Virtualmin 6 beta available for testing

Howdy all,

I’ve been banging on the installer and the new virtualmin config-system command, along with some other bits and pieces for the Virtualmin 6 installation process, and I think it’s ready to be called beta. It is, I believe, feature complete now, though some of those features might not work right off the bat.

Changes since the alpha release a week or whatever ago:

• Firewalld is now enabled on systems that support it (e.g. any system with systemd). It falls back to iptables for older non-systemd systems (I think firewalld needs d-bus, and there is no implementation of d-bus without systemd, as far as a I know, so firewalld only works on systemd systems). The iptables fall-back is completely untested. I’m testing on new distros first because those should be what 95%+ of users are installing (you should only install an older system if you’re recovering from a disaster and want to come back up on the same distro and version), and it doesn’t actually do much at the moment. The firewalld setup includes a basic firewall with all of the necessary ports for virtual hosting, and everything else blocked.
• Fail2ban is now enabled and configured with a sensible set of defaults for a Virtualmin system. This includes watching the Webmin log, sshd, some mail related logs, and responding appropriately with firewalld rules (or iptables rules). Again, untested on older distros at this time.

Debian 9 support is underway but isn’t in this release…but, will likely follow in a day or two. Edit: Debian 9 should be mostly functional. Problem reports welcome.

As always, don’t run the installer on a production Virtualmin system. This isn’t an upgrade tool; if you’ve got a Virtualmin system and you’re staying on top of updates, you’re already running a version of Virtualmin and Webmin that has most of these features available (they just aren’t setup by default), as we have rolled Webmin 1.844 and Virtualmin 5.99 (the beta of 6.0) out to all repos including the current repos. Once Virtualmin 6 goes gold and I’m confident it’s working correctly, I’ll roll the virtualmin config-system command out for the old repos, so you can configure the new features in a mostly automatic, and mostly safe, way.

Problems should be expected; so don’t use this new installer if you have to have a Virtualmin server in production in 20 minutes. We support a ridiculous array of distributions and they can be installed in a huge variety of configurations, and my ability to test them all is highly limited by time. So. I welcome feedback. If you try it and it breaks, file a ticket, or just chime in here on this thread.

Also, I’m now welcoming reports about old versions of our supported distros (CentOS 6, Debian 7, and Ubuntu 14.04), so if you want to try it on those, I welcome feedback…but, expect more troubles. I haven’t even tried them yet, though I’ve written code that should accommodate them now (it automatically should use iptables instead of firewalld, and also deal gracefully with not having systemd).

Finally, I bet 32 bit distros are missing packages, so it’s probably not worth trying on those yet, until I have time to go through and insure all packages are in the 32 bit repos.

Let me know what breaks!

Here’s the link to the current beta Virtualmin 6 install script: http://software.virtualmin.com/gpl/scripts/vm6-install.sh

Here’s some github links for the various components of the installer if you find yourself wanting to work on new stuff:

These are the tools the shell script uses to actually perform the installation and configuration. vm6-install.sh sets up package repositories, installs the yum groups or the metapackages, and then uses Virtualmin-Config to perform the initial configuration steps, like turning on services, making service configuration changes, etc.

Virtualmin-Config: a post-modern post-installation configuration tool

virtualmin-yum-groups: Package groups for CentOS and Fedora

virtualmin-lamp-stack-deb: Metapackage for the LAMP stack on Debian

virtualmin-lamp-stack-ubu: Metapackage for the LAMP stack on Ubuntu

virtualmin-core-deb: Metapackage for the Virtualmin core packages on Debian and Ubuntu

Cheers,

Joe

What will happen in situations like mine where all Centos 7 are using iptables instead of filewalld?

What will happen with new installations on Centos 7 if i dont want to use firewalld?

The installation still wants to run on a freshly installed OS; which, if it’s CentOS 7, is gonna have firewalld after install (unless you do a minimal install of the OS).

But, nothing else would change…you’d just configure it to not start firewalld and start iptables instead and remove the fail2ban-firewalld package, if you want to use fail2ban with iptables. So, you’d do the same things you’d do without Virtualmin on the system, but you’d do it after Virtualmin is installed. You could use the virtualmin config-system --include firewall command to setup the iptables firewall once you’ve disabled firewalld and turned it off.

The other option would be a semi-automated install, which is a (mostly untested and undocumented) feature of the new installer. You can pick and choose what bits of the install process you want to use.

We’re not forcing you to use any feature. But, a firewall was a very frequently requested feature, so we did a bunch fo research, testing, etc. and settled on firewalld as the best compromise of features, compatibility across our supported distros, existing Webmin support, popularity, etc. But, we don’t care what firewall you use. The Webmin module for iptables will stick around indefinitely (until a few years after nftables comes along and replaces it in common usage).

If firewalld is available, that’s what the installer sets up. We’re not really making a recommendation; you can use whatever you like. But, the default will be to install firewalld, configure it to be mostly closed by default, and to open up the ports Virtualmin and the services it manages need. It’s in there because people wanted a firewall. Firewalld was a good balance of features, ease of use (kinda), good Webmin support (again, kinda, but we’re improving it for VM6), good support in fail2ban, and it has the bonus of being kinda future-proof, as the filter backend can evolve to suit whatever kernel it runs on.

Fail2ban is orthogonal to the firewall. It gets setup regardless of whether your system has iptables or firewalld. Fail2ban isn’t a firewall, it’s a log analysis tool that adds firewall rules (or performs other actions) based on log activity. It can work with firewalld or iptables.

Bollocks. If you are not forcing anything then why we have to deal with unwanted software and only after Virtualmin installation we can remove/disable to install something else? Why not leaving both to be set after Virtualmin installation? The only one who is using firewalld are (mostly) people new to server management. I rarely see any “old school” person switching from iptables to firewalld.

Can we have this option to be set AFTER Virtualmin installation?

It’s not clear to me where you want reports of problems -
I never could get the alpha installer to work.
I now cannot get the beta installer to work - a stock centos 7 system does this:

CentOS/RHEL Linux 6 and 7 on x86_64
Debian 7 and 8 on i386 and amd64
Ubuntu 14.04 LTS and 16.04 LTS, on i386 and amd64

Bollocks right back at ya.

Here’s another thing I said in that same comment:

“The other option would be a semi-automated install, which is a (mostly untested and undocumented) feature of the new installer. You can pick and choose what bits of the install process you want to use.”

The new installer is flexible as hell. I just haven’t finished documenting it or making it easy to use. You can pick and choose any options you want; as I mentioned, there’s a command for making changes to iptables firewalls, too.

The default is a firewalld firewall for all the reasons I mentioned. You can pick and choose anything else you want. If you can find something more flexible than Virtualmin on this front, I’ll eat my hat (I don’t have a hat…I’ll eat a figurative hat).

This works for reporting problems. Ticket tracker works too.

Can you post the last few lines of /root/virtualmin-install.log? I’d like to know what packages are failing.

That’s actually really close to success, and it’s probably just a missing package. Is this a 32-bit or 64-bit system?

64 bit — it’s perl(Term::Spinner::Color) that’s apparently missing:

Marking ‘Virtualmin Core’ for install: Success.
Spin pid is: 20462
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
warning: /var/cache/yum/x86_64/7/epel/packages/clamav-0.99.2-1.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for clamav-0.99.2-1.el7.x86_64.rpm is not installed
Importing GPG key 0x352C64E5:
Userid : “Fedora EPEL (7) epel@fedoraproject.org”
Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
Package : epel-release-7-9.noarch (installed)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Installing dependencies and system packages: Success.
Spin pid is: 21146
Error: Package: virtualmin-config-6.0.0-4.el7.centos.noarch (virtualmin-universal)
Requires: perl(Term::Spinner::Color)
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
Installing Virtualmin and all related packages: [2017-06-25 18:54:12 CDT] [ERROR] Failed with error: 1
[2017-06-25 18:54:12 CDT] [ERROR] Fatal Error Occurred: Installation failed: 0
Spin pid is: 21196
warning: /etc/yum.repos.d/virtualmin.repo saved as /etc/yum.repos.d/virtualmin.repo.rpmsave
Removing virtualmin-release: Success.
[2017-06-25 18:54:13 CDT] [ERROR] Removing temporary directory and files.
[2017-06-25 18:54:13 CDT] [ERROR] If you are unsure of what went wrong, you may wish to review the log
[2017-06-25 18:54:13 CDT] [ERROR] in /root/virtualmin-install.log


Dang. I was sure I’d added that package! Should be fixed now for real. Thanks for the heads up!

Soo — something has happened to the posts about the new VIrtualmin 6 stuff - Joe’s initial posts are all missing, and there are just comments - which makes it impossible to retrieve where the links are. Is this intentional to stop people from testing or ???

Not intentional at all. I have no idea what happened there. Two posts have been deleted. That’s really strange.

The link is the same as the previous VM6 announcement: http://software.virtualmin.com/gpl/scripts/vm6-install.sh

I’m gonna look through the logs and see if I can figure out where the heck the original post went.

Weirdly, the content is still in the database, it just isn’t displaying. I have no idea why.

I did a Drupal update a couple days ago…I wonder if it’s somehow related.

Fixed! I have no idea why this changed, and I have no idea why only a handful of posts were effected. But, I found errors about the PHP option always_populate_raw_post_data in the logs, so I disabled that option, and now everything’s back to normal.

Drupal is such a damned mystery sometimes.

Tell me about it, since about 98% of my practice here is Drupal work.
By the way, I DID successfully do an install with the script yesterday - there were a few nits. I’ll post real issues about them when I get a chance. Mostly I was surprised that firewalld was not set up when finished so I could not access port 10000 . After I got that fixed things started working better.

Did you happen to upgrade to PHP 7 ? That was deprecated in 5.6 and removed in 7 -

hey @Joe,
any new ETA on the debian 9 intergration to the installer ?

Yep, I saw the firewalld bug in my own testing. For anyone else that runs into it, you can re-do the firewalld step manually after install with:

# virtualmin config-system --include Firewalld

That’ll complain a bit about some existing rules (also fixed in the next version), but will set up firewalld correctly. It’ll be fixed tomorrow when I have time to roll out a new version.

I’d planned to wrap it up today, but we had a server crash which took most of my day (getting back online wasn’t too long, but I also spent some time setting up a mirror and getting it working with the license server).

server crash sucks, but glad to hear… i have a machines ready to test it just waiting for you hehe