
Just glanced at this - what is scary to me to see is the amount of trust people give to these "turnkey" hubs, as in - supply chain attack anyone?

I wonder if PVE users understand - with the feature to be this neatly integrated - what they are actually getting, from whom.
 
I wonder if PVE users understand - with the feature to be this neatly integrated - what they are actually getting, from whom.
This!

Nevertheless for me Turnkey is on the more trustworthy part of "the net", at least it is a stable company (with its own interests of course). Downloading some random Docker images from an unknown person with no verifiable reputation is much more... problematic.

Reputation is one reason I do use plain Debian VMs in more than 95% or so. Also my rule is "one service = one VM", so no Multi-Docker-VMs or containers for me. Disclaimer: exceptions exist and prove that rule. :cool:

Disclaimer 2: I am talking about my homelab, my dayjob is more stringent...
 
In the end it doesn't matter whether people download a docker file, a turnkey appliance or a "hel(l)per script" if they don't do their due diligence.
Concerning trust I think the official Docker image of a software is more trustworthy than a third-party container or script.
It doesn't matter though for people like the /r/homelab crowd, they won't listen to advice against trusting helper scripts/turnkey appliances or dockerfiles in any case.

This problem is not PVE-specific though, lxd, truenas, unraid and incus have the same issues, which is more social than technical.
 
It doesn't matter though for people like the /r/homelab crowd, they won't listen to advice against trusting helper scripts/turnkey appliances or dockerfiles in any case.

I don't think this addresses the point brought into light here, where the OP clearly does not even know the payloads he is getting do NOT come from Proxmox.
 
This problem is not PVE-specific though, lxd, truenas, unraid and incus have the same issues, which is more social than technical.

So you are comparing e.g. Linux Containers builds that are done with their own tool and I can see everything [1] used with their own tooling that is completely free and open-source with using a 3rd party (in relation to Proxmox) that publishes ... everything possible and provides this kind of README [2] that comes "from upstream source code to /var/www/wordpress"?

[1] https://jenkins.linuxcontainers.org...cture=amd64,release=bookworm,variant=default/
[2] https://github.com/turnkeylinux-apps/wordpress
 
Yes. Both can be compromised and used for supply chain attacks.
So for me it doesn't really matter whether people download a template from turnkey or from proxmox or truenas Apps repository: In each of these cases they should do their due diligence before downloading and trusting it.
The Proxmox integration makes deployment easier but it's not a reason people shouldn't be expected to do basic sysadmin work.
The same is true for "helper scripts" except they are even less trustworthy in my book since they tend to break even when used as designed.
 
Yes. Both can be compromised and used for supply chain attacks.

The two cases I took are very different.

So for me it doesn't really matter whether people download a template from turnkey or from proxmox or truenas Apps repository

I do not know much about TrueNAS, it might be true there.

The Proxmox integration makes deployment easier but it's not a reason people shouldn't be expected to do basic sysadmin work.

Maybe a popup on first use?

The same is true for "helper scripts" except they are even less trustworthy in my book since they tend to break even when used as designed.

I know of such, those removing the no subscription popup, everyone applies them and Proxmox did nothing to make it less likely.
 
I do not know much about TrueNAS, it might be true there.
TrueNAS has "official" apps and the possibility to install custom 3rd party apps. Technically it's kubernetes up to 24.04 and docker-compose beginning with 24.10.
Obviously this is a potential attack vector for supply-chain attacks and most users don't really care. I doubt they would be more cautious if there was a popup advising against installing stuff from the Internet without understanding it.
Maybe a popup on first use?
Why? That you shouldn't trust a download from the Internet is common sense in serious system administration. Homelabbers will ignore it nonetheless. In the end this will lead to more hellish helper scripts to remove the oh-so-annoying popup.
 
Why? That you shouldn't trust a download from the Internet is common sense in serious system administration.

I always thought the "why" is obvious, because they supposedly care about their users, in this case the case is quite easy to be made - the fact turnkey appears to be a built-in feature does not even make it obvious the user is downloading anything.

Homelabbers will ignore it nonetheless.

This reminds me of the argument I received in BZ about firewall that may not load host ruleset is not something to inform users about because those users who rely on it (or keep their 8006 open) are anyways somehow not caring about security, so why let them know.

In the end this will lead to more hellish helper scripts to remove the oh-so-annoying popup.

I don't care for it, but it shows how much users do not matter to Proxmox, the very same users who are however good enough to be unpaid pre-production testers.
 
I always thought the "why" is obvious, because they supposedly care about their users, in this case the case is quite easy to be made - the fact turnkey appears to be a built-in feature does not even make it obvious the user is downloading anything.
But as soon as I install a template I see that something is downloaded. And if I actually bothered to read the manual before (heresy to assume this I know!) I would find the following:

Proxmox VE itself provides a variety of basic templates for the most common Linux distributions. They can be downloaded using the GUI or the pveam (short for Proxmox VE Appliance Manager) command-line utility. Additionally, TurnKey Linux container templates are also available to download.
( https://pve.proxmox.com/wiki/Linux_Container and https://pve.proxmox.com/pve-docs/chapter-pct.html )

So according to the doc the official templates need to be downloaded as well as the TKL templates. For me the wording is enough to show, that although the download was integrated for easier deployment it's from a third party and should be trusted like any third party application (e.g. first check what's actually in it, then hit "download"). Now I know many people (myself included) don't read manuals but play around first. I don't think that this will change if this feature is removed (because then even more homelabbers will go the road to hell aka hel(l)per scripts) or another popup is displayed.

This reminds me of the argument I received in BZ about firewall that may not load host ruleset is not something to inform users about because those users who rely on it (or keep their 8006 open) are anyways somehow not caring about security, so why let them know.
I actually agree with the developers on it. Of course it's a security issue (like the cups-browsed root exploit published one month ago) but it's not a big deal if people follow best practice (same story as with cups-browsed). It's way overblown to call this a big issue that during boot firewall rules need some time to get active. Even home users should know better than to attach their PVE server directly to the internet.
I don't care for it, but it shows how much users do not matter to Proxmox, the very same users who are however good enough to be unpaid pre-production testers.
This goes in both directions: If I don't want to pay for support I pay by being a pre-production tester. In my world this is a fair deal because I can't afford even the community subscription. Even if I had a subscription in the end securing my systems is my responsibility. If I attach a production server to the Internet with some third-party software without any due diligence or security measures in my dayjob I probably won't have to worry about this job sooner or later. And if I do this in my home LAN and get owned I have nobody to blame but myself. It's not like some end-user software where you can't expect the users not to know how to secure their stuff: PVE is a software designed to be administrated by people who have at least some basic IT operations skills.
I don't think it's a good idea for such software to hold hands with users who don't bother to learn these skills.
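The "first check what's actually in it, then hit download" step that keeps coming up in this thread can be made concrete. The script below is an added example, not code from this thread, from Proxmox or from TurnKey: it reviews the listing of a container template tarball (the kind `pveam` places under the storage's template cache, `/var/lib/vz/template/cache/` for the default `local` storage) and flags the entries a reviewer would want to look at before creating a container from it: setuid/setgid files, members that would write outside the extraction root, pre-seeded SSH authorized_keys, cron entries, and first-boot hooks. It only reads the archive listing, never extracts or executes anything, and builds its own constructed sample template so it runs offline; the file names inside the sample are made up for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the forum thread, Proxmox or TurnKey): a pre-flight
# review of an LXC rootfs template tarball before a container is created from it.
set -eu

# Print one line per finding, based only on the tar listing (nothing is extracted):
#   setuid - files carrying the setuid/setgid bit ('s' or 'S' in the mode string)
#   escape - member names that are absolute or contain a '..' path component
#   sshkey - pre-seeded ~/.ssh/authorized_keys files
#   cron   - crontab, cron.d or cron spool entries
#   boot   - rc.local or custom systemd units that run at first boot
inspect_template() {
  tpl="$1"
  tar -tvf "$tpl" | awk '
    $1 ~ /^d/ { next }                                  # skip directory entries
    {
      name = $NF                                          # member path is the last field
      if (NF > 2 && $(NF-1) == "->") name = $(NF-2)       # symlink lines end in "name -> target"
      if (substr($1, 4, 1) ~ /[sS]/ || substr($1, 7, 1) ~ /[sS]/) print "setuid  " $1 "  " name
      if (name ~ /^\// || name ~ /(^|\/)\.\.(\/|$)/)                print "escape  " name
      if (name ~ /(^|\/)\.ssh\/authorized_keys$/)                     print "sshkey  " name
      if (name ~ /(^|\/)etc\/crontab$/ || name ~ /(^|\/)etc\/cron\.d\// || name ~ /(^|\/)var\/spool\/cron\//) print "cron    " name
      if (name ~ /(^|\/)etc\/rc\.local$/ || name ~ /(^|\/)etc\/systemd\/system\/[^\/]+\.service$/)         print "boot    " name
    }'
}

# Number of findings, as a plain integer (0 when the listing is clean).
count_findings() {
  inspect_template "$1" | awk 'END { print NR }'
}

# Constructed sample template (NOT a real TurnKey image): a tiny rootfs with one
# ordinary web file plus the kinds of entries a reviewer should see flagged.
make_sample_template() {
  out="$1"
  root=$(mktemp -d)
  mkdir -p "$root/etc/cron.d" "$root/root/.ssh" "$root/usr/bin" \
           "$root/etc/systemd/system" "$root/var/www"
  printf 'hello\n' > "$root/var/www/index.html"                    # benign content
  printf '#!/bin/sh\n' > "$root/usr/bin/helper"
  chmod 4755 "$root/usr/bin/helper"                                 # setuid binary
  printf 'ssh-ed25519 AAAA-constructed-sample-key\n' > "$root/root/.ssh/authorized_keys"
  printf '* * * * * root /usr/bin/helper\n' > "$root/etc/cron.d/helper"
  printf '[Service]\nExecStart=/usr/bin/helper\n' > "$root/etc/systemd/system/helper.service"
  tar -cf "$out" -C "$root" .
  rm -rf "$root"
}

# Demo run: build the constructed sample and review it.
sample=$(mktemp)
make_sample_template "$sample"
inspect_template "$sample"
printf '%s finding(s) in %s\n' "$(count_findings "$sample")" "$sample"
rm -f "$sample"
```

Point `inspect_template` at a real template file instead of the constructed sample to review it; a finding is not proof of anything malicious (TurnKey images legitimately ship setuid binaries and service units), it is the list of things to read before trusting the image, which is exactly the due diligence the thread is arguing about.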
 
So according to the doc the official templates need to be downloaded as well as the TKL templates. For me the wording is enough to show, that although the download was integrated for easier deployment it's from a third party and should be trusted like any third party application (e.g. first check what's actually in it, then hit "download").

I did not mean to end up dissecting wording of the docs. One-time only (on first use) popup about you are using 3rd party templates, link here, goes a long way. Blaming users for not reading (or interpreting correctly) documentation is a very strange take on it. If Proxmox was licensing out the same way commercial solutions, a lawyer would ask them to make this explicit enough for their own sake.

Now I know many people (myself included) don't read manuals but play around first.

Not just that, but it is unreasonable to expect anyone to read every single piece of docs - and by definition people do not know what they do not know, so hard to pick the key areas to read on.

I don't think that this will change if this feature is removed (because then even more homelabbers will go the road to hell aka hel(l)per scripts) or another popup is displayed.

Not if it's one-off. BTW The same would be applicable to the "nag" popup that serves no purpose but puts users at risk.

it's not a big deal if people follow best practice

There's no best practice on security published by Proxmox, whatsoever.

It's way overblown to call this a big issue that during boot firewall rules need some time to get active.

This is a reason to return security appliances (mostly from the 90s) for a refund. In case of PVE the caveat is that the host stays without loaded ruleset for good in an unlucky case as well.

Even home users should know better than to attach their PVE server directly to the internet.

I noticed on this forum, most things are users' fault.

This goes in both directions: If I don't want to pay for support I pay by being a pre-production tester.

With the caveat it is sneaky (you are not told you are a tester) and you pay double - you test and you get to experience nagging by the very party that misled you.

In my world this is a fair deal because I can't afford even the community subscription.

In my world, this is taking advantage of those not in the know, be it users (involuntary testers), contributors (licensing IN differently than OUT) and playing victim when caught with pants down.

If I attach a production server to the Internet with some third-party software without any due diligence or security measures in my dayjob I probably won't have to worry about this job sooner or later.

This is why you deploy something with SLA and you know there won't be any skeletons in the wardrobe.

And if I do this in my home LAN and get owned I have nobody to blame but myself. It's not like some end-user software where you can't expect the users not to know how to secure their stuff: PVE is a software designed to be administrated by people who have at least some basic IT operations skills.

I have mixed feelings on this one. If they need to resort to nag people for <$100 / yr subscription, then they target and depend on the people who they have to presume have little IT skills.

I don't think it's a good idea for such software to hold hands with users who don't bother to learn these skills.

If I turn this around, if you install e.g. Fedora and add Cockpit, you have libvirt and you are not at risk. So it is possible.
 
Not if it's one-off. BTW The same would be applicable to the "nag" popup that serves no purpose but puts users at risk.

This is not true. It's a reminder for users to tell them, that although PVE is available free of cost, its development needs to be funded somehow and that running without subscription won't get support. To remind users that in the end somebody needs to pay the bills is not evil but just business as usual.
There's no best practice on security published by Proxmox, whatsoever.

Yes and this is fine in my book since best practices for Linux (or any OS) system administration apply too. A custom guide for PVE would be pointless since it would be redundant and would need additional maintenance work to be up to date.
Anybody who runs server software should be aware of it or at least be willing to learn. And even most home users know better than to run their home network directly connected to the internet instead of behind a consumer router like AVM's Fritzbox devices.
 
It's a reminder for users to tell them, that although PVE is available free of cost, its development needs to be funded somehow and that running without subscription won't get support.

The lowest tier subscription does not even provide any support. It is a strange argument to make that Proxmox is dependent on these $10 a month subscriptions and at the same time that PVE is designed for professionals and thus needs not to care for their own users.

To remind users that in the end somebody needs to pay the bills is not evil but just business as usual.

To keep the popup there permanently and:

1) knowing that lots of users will be applying dubious patches; and
2) virtue signalling of the product being free license; and
3) keeping the possibility to re-license contribution provided for free to commercial;

is in fact borderline unethical in my book. It certainly made me change my own attitude when someone asks for how to remove the popup here. Initially I used to say "it's a bit in bad taste to ask on this forum", but now I would actively discourage anyone from getting the Community tier.

Yes and this is fine in my book since best practices for Linux (or any OS) system administration apply too.

They do not, I am not at risk if I install stock Debian, sure I have no firewall, but also no services running and my SSH does ship with prohibit-password for root, at the least. Also I get a system that auto updates to secure components even if I do not touch /etc/apt/sources.list.
 
The lowest tier subscription does not even provide any support. It is a strange argument to make that Proxmox is dependent on these $10 a month subscriptions and at the same time that PVE is designed for professionals and thus needs not to care for their own users.
If I recall correctly they used to have the possibility to donate to the project. They removed it since they didn't get any donations through it so now they are sticking with their subscription options. I don't know the finances of Proxmox Server Solutions GmbH but I think it's a safe bet to assume that they (like any company not owned by a rich benefactor) need to make money to continue their business. The nag screen is as "unethical" as in several shareware which is free to distribute and use but will nag you to pay regularly.
So yes, if you want to get rid of the nag screen without dubious patches you will need to pay the lowest tier. If you don't want this (like I do) you will have to live with the nag screen or the consequences of running the software in a not-tested way (with removed nag screen). I don't see any problem with this.
To keep the popup there permanently and:

1) knowing that lots of users will be applying dubious patches; and
2) virtue signalling of the product being free license; and

The licence is free, so I don't see any "virtue signalling". If you decide today that you're fed up with developers and the community (which is your prerogative!), you can start a fork immediately and nobody can do anything about it. For me this is a strong indicator that the software is actually free software in the truest sense of the word. Obviously this is just my point of view and you (like everybody else) are free to disagree.

It certainly made me change my own attitude when someone asks for how to remove the popup here. Initially I used to say "it's a bit in bad taste to ask on this forum", but now I would actively discourage anyone from getting the Community tier.

You do this since some other weirdo from the internet without any connections to Proxmox Server Solutions GmbH (me) disagrees with you? Ok.
 
If I recall correctly they used to have the possibility to donate to the project.

And my take to a free open-source anything is to donate my time with providing contributions, usually.

The nag screen is as "unethical" as in several shareware which is free to distribute and use but will nag you to pay regularly.

I did not say the screen in and of itself, I said given the circumstances.

So yes, if you want to get rid of the nag screen without dubious patches you will need to pay the lowest tier.

No, I do the patch myself and since it got censored on this supposedly free forum, I publish it on GitHub (and I am still respectful of not including further links here). I went out of my way to make my patch not dubious, i.e. it only removes lines and everyone can see what exactly, in fact they can learn a bit of JS.

The licence is free, so I don't see any "virtue signalling".

I noticed people do not like this word. I do not see anything wrong with it. I communicate some virtues, that's what it means to me. The question is if that's all that I do or I actually follow through. There was a discussion on this in the context of the contributor agreement ... aaaand I was going to give you a link but now I see you have been party to that. So basically you know that I was called "accusing" Proxmox and "mudslinging" AGPL, which then proceeded to the point where indeed their CLA does say what I had complained about that it does.

you can start a fork immediately and nobody can do anything about it

This is true but it has nothing to do with free software in my book.

You do this since some other weirdo from the internet without any connections to Proxmox Server Solutions GmbH (me) disagrees with you?

I do this since I discovered how their CLA is phrased. It's purely that on my side.