I’ve only ever used desktop Linux and don’t have server admin experience (unless you count hosting Minecraft servers on my personal machine lol). Currently using Artix and Void for my desktop computers as I’ve grown fond of runit.
I’m going to get a VPS for some personal projects and am at the point of deciding what distro I want to use. While I imagine that systemd is generally the best for servers due to the far more widespread support (therefore it’s better for the stability needs of a server), I have a somewhat high threat model compared to most people so I was wondering if maybe I should use something like runit instead which is much smaller and less vulnerable. Security needs are also the reason why I’m leaning away from using something like Debian, because how outdated the packages are would likely leave me open to vulnerabilities. Correct me if I’m misunderstanding any of that though.
Other than that I’m not sure what considerations there are to make for my server distro. Maybe a more mainstream distro would be more likely to have the software in its repos that I need to host my various projects. On the other hand, I don’t have any experience with, say, Fedora, and it’d probably be a lot easier for me to stick to something I know.
In terms of what I want to do with the VPS, it’ll be more general-purpose and hosting a few different projects. Currently thinking of hosting a Matrix instance, a Mastodon instance, a NextCloud instance, an SMTP server, and a light website, but I’m sure I’ll want to stick more miscellaneous stuff on there too.
So what distro do you use for your server hosting? What things should I consider when picking a distro?
I love Debian for servers. Super stable. No surprises. It just works. And millions of other people use it as well in case I need to look something up.
And even when I’m lazy and don’t update to the latest release oldstable will be supported for years and years.
@bjoern_tantau @communism That ‘support for years and years’ means security support. So even if the nominal versions stay stable, security fixes are backported. Security scans that only check versions usually give false positives: they think fixes in newer versions are not present when in fact they are.
Many others distros do exactly the same. I only chose Debian because the amount of software already packaged in the distro itself is bigger than any other, barring 3rd party repos.
Debian
This is the way.
Add unattended-upgrades, and never worry about security updates.
I’m using cron to run daily “sudo apt update && sudo apt upgrade -y” LMAO, what’s the way to use unattended-upgrades?
Thx
Edit: I will stay with cron I believe it’s easier to configure.
sudo apt install cron sudo crontab -e @daily sudo apt update && sudo apt upgrade -y
Easy peasy…
sudo apt install cron sudo crontab -e @daily sudo apt update && sudo apt upgrade -y
I have 20 years of history with the RPM version of this workflow and up to EL6 it was solid like bedrock. Now it’s merely solid like a rock, but that’s nothing to do with the tools or formats but the payload. And as long as it stays acceptably good, this should do us for another 20 years.
Controlling the supply chain is important, though, but is far more scalable where effort is concerned.
Debian. This is the way (for servers).
My server is running headless Debian. I run what I can in a Docker container. My experience has been rock solid.
From what I understand Debian isn’t less secure due to the late updates. If anything it’s the opposite.
I run NixOS. It (or something like it, with a central declarative configuration for basically everything on the system) is imo the ideal server distro.
I think I can sense your love/hate relationship with nixos from here :) you are not alone
Very true haha. NixOS is great and the best I’ve got right now but I would lie if I said it has never been painful.
Especially for desktop use I want to build my own distro which takes a lot from NixOS, mostly in terms of the central configuration but not much else (I definitely want a more sane package installation situation where you don’t need stuff like wrapper scripts which are incredibly awful imo), but also other distros, and also with some unconventional things (such as building it around GNUstep). But who knows if that ever gets off the ground, I have way too many projects with enormous scale…
Always, always, always: Debian. It’s not even a debate. Ubuntu is a mess for using as a server with their snaps bullshit. Leave that trash on the desktop, it’s a mess on a server.
Snaps are meant for server applications but yeah
I tried them by standing up a snap based docker server and it was a nightmare. Never again.
Snaps are meant for server applications
That’s a frightening statement. I don’t work in secret-squirrel shit these days, but I do private-squirrel stuff, and snaps are just everything our security guys wake up at night to, screaming. Back when I ran security for a company, the entire idea would have been an insta-fuckno . Please, carefully reconsider the choices that put you in a position where snaps are the best answer.
why is that?
Do explain with reasoning please!
Always Debian. I’m most comfortable in an environment with
apt
, and that’s even more important on a serverDebian, with a Kubernetes cluster on top running a bunch of Debian & Alpine containers. Never ever Ubuntu.
Never ever Ubuntu
Why’s that?
Because Ubuntu is the worst of both worlds. Its packages are both old and unstable, offering zero benefit over always-up-to-date distros like Arch or the standard Debian.
Especially when you’re running a containerised environment, there’s just no reason to opt for anything other than a stable, boring base OS while your containers can be as bleeding edge, crazy, or even Ubuntu-based as you like.
Gotcha 👍 makes sense
Probably mostly for their corporate fuckery
it’s just less reliable, more corporate, more bloated debian
… so why would you?
I second this. I run fedora on my desktop and debian on the server. Docker works great on debian as well.
@communism Debian is an easy pick, but sometimes I can do alpine. Generally, it’s all in containers anyway, so doesn’t really matters.
I switched mine to NixOS a while ago. It’s got a steep learning curve, but it’s really nice having the entire server config exist in a handful of files.
uCore spin of Fedora CoreOS:
https://github.com/ublue-os/ucore
- SELinux
- Supports secure boot
- Immutable root partition (can’t be tampered with)
- Rootless Podman (significantly more secure than Docker)
- Everything runs in containers
- Smart and secure opinionated defaults
- Fedora base is very up-to-date, compared to something like Debian
How did you set up the intial system?
From what I’ve seen, FCOS needs an ignition file and has no Anaconda installer. I would like to set it up soon too, but it looked like a huge hazzle…Yes you need an ignition file, but you just need to put it on any web accessible (local) host.
I used a docker one-liner on my laptop to host the server:
docker run -p 5080:80 --name quick-webserver -v "$PWD":/var/www/html php:7.2-apache
And put this Ignition file in the directory I ran the above command from.
You could equally put the Ignition file on some other web host you have, or even Github.
That’s it, that’s the only steps.
If you want atomic Fedora but don’t want to deal with the ignition file stuff, check out Fedora IoT.
Thing is, uCore has some very neat things I want, and FIOT doesn’t provide me such a great OOTB experience compared to the uBlue variant.
I’m also not sure if I even should decide for Fedora Atomic as a server host OS.
I really love Atomic as desktop distro, because it is pretty close to upstream, while still being stable (as in how often things change).
For a desktop workstation, that’s great, because DEs for example get only better with each update, and I want to be as close to upstream as possible, without sacrificing reliability.
The two major releases each year cycle is great for that.But for a server, even with the more stable kernel, I think that’s maybe too unstable? I think Debian is less maintenance, because it doesn’t change as often, and also doesn’t require rebooting as often.
What’s your experience with it?
doesn’t require rebooting as often.
You have to reboot to upgrade to the latest image, so you’ll have to get rid of the ideal of uptime with years showing on the clock.
Rebooting is optional, and so far it’s been rock solid. Since your workload is all containerised everything just comes up perfectly after a reboot without any intervention.
I think Debian is less maintenance
Arguably that’s the best feature of an atomic server. I don’t need to perform any maintenance, and I don’t need to worry that I’ve configured it in some way that has reduced my security. That’s all handled for me upstream.
Debian
Debian has been rock solid for me.
It’s not insecure. Quite the contrary debian repositories only include packages that has been through extensive testing and had been found secure and stable. And of course it regularly introduce security updates.
It’s not insecure.
There’s the inconvenient truth: it’s easiest to secure an OS, say for enterprise life, the farther you are from the bleeding edge: churn is lower, the targets move dramatically slower, and testing an install set (as a set) is markedly easier. It’s why enterprise linux distros are ALL version-branched at a given version, and only port security fixes in: if you need to change a package and start the extensive testing, keep it to security fixes and similarly drastic reasons.
So most ent-like distros aren’t insecure; not at all. Security is the goal and the reason they endure wave after yearly wave of people not understanding why they don’t surf that bleeding edge. They don’t get it.
Enterprise distros also offer a really stable platform to release stuff on; that was a mantra the sales team used for Open that we’d stress in ISV Engineering too, as we dealt with companies and people porting onto Open. But ISVs had their own inexperienced types for whom the idea of a stable platform that guaranteed a long life to their product with guaranteed compatibility wasn’t as valuable as “ooh shiny”. But that was the indirect benefit: market your Sybase or ProgressDb on the brand new release and once it’s working you don’t have to care about library rug-pulls or similar surprises for a fucking decade (or half that as you start the next wave onto the next distro release). And 5 years is a much better cadence than ‘every week’.
So while it’s easy to secure and support something that never moves, that’s also not feasible: you have to march forward. So ent distros stay a little back from the bleeding edge, market ‘RHL7’ or ‘OL31’ as a stable LTS distro, and try to get people onto it so they have a better time of it.
Just, now devs have to cope with libs and tools that are, on average, 5 years stale. For some, that’s not acceptable. And that’s always the challenge.
I just use debian cause it’s rock solid and most of what I set up are in containers or VM’S anyways
NixOS for my homelab that I like to tinker with, Debian as Docker host for the server people actually rely on