Educational Content

You are spot on, and lots of people forget it's also putting one's reputation on the line. Imagine you pass on this and that piece of information from a wiki page (which changes as the wind blows), only for that to be found defective.

Ok, I guess universities and providers of professional training operate differently then. I'm quite sure my university teachers never really cared about whether their professional reputation was put at risk by not using anything official, since they didn't even use any official slides or logos at all most of the time. Except maybe on the first slide, which explained that e.g. Java was first developed by Sun and is now owned by Oracle. The only official logos I saw in every damn lecture were the logos of the university and its institutes. Another explanation might be a cultural difference between Germany (where I live) and other parts of the world.


Consider one more thing: Proxmox are a rather boutique company. If they started to become very popular, a big player would offer something that the majority shareholder would not be able to reject, and there goes your "alternative", so maybe everyone here should be happy they are not punching above their weight, in this sense.

That Proxmox would benefit in the long term from an "education tier" is a no-brainer, I agree. But as far as I know, right now they are busy enough dealing with the new demand from potential customers and partners due to the Broadcom situation.
And for professional training providers they have their partner program. I can understand that they hesitate to share their material for partners with non-partnered institutions.
Concerning the ticket you brought up: As far as I can see, there was a quick reaction by the developers, who discussed the issue and thought about potential solutions. I can understand that you are not satisfied with this result, but "We don't think this is a problem in the real world" is different from not reacting (which was the way your description here was phrased). How is this different from other vendors who declare a customer's wish "out of scope/won't fix" etc.?
 
I'm quite sure my university teachers never really cared about whether their professional reputation was put at risk by not using anything official, since they didn't even use any official slides or logos at all most of the time.

Could you get away with wikipedia citation in your thesis?

That Proxmox would benefit in the long term from an "education tier" is a no-brainer, I agree. But as far as I know, right now they are busy enough dealing with the new demand from potential customers and partners due to the Broadcom situation.

That's a good problem to have.

Concerning the ticket you brought up: As far as I can see, there was a quick reaction by the developers, who discussed the issue and thought about potential solutions. I can understand that you are not satisfied with this result, but "We don't think this is a problem in the real world" is different from not reacting (which was the way your description here was phrased). How is this different from other vendors who declare a customer's wish "out of scope/won't fix" etc.?

The part I was getting at was the no-security-bulletin situation, basically. I only put it in the context of your explanation of why you are not migrating. If you find this a contentious topic, much less controversial is the lack of 24/7 support from the vendor directly. These things matter.

NB: If you meant "not reacting" as in being silent, that concerned the AGPL/Contributing thread.

EDIT: On second thought, it's also kind of telling that asking for a security announcement (mechanism) is met with no more updates.

Imagine your CTO is used to the likes of: https://confluence.atlassian.com/security/security-bulletin-october-15-2024-1442910972.html

With Proxmox products, securing your business looks like this:

https://forum.proxmox.com/threads/cve-2023-0330.124195/

https://forum.proxmox.com/threads/is-this-cve-2023-43320-vulnerability-fixed-in-8-2-1.153795/

Running systemd-analyze security also won't make you cheer much.
 
Could you get away with wikipedia citation in your thesis?

Of course not, but a thesis is a different case than a lecture. A more appropriate comparison would be a laboratory as part of a bigger module.
I had this for databases (a lecture on modelling and running relational databases and a lab for learning real-world modelling software and SQL). Of course some forum thread or Wikipedia wouldn't have got me a good score. But for example configuring the used relational database system's cache to a certain threshold of available system RAM and explaining "I did this because the official manual recommended setting this threshold to 20% of system RAM" would have been fine. The notes of the actual lecture (if they contained something fitting) or saying "The prof. recommended it in the lecture for these kinds of setups" would have been ok too. We didn't have virtualization in the curriculum at that time (which shows my age I guess ;) ), but it wouldn't have been different in the modus operandi, just another person with a CS PhD as lecturer.

That's the reason why I suspect that the issue is mainly a cultural conflict (between the US and Europe, or between academic and more vocational-training-oriented approaches, or both).

The part I was getting at was the no-security-bulletin situation, basically. I only put it in the context of your explanation of why you are not migrating. If you find this a contentious topic, much less controversial is the lack of 24/7 support from the vendor directly. These things matter.

NB: If you meant "not reacting" as in being silent, that concerned the AGPL/Contributing thread.

EDIT: On second thought, it's also kind of telling that asking for a security announcement (mechanism) is met with no more updates.

Imagine your CTO is used to the likes of: https://confluence.atlassian.com/security/security-bulletin-october-15-2024-1442910972.html

With Proxmox products, securing your business looks like this:

https://forum.proxmox.com/threads/cve-2023-0330.124195/

https://forum.proxmox.com/threads/is-this-cve-2023-43320-vulnerability-fixed-in-8-2-1.153795/

Running systemd-analyze security also won't make you cheer much.

Well, I'm not really a big fan of CVE metrics per se, but even with them: this wouldn't be the main issue. With the same reasoning, the whole use of Linux could be argued against due to the flood of CVEs since the kernel developers are allowed to issue them.
Concerning Atlassian: If I understood your Bugzilla ticket correctly, the Proxmox developers don't want to support EOL systems. I'm quite sure Atlassian is no different, although my coworker who is responsible for running our Jira/Confluence has paid time off today, so I can't ask him for confirmation.
systemd-analyze security is a metric. It's quite a useful metric (since it shows how much the sandboxing options of systemd are utilized by a certain service), but not more and not less. And I think it's logical that a hypervisor which works with system stuff can't limit its use of things like cgroups, networking etc. without breaking its own function. So the findings will always need to be seen in their context, like with every metric. For example, while the CVE list for Proxmox might be rather small (since it only includes stuff made by Proxmox Server Solutions), the lists for Debian (system upstream) and Ubuntu (kernel upstream) are a lot larger. Does this mean that Proxmox VE is more or less secure than its upstream? And in today's state of the world most companies will have a CVE scanning platform running, whose findings will need to be interpreted.
I agree that the lack of 24/7 support options actually is imho the biggest issue why enterprises won't adopt PVE. This is something I fully understand: of course C-level wants to have some kind of insurance that if SHTF the vendor has to take the responsibility instead of in-house IT or C-level themselves. This however is not a technical issue and will (at least) become better if the partner network gets bigger.
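Both posts above treat the systemd-analyze security exposure score as a number that needs context rather than a verdict. As an added example (not code from this thread, from Proxmox, or from systemd), here is a small POSIX shell script that makes that metric checkable: it parses the overall exposure score from the tool's output and flags units whose score is at or above a threshold of your choosing. The threshold of 7.0, the unit names and the sample output line are assumptions made here for illustration, not values taken from the thread; the parsing can be exercised offline, while audit_units needs a host with systemd.

```shell
#!/bin/sh
# Added example: turn "systemd-analyze security" output into a threshold check.
# Nothing here is Proxmox or systemd project code.

# Print only the numeric score from the summary line, e.g.
# "→ Overall exposure level for sshd.service: 9.6 UNSAFE" -> "9.6"
# Reads the command's stdout on stdin; prints nothing if the line is absent.
exposure_score() {
    sed -n 's/.*Overall exposure level for [^:]*: \([0-9][0-9]*\.[0-9]\).*/\1/p' | head -n 1
}

# classify_score SCORE [THRESHOLD]: prints "review" when SCORE >= THRESHOLD
# (default 7.0, an assumed policy value), otherwise "ok".
# awk does the decimal comparison, since sh arithmetic is integer-only.
classify_score() {
    score="$1"
    threshold="${2:-7.0}"
    if awk -v s="$score" -v t="$threshold" 'BEGIN { exit !(s + 0 >= t + 0) }'; then
        echo review
    else
        echo ok
    fi
}

# audit_units UNIT...: run the analyzer per unit and report score and verdict.
# Requires systemd; units that cannot be analyzed are reported, not skipped silently.
audit_units() {
    for u in "$@"; do
        s=$(systemd-analyze security --no-pager "$u" 2>/dev/null | exposure_score)
        if [ -z "$s" ]; then
            echo "$u: no result (unit missing, or no systemd on this host)"
            continue
        fi
        printf '%s: %s (%s)\n' "$u" "$s" "$(classify_score "$s" "${THRESHOLD:-7.0}")"
    done
}

# Usage: THRESHOLD=7.0 sh audit.sh pveproxy.service pvedaemon.service sshd.service
# (unit names are assumptions; pass whatever runs on your host)
if [ $# -gt 0 ]; then
    audit_units "$@"
fi
```

The score only measures which sandboxing directives a unit sets, so a "review" result is a prompt to read the per-directive table the tool prints and decide what the service can actually afford, not a finding by itself.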
 
Of course not, but a thesis is a different case than a lecture.

PVE uses it in the technical docs; I have never seen it before.

Well, I'm not really a big fan of CVE metrics per se

I did not mean specifically marking it as per CVE, because ...

If I understood your Bugzilla ticket correctly, the Proxmox developers don't want to support EOL systems.

Not at all, it's the attitude (towards the current last post) of basically fixing things (so considering it important enough) while not bothering to let anyone running the (current) system know what they are running. Atlassian (not my favourite, I just had it open at the moment) is not ashamed of publishing bugs.

And I think it's logical that a hypervisor which works with system stuff can't limit its use of things like cgroups, networking etc. without breaking its own function.

That's not the issue; the issue is that e.g. the said BZ makes a statement on how users having 8006 open are beyond help anyway (which was not the point of the BZ to begin with), but it is nowhere in the documentation and apparently is not going to be. Yes, it is obvious to me that something where everything runs as root had better be on its own VLAN, but then it's also obvious to me that one has to ship a firewall with a failure mode of "DROP everything", nothing else passes. I understand I might not be the most popular BZ filer, but there's just no excuse for the approach to fixing anything security-related that was exhibited in that thread.

Does this mean that Proxmox VE is more or less secure than its upstream?

I will intentionally go a bit further now: as there was once the saying "no one ever got fired for buying [fill in]", procuring PVE in many of those supposed target organisations may get you fired as it is today. This is not because anyone ever ships software free of bugs; it is how they are approached.

Everything above was me pointing towards this as a counterpoint to what you mentioned about your organisation only lacking features in PVE.

I agree that the lack of 24/7 support options actually is imho the biggest issue why enterprises won't adopt PVE. This is something I fully understand: of course C-level wants to have some kind of insurance that if SHTF the vendor has to take the responsibility instead of in-house IT or C-level themselves. This however is not a technical issue and will (at least) become better if the partner network gets bigger.

But you can't virtually ask people to work for free (the OP) on behalf of other organisations.

Just in case it sounded like I am somehow here to rile anyone up: I really have no stakes in this game, but my point basically is that the other always-mentioned products are not competing with PVE (I know for supporters this might be hard to accept); there are others that quite viably do. And if one day it started to, it would be bought out, because that's just how the world works.
 
No, you would not; the quality is not there, the culture is not there, the guarantees are not there, and no CTO that was used to that level can tolerate e.g.: https://bugzilla.proxmox.com/show_bug.cgi?id=5759
VMware does not even have a firewall, and has a LOT of other problems that CTOs can't tolerate either, e.g. lack of proper trimming support, still using files for VMs, and snapshots being discouraged due to a performance penalty? Are we living in the 90s? Nice that they implement stuff that may be of use for Fortune 500s, yet the simple stuff is not there.
 
VMware does not even have a firewall, and has a LOT of other problems that CTOs can't tolerate either, e.g. lack of proper trimming support, still using files for VMs, and snapshots being discouraged due to a performance penalty? Are we living in the 90s? Nice that they implement stuff that may be of use for Fortune 500s, yet the simple stuff is not there.

If you noticed, I rarely quote specific other solutions; I am not on the Proxmox forum to propagate others. There are exceptions when a new user is trying really hard to make PVE work for what would obviously have been way easier with libvirt on an ordinary Linux distribution, especially when they have no idea if it's the PVE kernel that is letting them down. I also do not recommend e.g. Xen to someone browsing through THIS forum.

So I was NOT comparing to VMware.

My point above was mostly related to the business setup of Proxmox, not technicalities. I can't have a provider like that in many circumstances because of the way they run it.

If you are getting at THE firewall topic: this is THE ONE instance where I would say ... give me a firewall that works 100% of the time or do NOT give me ANY. Marketing-wise it's nice, but it should NOT be called a firewall if it's an intra-guest packet filter (that is, when it does not fail to load its rules). But there's the other thread for that if you wanted to discuss it. It seems the trend is to keep it hush instead (back to the "culture" point).

Also, that something is badly implemented elsewhere is a poor excuse to not have it properly done.
 
And if one day it started to, it would be bought out, because that's just how the world works.
That may be true for the US, yet here in Europe, and especially in the German-speaking countries, it is a little bit different. We do not have many companies that are publicly traded; most of them are privately owned, and so just buying them up does not work so easily. The highest goal for our companies is not the IPO, but to work as we like with no one able to tell us what to do (like the shareholders can in a publicly traded company).
 
That may be true for the US, yet here in Europe, and especially in the German-speaking countries, it is a little bit different. We do not have many companies that are publicly traded; most of them are privately owned, and so just buying them up does not work so easily. The highest goal for our companies is not the IPO, but to work as we like with no one able to tell us what to do (like the shareholders can in a publicly traded company).

I did not say hostile takeover (let alone IPO); I said an offer that will be hard to reject. To a private business. If you are saying no price is high enough for Martin and Dietmar (you do not want me to use the word "shareholders"), that's your opinion (which might be valid, today).
 
@LnxBil There are all the other threads on the technical topics; my point in this one, the educational-content-related one, was that OP was essentially encouraged to do the bidding of what is a business entity, for free. Let's not forget Proxmox is a business. I am not going to be making statements like "<5 member company" or so, as if to disparage them (I have no issue with small companies*). But looking back at my GPL topic, I just cannot be persuaded to e.g. contribute to a business under a contributor license with zero remuneration (when other projects do just DCO). If I contribute under GPL somewhere I want it to stay GPL, not let a business then go on to dual-license, etc. But again, they are a business, they can do as they please.

EDIT: There's one exception though; this has not much to do with ownership structure, but with the terrible case of groupthink I have witnessed in the last couple of weeks preventing such a (small) team from working issues out rationally.

So please stop asking people to provide their most valuable thing in life - time - to a business - for free.
 