apnscp 3.1 development thread

With 3.0 out the door it’s time to begin discussing 3.1 and the feature requests accumulated since beginning work on taking apnscp public.

My proposed order is:

  • IPv6 support
  • 2FA for panel access. Not all services have a means to use 2FA, so the panel would temporarily whitelist an IP that in turn would allow login to other services. Downside is if you have an IP address that moves, it’s a good way to get yourself accidentally banned.
  • SSH key management
  • TimescaleDB, logging of storage/bandwidth quota.
  • haproxy, enables SNI support for Dovecot/Postfix
  • PHP-FPM. There’s diminishing marginal return on high density servers. For example open_basedir is a must to prevent traversal elsewhere. These iteratively perform lstat() syscalls all the way back to root to make sure the path is within the directory. It also disables realpath cache. OPCache is one way to reduce this (cached lookups bypass open_basedir resolution), but even with a 6 GB cache it quickly fills up with 500 domains falling back to its uncached behavior.
  • Block support. Freeze an account, perform an online migration to the new storage block, unfreeze account. Allow accounts to use storage attachments.
  • NextCloud 1-click support

Now’s an excellent time to make any suggestions or hold your peace until 3.2 is released later this year. I’ll have more information on switching over to the experimental master-31 branch at a later date. For now I would recommend against switching if you’re on edge builds.

1 Like

Excited with IPv6 and the 1-click support of ownCloud, I’m currently using nextcloud and I’m curious what advantages does ownCloud have over with nextcloud?

ownCloud is based solely upon feedback from a user. I don’t have sufficient experience with either to give enough criticism; that’s for when I begin implementing. A quick Google confirms though NextCloud is the way to go over ownCloud, if not for performance then at least app availability.

Unless there’s compelling feedback from the person who recommended ownCloud (waiting on that) or someone else I’ll scratch ownCloud for NextCloud. Thanks for the insight :slight_smile:

1 Like

Updated external issue tracker.

Enrollment in 3.1 now available!

For those intrepid users on edge releases who would like to help test 3.1 early, here’s a simple trick to begin running experimental 3.1 code:

cd /usr/local/apnscp
cpcmd config:set apnscp.update-policy edge
git fetch origin
git checkout --track -b master-31 origin/master-31
# Run 3.0-to-3.1, which is a separate set of mandatory 3.1 migrations
cd resources/playbooks
ansible-playbook 3.0-to-3.1.yml
# Run Bootstrapper to update platform configuration
upcp -b

To confirm you’re on 3.1, use git branch:

cd /usr/local/apnscp
git branch
# reports "* master-31" indicating it's on 3.1 branch
cpcmd -o yaml misc:cp-version
# reports 
# revision: <LONG COMMIT STRING>
# timestamp: 1562687637
# ver_maj: 3
# ver_min: 0
# ver_patch: 39
# ver_pre: 50-g<SHORT COMMIT>
# dirty: false

Nightly updates will pull from the active branch, master-31 in this case. To switch back to apnscp 3.0 at any time just run git checkout master ,

cd /usr/local/apnscp
git checkout master
# Reset platform to 3.0
upcp -b

apnscp update policy must be in edge . To put apnscp in edge mode, run cpcmd config_set apnscp.update-policy edge . Failure to do so will revert to the last official 3.0 release.

haproxy + NextCloud coming soon to a 3.1 branch near you!

Let’s discuss some new features in 3.1. I’ll continue posting features as they’re delivered through the pipeline to organize things. Also, CLI supports : between module and method name as well as - instead of _ for easier usage.

Instead of misc_cp_version, this variation is used misc:cp-version. It’s easier to read as well as type.

IMAP/POP3/SMTP SNI

haproxy is now used for SNI termination for mail (IMAP/POP3/SMTP). Migrate SSL certificates using cpcmd email:merge-ssl will merge all configured SSL certificates (LE and non-LE certificates) into the mail server. You can now use domain.com instead of the server name for mail. SNI is only applicable over SSL/TLS (465/993/995), not STARTTLS (587/143/110).

Running a single haproxy in front of these services also provides a gatekeeper to rate-limit abusive clients in the future.

Role variable enumeration

config_get apnscp.bootstrapper now supports role enumeration. For example, to get variables from mail/rspamd, use cpcmd config:get apnscp.bootstrapper mail/rspamd. Overrides from apnscp-vars-runtime.yml will be merged into this value.

cpcmd output formats

The above command is rather verbose. Let’s fix it. cpcmd -o yaml config:get apnscp.bootstrapper mail/rspamd. Now it’s in Yaml format! The following output formats are now supported:

  • yaml
  • json
  • var_dump
  • cli
  • print (old format)

Mainline kernel, CoDel queuing, BBR congestion protocol

Gross curiosity really, apnscp supports running 4.x mainline kernel from ELRepo. cpcmd config:set apnscp.bootstrapper prefer_experimental_kernel true followed by upcp -sb system/kernel. Reboot the machine to bring up 4.x long-term kernel. Note this kernel is not maintained by RedHat and may have bugs.

CoDel is enabled for all servers and a low risk option to reduce network latency.

If you’re running mainline kernel (cpcmd config:set apnscp.bootstrapper custom_kernel_rpm kernel-ml) then BBR is also available to increase throughput without relying on the traditional push/pullback sawtooth algorithm. You can apply these networking tweaks as part of the sysctl role, upcp -sb system/sysctl.

BBR will only be applied if present in the kernel. It’s not present in CentOS/RHEL7, so you’ll need to use a custom kernel or install ELRepo’s mainline kernel. To view available congestion control algorithms:

cat /proc/sys/net/ipv4/tcp_available_congestion_control

CloudFlare DNS servers

New installs automatically change DNS to CloudFlare. Based upon feedback that I’ve received so far, most of your DNS servers suck :cowboy_hat_face:. DNSPerf survey results crown CF with the lowest average latency and one of the highest reliability rates. Enable it if you have an old install with cpcmd config:set apnscp.bootstrapper use_robust_dns true ; upcp -sb common/update-config