list CentOS as being the better option. The only major difference is that Fedora has more frequent updates. That does not make it unstable, for sure. Fedora is always in a stable condition at release.
It's compatibility with _existing_ software that's in question here. Is Fedora stable? Well, most of the time. Not always. Upgrades sometimes screw up the boot environment or corrupt the initrd, or any of many other issues. Kernel changes (even minor ones) can wreak havoc with some software.
When clients are dependent on the systems remaining up, you have to give them something that doesn't change constantly or at the very least stays in the same "family". If it's just YOUR stuff, then fine, have at it. I'm the one that gets poked with pointy sticks if a client's software isn't compatible with new OSes and it's not pleasant.
Fedora changes every 6 months--sometimes in major ways that are not necessarily backwards compatible with existing systems.
Oh, never mind, there it is. You never meant stable, you meant "It updates too often for me to figure out how to manage."
You're being silly. There are MANY cases where existing software simply will not farking work on newer OSes due to lack of backwards compatibility, structure changes, default parameters, whatever. When F26 abandoned webkit1, a lot of user-level web stuff broke. The switch from PHP3 to PHP4/5 caused grief. Switching from Java 7 to Java 8 broke many things. Python changes have always been painful. When the kernel went from 3 to 4, a HUGE amount of lower-level things broke (some hardware was no longer supported, drivers couldn't be compiled, etc., etc.).
Even minor upgrades can cause massive grief. Look at the issues that occurred when OpenSSH devalued certain ciphers so suddenly you couldn't log into certain devices that used those ciphers without buggering your openssh.conf file or re-enabling the ciphers on the command line.
It is very cumbersome to update 3000+ servers every 6 months and deal with the compatibility issues that crop up. We have to deal with those when CentOS or Ubuntu gets a major upgrade (such as CentOS6 -> CentOS7), but that happens every couple of years and is far more manageable. As far as security is concerned, any significant security patches are generally backported to CentOS and Ubuntu and applied when they come out. The few cases where a patch can't be applied, well, those are fairly rare and dealt with as what they are...exceptions to the general rule.
Not at all. This is, in fact, why we have deterministic tools to manage systems. I personally manage well over 1.5k production servers, and a few hundred on-premises servers, all running the latest release of Fedora, with the exception being that I run them with Freed-ora-freedom.
Again, if they're running YOUR code and programs, you have much more freedom. The vast majority of us aren't in the same position. I must supply platforms that support existing code and programs that neither we nor our customers wrote and that just flat aren't compatible with newer OSes. I've been in this game >40 years. I know of which I'm speaking.
On top of that, if what you're saying is true then Red Hat should adopt every single Fedora release as the latest RHEL. Using your criteria, F29 should be Red Hat 8. It's stable, why not? F30 should become Red Hat 9 by the same reasoning. So, why does Red Hat wait for major changes to Fedora to accumulate and stabilize for a year or two before adopting it? Because they, as I, have to support old stuff and they know (as I do) that it's not feasible to do so.
How well do your non-upgraded Windows 7 apps run on Windows 10, eh?
At the network level, our VPNs and core routers are Cisco, our edge switches are Foundry. We have two 10Gbps uplinks to the Internet so smaller hardware is not an option. Fortunately, I'm well versed in these beasties as Cisco IOS isn't a particularly intuitive system.
This is common, and I personally believe that we need to fix this.
Then talk to Cisco. I can pretty much guarantee it's not going to happen. IOS does what it does well and they offer CSE status if you're willing to pay for the training and testing process. I'm not a CSE, just a poor bloke who was handed the network keys and was told to "keep it running." Any certification I have is via UHK (the University of Hard Knocks), from which I've graduated summa cum laude.
For a router/VPN gateway in a SOHO environment (even some medium-sized cases), I'd go along with those who recommended using OpenWRT on inexpensive router hardware. It is Linux-based and optimized for use on such devices. It is relatively easy to manage via its web-based GUI and does its job quite well. Fedora, or any full-up Linux system, is (IMHO) overkill in such cases.
A complete Fedora installation would be an excellent, incredibly flexible router.
I agree, but it's massive overkill for what the OP wanted and the hardware is going to be oversized and expensive. OpenWRT on an Asus (or similar) router with five gigabit NICs will serve the needs for 100 normal business users or so in an office and it'd cost <$150 USD.
Ok, I'm getting off my soapbox now. Yaaaaaaaaa-hhhhhhh! (thump!) Ow!
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital ricks@alldigital.com -
- AIM/Skype: therps2 ICQ: 226437340 Yahoo: origrps2 -
- -
- "Swap memory error: You lose your mind" -
----------------------------------------------------------------------
On Thursday, January 10, 2019 1:59:56 PM EST Tom Horsley wrote:
On Thu, 10 Jan 2019 13:43:11 -0500 John Harris wrote:
Fedora is always in a stable condition at release.
I can't count the number of times moving to the next fedora release has broken stuff requiring me to fall back on the old version till things get fixed. Every new fedora release always comes with a "known bugs" web page that everyone complains doesn't include their bug :-).
There will always be bugs. Using an older version is not really a fix.
I use fedora, not for its great stability, but because our software needs to run on redhat and centos and fedora gives me an early warning of things that will be broken when they show up in the next centos release so I can already have workarounds or bug fixes in place by then.
That's a great idea. I do something similar, but I've always got everything close to the bleeding edge. My personal devices run rawhide or branched, everything else runs the latest release.
On Thursday, January 10, 2019 2:45:39 PM EST Rick Stevens wrote:
It's compatibility with _existing_ software that's in question here. Is Fedora stable? Well, most of the time. Not always. Upgrades sometimes screw the boot environment or corrupt the initrd or any of many other issues. Kernel changes (even minor ones) can wreak havoc with some software.
When you refer to "compatibility", do you mean ABI breakage? ABI breakage is a good thing.
As far as boot environment changes, this is one issue I can't say I've ever had, and I use dracut in literally every conceivable way over the course of hundreds of systems, with combinations of custom kernels, Fedora kernel and Linux-libre from the Freed-ora project.
When clients are dependent on the systems remaining up, you have to give them something that doesn't change constantly or at the very least stays in the same "family". If it's just YOUR stuff, then fine, have at it. I'm the one that gets poked with pointy sticks if a client's software isn't compatible with new OSes and it's not pleasant.
I completely agree. So you give them Fedora, and don't change to a different distro when an update comes around.
You're being silly. There are MANY cases where existing software simply will not farking work on newer OSes due to lack of backwards compatibility, structure changes, default parameters, whatever. When F26 abandoned webkit1, a lot of user-level web stuff broke.
Yep. And we moved on.
The switch from PHP3 to PHP4/5 caused grief.
Hold on for the move to PHP7.
Switching from Java 7 to Java 8 broke many things.
Sure, but there's a simple fix for this. Install OpenJDK 7 and run with that directly, or even change the default on your systems to OpenJDK 7, using `alternatives`.
Python changes have always been painful.
I wish I could say "I wouldn't know", but clients complain about it a lot. I've had to teach several people how to use python3, which, unfortunately, meant learning Python.
When the kernel went from 3 to 4, a HUGE amount of lower-level things broke (some hardware was no longer supported, drivers couldn't be compiled, etc., etc.).
It was silly for hardware to be dropped, but I don't know what you mean when you say "drivers couldn't be compiled".
Even minor upgrades can cause massive grief. Look at the issues that occurred when OpenSSH devalued certain ciphers so suddenly you couldn't log into certain devices that used those ciphers without buggering your openssh.conf file or re-enabling the ciphers on the command line.
This one is mind blowing. I cannot believe you're actually suggesting that you'd rather have insecure systems than upgrade to more secure ciphers.
Again, if they're running YOUR code and programs, you have much more freedom. The vast majority of us aren't in the same position. I must supply platforms that support existing code and programs that neither we nor our customers wrote and that just flat aren't compatible with newer OSes. I've been in this game >40 years. I know of which I'm speaking.
This attitude is precisely why there aren't as many Windows servers as there are GNU/Linux servers.
On top of that, if what you're saying is true then Red Hat should adopt every single Fedora release as the latest RHEL. Using your criteria, F29 should be Red Hat 8. It's stable, why not? F30 should become Red Hat 9 by the same reasoning. So, why does Red Hat wait for major changes to Fedora to accumulate and stabilize for a year or two before adopting it? Because they, as I, have to support old stuff and they know (as I do) that it's not feasible to do so.
Red Hat thrives on supporting legacy code, exactly what you suggest you're doing, but in a different context. They provide exactly what is necessary by way of updates, but not much else. RHEL is so far behind, it's not even funny.
How well do your non-upgraded Windows 7 apps run on Windows 10, eh?
I wouldn't know, I don't run Windows on anything, but considering Microsoft's big thing has always been legacy support, and they proudly boast that you can run 27 year old code without recompiling, I'd imagine fairly well.
Then talk to Cisco. I can pretty much guarantee it's not going to happen. IOS does what it does well and they offer CSE status if you're willing to pay for the training and testing process. I'm not a CSE, just a poor bloke who was handed the network keys and was told to "keep it running." Any certification I have is via UHK (the University of Hard Knocks), from which I've graduated summa cum laude.
No, the solution has nothing to do with Cisco. We need to move away from their proprietary hardware, and towards libre solutions such as running our own router software on our own boxes. For example, my home network is a 10G network run from a GA-G41M-ES2L board running coreboot + Fedora with Freed-ora-freedom. Certifications are meaningless. We have access to the internet, anyone that actually tries to solve a problem has the resources to do so.
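Rick's OpenSSH point above (the deprecated ciphers that suddenly locked admins out of older devices) and John's reply (keep the stronger defaults) are really two sides of one configuration decision: re-enabling a legacy algorithm for every connection versus scoping it to the one device that still needs it. The following is an added example, not code from the thread or from any project mentioned in it. It reads an OpenSSH client config as text and reports legacy algorithms that were re-enabled at global scope (outside any `Host` stanza, or under `Host *`) rather than under a stanza for a single host. The legacy-algorithm list, host names and addresses are constructed assumptions; check what your own build actually disables with `ssh -Q cipher` and `ssh -Q kex`.

```python
"""Audit an OpenSSH client config for legacy algorithms re-enabled globally.

Added example, not code from the thread. The legacy-algorithm names below are
a constructed illustrative subset; confirm what your build disables with
`ssh -Q cipher` and `ssh -Q kex`. Host names and addresses are constructed.
"""
import re

# Algorithm names OpenSSH has disabled by default in recent releases
# (constructed subset for illustration, not an authoritative list).
LEGACY = {
    "Ciphers": {"3des-cbc", "aes128-cbc", "aes256-cbc", "arcfour"},
    "KexAlgorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"},
    "HostKeyAlgorithms": {"ssh-dss"},
}
# ssh_config keywords are case-insensitive; map lower-case to canonical name.
_KEYWORDS = {k.lower(): k for k in LEGACY}


def parse_ssh_config(text):
    """Yield (scope, keyword, value) for each directive in an ssh_config text.

    scope is '*' for directives outside any Host/Match block (or under `Host *`),
    otherwise the Host pattern or Match criteria the directive sits under.
    """
    scope = "*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        # Accept both "Keyword value" and "Keyword=value" forms.
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        keyword, value = m.group(1), m.group(2).strip()
        if keyword.lower() == "host":
            scope = value
        elif keyword.lower() == "match":
            scope = "Match " + value
        else:
            yield scope, keyword, value


def legacy_findings(text):
    """Return [(scope, keyword, algorithm)] for every legacy algorithm enabled."""
    findings = []
    for scope, keyword, value in parse_ssh_config(text):
        canon = _KEYWORDS.get(keyword.lower())
        if canon is None:
            continue
        if value.startswith("-"):        # "-algo" removes algorithms; nothing is enabled
            continue
        for algo in value.lstrip("+^").split(","):   # "+" appends, "^" prepends
            algo = algo.strip()
            if algo in LEGACY[canon]:
                findings.append((scope, canon, algo))
    return findings


def global_legacy(text):
    """Findings that weaken every connection, i.e. not confined to one Host."""
    return [f for f in legacy_findings(text) if f[0] == "*"]


# Constructed sample: the quick fix that re-enables a legacy KEX for all hosts.
SAMPLE_GLOBAL = """\
# re-enabled after the upgrade so the old switch would accept logins
KexAlgorithms +diffie-hellman-group1-sha1
Host *
    ServerAliveInterval 30
"""

# Constructed sample: the same exception confined to the one device that needs it.
SAMPLE_SCOPED = """\
Host old-switch
    HostName 192.0.2.10
    KexAlgorithms +diffie-hellman-group1-sha1
    Ciphers +aes128-cbc
Host *
    ServerAliveInterval 30
"""

if __name__ == "__main__":
    for name, cfg in (("global", SAMPLE_GLOBAL), ("scoped", SAMPLE_SCOPED)):
        print(name, "->", global_legacy(cfg) or "no global legacy algorithms")
```

The scoped form keeps the upgraded defaults for every other connection and leaves an auditable record of which device still needs the exception; the same parser can be pointed at `/etc/ssh/ssh_config` or `~/.ssh/config` on a fleet to find the global "fixes" that were applied in a hurry after an upgrade.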
On Fri, Jan 11, 2019 at 3:06 AM John Harris johnmh@splentity.com wrote:
Sorry, one decision for a firewall on low cost hardware with features should definitely be OPNSense
On 1/10/19 5:37 PM, Outback Dingo wrote:
On Fri, Jan 11, 2019 at 3:06 AM John Harris johnmh@splentity.com wrote:
Sorry, one decision for a firewall on low cost hardware with features should definitely be OPNSense
I guess it depends the definition of "low cost hardware" and what the OP really wants to do. OPNSense, at a minimum, requires:
- Single core x86-32 or x86-64 CPU
- 4GB mass storage
- 512MB RAM
- Adequate PCI slots to support the NICs required.
Recommended hardware is:
- Multi-core x86-32 or x86-64 CPU
- 120GB mass storage
- 4GB RAM
- Adequate PCI slots to support the NICs required.
and they claim it can do 750Mbps+ throughput with the recommended hardware config. OPNSense offers more features than OpenWRT (it is a customized FreeBSD implementation after all). That being said, OpenWRT only requires a $150 wireless router for hardware and is stripped down to do just what a router/firewall/VPN is expected to do and not much else. If that's what the OP wants, then that's _my_ recommendation and it's at a lower cost than a minimum hardware OPNSense platform.
Your mileage may vary. Batteries not included. Some assembly required.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital ricks@alldigital.com -
- AIM/Skype: therps2 ICQ: 226437340 Yahoo: origrps2 -
- -
- I'm afraid my karma just ran over your dogma -
----------------------------------------------------------------------
Rick Stevens wrote:
Fedora changes every 6 months--sometimes in major ways that are not necessarily backwards compatible with existing systems.
John Harris sent:
Oh, never mind, there it is. You never meant stable, you meant "It updates too often for me to figure out how to manage."
Stable has more than one meaning. Here's just two:
It's stable if it keeps running, and doesn't crash.
It's stable if the way it works doesn't keep changing. This isn't just how you interface with the thing, it's also how other software interfaces with each other.
On Wed, 9 Jan 2019 at 00:52, Samuel Sieb samuel@sieb.net wrote:
On 1/8/19 4:52 PM, George N. White III wrote:
Avoid USB NIC's. Have a look at pfSense
What is wrong with USB network devices? The USB3 ones can even do Gigabit and they work well.
A router/firewall has to process lots of small packets where latency is more of an issue than raw transfer rates. USB3 is much better than USB2, but there are still extra function calls and you are relying on the quality of the USB3 drivers as well as the ethernet driver. Most reviews of USB3 ethernet devices only consider a desktop role, so may not reflect suitability for router/firewall service.
[...]