Blog

Project Status. Debian 7, Ubuntu 12.04.

New versions of our packages have recently been released. These include some minor fixes to the base system and the addition of repositories compatible with Debian 7 and Ubuntu 12.04. You can find the updated release at the regular location.

Launch OpenApp NAP firewall and loadbalancer

In August last year we introduced the OpenApp images. OpenApp is a collection of useful, OpenPanel based, virtual server images, providing support for a single website and application, such as WordPress, Joomla or MySQL.

For single instances of an application OpenApp is the perfect solution but we also saw demand for a fully functional load balancer and firewall that can be controlled via a simple interface.

This is why we have developed OpenApp Networking App (OpenApp NAP): an Open Source load balancer / firewall supporting High Availability setups and offering a friendly and elegant user interface. You can find it on our site and Wiki. We will release a handy VMware image soon.

OpenApp NAP consists of the following:

  • Loadbalancing via Keepalived
  • Firewalling and NAT’ing through iptables
  • A High Availability master-slave setup is possible (also using Keepalived)
  • VPN possibility via PPTP
  • Backups, updates and alert mails can be automated.
  • All functionality manageable via an easy to use interface.

OpenApp NAP is currently based on Ubuntu 10.04 LTS, offering all benefits of the Ubuntu LTS support. Support for IPv6 loadbalancing is underway and will be offered once we upgrade to Ubuntu 12.04 LTS.

With OpenApp NAP we hope to have created yet another useful OpenPanel implementation. We would like to invite system administrators to try it out and use it. All feedback is welcome.

Distribution-specific builds

For quite some time now, we’ve attempted to distribute OpenPanel as a single set of packages. In theory this works fine, as ABI changes should be reflected in Debian’s package names. However, more and more problems came up lately where older versions of libraries vanished from newer distributions and Ubuntu has shown more ABI-divergence from Debian than we anticipated.

To solve this problem, we’ve decided to create separate builds for each of our supported platforms: Debian Lenny and Squeeze, Ubuntu Lucid and Natty. For now, Ubuntu Oneiric and Precise point to Natty’s packages, and Ubuntu Maverick points to Lucid’s packages. Note that these platforms are not supported (yet).

To switch your OpenPanel installation to the new packages, you’ll need to change your /etc/apt/sources.list. The basic syntax is:

deb http://download.openpanel.com/deb <distribution> main 
deb-src http://download.openpanel.com/deb <distribution> main

where distribution should be replaced by the code name for your distribution; either lenny, squeeze, wheezy, lucid, maverick, natty, oneiric or precise.

For OpenApp, append openapp to the deb line:

deb http://download.openpanel.com/deb <distribution> main openapp
deb-src http://download.openpanel.com/deb <distribution> main openapp

Keep in mind that Ubuntu 10.04 Lucid is presently the only supported distribution for OpenApp; other distributions might just work, but we’ve never tested it.

OpenApp: 1.1 Version and New Images

On the 31st of August the OpenPanel team released OpenApp, a series of Ubuntu 10.01 LTS based packages that are optimised for a single application or website. OpenApp runs a stripped down version of OpenPanel with some extra functionality specific to the relevant software. OpenApp turns out to be quite popular because users can quickly deploy optimised servers, allowing them to focus on their business instead of becoming installation experts.

OpenApp is available as a package and also as VMware image. Since the launch we have added 3 applications and we currently offer the following versions:

The complete OpenApp wiki can be found here.

Today we launched the 1.1 version adding the following functionality:
* You can activate FTP uploading from the control panel.
* Backups can be made or removed from the interface.
* Control automatic updates of system software from the interface.
* Packages are signed using our GPG key

Besides the above points we fixed bugs and made various small improvements. The next steps will be to add more backup and update management and a bugtracking image. Please let us know if you have any ideas about how to make OpenApp more useful to you.

OpenApp images launched

Because OpenPanel is an elegant and light solution, a large number of OpenPanel users are using it to host a single site or web application.

However, these users got a lot of multi-site OpenPanel functionality they did not use, while at the same time missing some functionality, such as the possibility to change access settings in the application or to arrange backups. And once the environment is configured, it is sometimes difficult to keep the software up to date.

OpenApp is a series of Ubuntu 10.04 LTS based packages. Each package offers one popular application and runs a single-site version of OpenPanel that is optimised for the relevant application. These configurations are also available as VMware images on our download page. OpenApp is ideal for owners of serious websites and developers. It could be used by cloud providers to enhance their offering of configuration alternatives.

Deploy – You can easily deploy an openapp image by taking an Ubuntu 10.04 install and executing “apt-get install openapp-[joomla / rails / wordpress etc.]”. Alternatively you can download and deploy the relevant image.

Update – We will keep the packages up to date so the system software will be easy to update using “apt-get (dist-)upgrade”. The application can be updated using its own interface.

Backup – You can create tarball based backups to rebuild your server or to create a clone of your environment.

Tuning – openapp Tuning automatically tunes the database and web server to optimise performance on the WordPress, Joomla, MySQL and Ruby images.

We currently offer the following configurations:

The 4 images we currently offer will soon be expanded with Drupal, Apache Tomcat and Symphony appliances. After that we will add more popular applications. We will also make it easier to manage backups and updates via the interface.

Even though these packages carry a 1.0 label, they’re pretty fresh. We expect that they are mostly bug free, but any feedback is welcome. We would especially like to hear it if you get stuck anywhere and do not know what to do.

1.1

It’s been quiet for a while, but that does not mean we have not been busy. Today, we release OpenPanel 1.1. Apart from a big bunch of minor fixes and tweaks, 1.1 brings:

  • a revised GUI that now fills browser windows
  • support for configuring HTTPS
  • per-domain spam filtering with SpamAssassin
  • IPv6 is now officially supported
  • Official support for Debian 6, Ubuntu 10.04 and Ubuntu 10.10

Development of 1.1 happened primarily on Ubuntu 10.04 but we have tried to test on Debian 5, Debian 6 and Ubuntu 10.10 too. Anything that works on one of those but not all of them will be treated as a serious bug!

You can find upgrade instructions on our download page.

After 1.1, we will spend some time focusing on a new project called OpenApp, which will revolutionize appliance hosting ;)

Openpanel on embedded hardware

Lacie NetworkSpace2

In the past months, there has been some demand for Armel support for OpenPanel. We never really got around to fixing the bugs which stopped the platform from working. Part of that was priorities: OpenPanel is in production on Intel and AMD processors, so fixing bugs for those platforms takes precedence. Another part was lack of hardware. The latter changed recently when a friend offered us access to his LaCie NetworkSpace2 running Debian Squeeze. He had already compiled OpenPanel from source, and he was experiencing all the known bugs for the Armel platform. He gave us root access to the machine, so we could research some issues. We spent a few late evenings on the target, and we managed to fix all of the most annoying bugs.

OpenPanel is far from mature on Armel. The userbase is slim and we don’t actually test on the platform. However, we have set up our automated builder to build Armel binaries, so you can test easily. To use it, add “deb http://download.openpanel.com/dev lenny main” to your sources.list. Be advised that these are bleeding edge builds; we don’t actually test these and they tend to break frequently. Even though Armel will not be an officially supported platform for OpenPanel 1.1, we will provide stable builds for Armel.

Secure downloads

Recently, a 0day security flaw was published for ProFTPd. The ProFTPd crew responded quickly, and patched the flaw within a few days. Unfortunately, the server used to host the source code got compromised, and criminals were able to add a backdoor to the source code on the official distribution servers. Even though the added backdoor invalidated the provided gpg signatures, it took three days for the issue to be found and fixed.

The true problem with signing the source code is that it’s not a way to protect your users. It is a way to allow your users to protect themselves. If users don’t check the signatures, they are not protected. While checking a signature isn’t particularly hard, it’s quite a bit of extra work. In addition to downloading the tarball, you need to download the signature, obtain and verify the key, and verify the signatures. These extra steps take quite a bit of extra time, and most users don’t want to spend that time. Fortunately for Debian users, apt-get can do most of these tasks for you automatically.

Though apt-get automates most of the work for you, there is one step which needs human intervention: verifying the key. If our download server is compromised, the attacker could not only replace the source code and executables, he could also replace the signatures and the public key we host there. Once both the public key and the signatures are compromised, new users have no way of knowing the signatures are fake. Fortunately, our public key is also hosted elsewhere (on all public key servers). The ID is 4EAC69B9.

You should always check the key before importing it, but we’re aware few people actually do that. To reduce the risk, our download server (which hosts the signed content) and our webserver (which provides instructions for getting the key) are independent machines on independent Linux distributions with very different software profiles. Both machines would need to be compromised in order for the user to be tricked into downloading compromised code. Though this is certainly not impossible, the likelihood is low.
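
One way to do the key check described above before importing, shown as an added example that is not OpenPanel's own tooling: compare the downloaded key's full 40-digit fingerprint with a value obtained from a source other than the download server, since an 8-digit ID is short enough for unrelated keys to share it. The fingerprints and key listings are constructed stand-ins (the page gives only the short ID), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. All fingerprints below are constructed, not the real key's.

# Print the primary key's fingerprint from `gpg --with-colons` output on stdin:
# it is field 10 of the first "fpr" record after the "pub" record.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# Normalise a fingerprint as people paste it: drop blanks, upper-case the hex.
norm_fpr() { printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'; }

# Last 8 hex digits of a fingerprint, i.e. the short key ID.
short_id() { norm_fpr "$1" | sed 's/.*\(........\)$/\1/'; }

# check_key EXPECTED_FPR < colon-listing
# 0 = full fingerprint matches, 1 = mismatch, 2 = EXPECTED_FPR is not 40 hex digits.
check_key() {
    want=$(norm_fpr "$1")
    case "$want" in ''|*[!0-9A-F]*) want='' ;; esac
    [ "${#want}" -eq 40 ] || { echo "need a full 40-digit fingerprint" >&2; return 2; }
    got=$(primary_fpr)
    [ "$got" = "$want" ] || { echo "fingerprint mismatch: ${got:-none}" >&2; return 1; }
}

# Real use (needs GnuPG 2.x): verify_keyfile downloaded.asc "$PINNED", then import.
verify_keyfile() { gpg --show-keys --with-colons "$1" | check_key "$2"; }

# Constructed sample: two different keys that share the short ID 4EAC69B9.
# PINNED stands in for a fingerprint obtained out of band.
PINNED='AAAA 1111 BBBB 2222 CCCC 3333 DDDD 4444 4EAC 69B9'
FPR_B='0123456789ABCDEF0123456789ABCDEF4EAC69B9'
LISTING_A='pub:-:2048:1:DDDD44444EAC69B9:1262304000:::-:::scESC:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD44444EAC69B9:
uid:-::::1262304000::::Constructed Key A <a@example.invalid>:
sub:-:2048:1:1111222233334444:1262304000::::::e:
fpr:::::::::9999888877776666555544443333222211110000:'
LISTING_B="pub:-:2048:1:89ABCDEF4EAC69B9:1262304000:::-:::scESC:
fpr:::::::::${FPR_B}:
uid:-::::1262304000::::Constructed Key B <b@example.invalid>:"

printf '%s\n' "$LISTING_A" | check_key "$PINNED" && echo "key A accepted"
printf '%s\n' "$LISTING_B" | check_key "$PINNED" 2>/dev/null ||
    echo "key B rejected although its short ID is also $(short_id "$FPR_B")"
```
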

IPv6

We expect IPv6 to be a very hot topic in 2011. According to all but the most optimistic forecasts, we’ll run out of IPv4 addresses this year. Oddly enough, IPv6 isn’t very popular at the moment: only a small percentage of the domains we encounter on a daily basis provide an AAAA record. Very few clients can actually access IPv6-only servers, and virtually no clients are IPv6 only. The online world seems oblivious to the impending doom caused by IPv4 shortage.

OpenPanel can be accessed through IPv6, courtesy of Pound, the SSL proxy we use to secure the interface. All features are IPv6-compatible. IPTables allows for IPv6-specific rules since version 1.0.2 of that module. Unfortunately, the openpanel-cli client has remote server support which is currently limited to IPv4.

We intend to drop Pound for 1.1, with OpenPanel taking care of its own SSL and IPv6 connections. Once that is done, openpanel-cli will support IPv6, too. So for the purists among us: OpenPanel 1.1 will be fully IPv6 compliant.

Operating system breakdown

After two weeks of OpenPanel the shape of our community is becoming clearer and clearer. While the distribution of operating systems is interesting, we’re not really surprised. Right now we only officially support Debian 5, so it was to be expected that the majority (54%) of our users are using that.

What is surprising is the prominent presence of Ubuntu, which is not officially supported for 1.0. While we did some testing on Ubuntu, there were still a few small issues. Fortunately the Ubuntu users reported their issues, and most of them could be resolved in a point release. Right now, OpenPanel 1.0 seems to run fine on Ubuntu 10.04 “Lucid” and 10.10 “Maverick”. Because of this, we’re pleased to announce that these targets will officially be supported under OpenPanel 1.1.

Project supported by CloudVPS, a leading European cloud server provider.