
Question Strategic questions

Christian_Heutger

Basic Pleskian
Server operating system version
Almalinux
Plesk version and microupdate number
18
Hi,

I did not get an answer anywhere yet. Plesk official contact could not help (it's license support only), always got recommended on using support, but that's no support issue, Feedback seems to be unread, comments on support pages as well (although they are now scrollable again on Safari, which I reported as well).

My questions are about some strategic (I believe so) questions:
1. What is the new "preferred" operating system? To be honest, it always looked like, that Plesk is supporting one OS more than the other. Recently that was CentOS, ending now on 7, now (regarding the banners here in the forum and the script) it seems to be AlmaLinux 8?
2. So next question is, why not AlmaLinux 9? Why isn't it fully supported yet? Moving from CentOS 7 to AlmaLinux 8, which is end of feature support (not end of life, but only security support) is a bit stupid. Sure, with CentOS new way and taking the full time of support, there is a version jump right now, but to stay longest time with a long time supported OS (also by features, not only security) CentOS 7 to AlmaLinux 9 is the more intelligent way, however impossible because of limited support. AlmaLinux 9 however is already out for a while, so why is development taking so long to fully support?
3. Also why is the only operating system supported for ARM architectures Ubuntu, which is on one hand as well an older version on the other hand not the recent preferred "scheme" (recently it were RPM-based operating systems) and also has many limitations? AlmaLinux is available for ARM as well, in version 8 as well as in version 9?
4. Going back to limitations, what is about Watchdog? Is this a still supported extension? There is no data available on the updates of the extension to have an idea on how good it is maintained. It's always listed on limitation lists.
5. Watchdog also comes with PHP-FPM services check, which doesn't work as PHP-FPM isn't implemented any more the way, it worked, that was back in the beginning times of CentOS 7. So is this an issue of being unsupported?
6. Also rkhunter being shipped with Watchdog doesn't work out of the box. That's as well no support issue, if you know, what happens on the system itself and be able to check posts here on how to adjust rkhunter configuration to get it running without warnings. However, default as well looks like being unsupported for some time. Also shipping a very old version, older than the latest, which is already old as well, looks like neither rkhunter itself nor Watchdog extension is actively supported any more. So what's the decision on that?
7. Last but not least, Plesk has some strange behaviors itself: Installing extensions without user interaction (although explicitly disabled on custom installation, they are installed a day after), on the other hand features like Performance Booster are gone from day to day after. Also that's no support issue, I can blacklist, I can activate the feature again via shell, however, it's not nice, that Plesk is changing itself without activation, notice or user interaction.
8. Also recommendations are "wrong". Enabling (on AlmaLinux it's less worse than it was on CentOS recently) to auto install updates from repository only, which has been used before, broke my installation recently as CentOS moved packages from repository to repository (extras, updates, ...). AlmaLinux seems to have more clear and less repositories, however, I also already saw updates, which may have been skipped and also may have broken my system in future. So disabling the feature is the safer configuration option than enabling.
9. Also missing the recent option to be a late adopter of new features

Regards
Christian
 
Hi Christian, sorry to read that your questions haven't been answered when asked earlier.

I'd be happy to answer your questions. Please allow me some time to gather all information from the relevant teams.
 
Hi,

I did not get an answer anywhere yet. Plesk official contact could not help (it's license support only), always got recommended on using support, but that's no support issue, Feedback seems to be unread, comments on support pages as well (although they are now scrollable again on Safari, which I reported as well).
Thank you for bringing this to our attention Christian, I’ve raised this internally.

My questions are about some strategic (I believe so) questions:
1. What is the new "preferred" operating system? To be honest, it always looked like, that Plesk is supporting one OS more than the other. Recently that was CentOS, ending now on 7, now (regarding the banners here in the forum and the script) it seems to be AlmaLinux 8?
There is no preferred operating system for Plesk. The choice is all yours.

OS support for Plesk is demand driven. CentOS has always been very popular with our customers and partners. Which has been a solid distro for many years. However the OS landscape is dynamic (and always has been). Ubuntu for example has risen significantly in popularity over the past couple of years. Currently it’s about 50/50 when it comes to the user base of RHEL-based and Debian-based operating systems for Plesk. We do our best to provide the best experience with Plesk no matter the operating system.

2. So next question is, why not AlmaLinux 9? Why isn't it fully supported yet? Moving from CentOS 7 to AlmaLinux 8, which is end of feature support (not end of life, but only security support) is a bit stupid. Sure, with CentOS new way and taking the full time of support, there is a version jump right now, but to stay longest time with a long time supported OS (also by features, not only security) CentOS 7 to AlmaLinux 9 is the more intelligent way, however impossible because of limited support. AlmaLinux 9 however is already out for a while, so why is development taking so long to fully support?
AlmaLinux 8 is a logical and solid replacement for CentOS 7 with an almost perfect feature pairing. AlmaLinux 9 is stable and fully production ready, however a direct upgrade from CentOS 7 to AlmaLinux 9 would have been very difficult. It would likely involve an intermediate upgrade to AlmaLinux 8 anyway. While there are some technical limitations for AlmaLinux 9, those are mostly related to 3rd party products/vendors. These limitations are not unique to AlmaLinux 9, nearly the same limitations exist for the newest Ubuntu releases. We are working on bridging these gaps where we can (Docker support for example is on our roadmap).

3. Also why is the only operating system supported for ARM architectures Ubuntu, which is on one hand as well an older version on the other hand not the recent preferred "scheme" (recently it were RPM-based operating systems) and also has many limitations? AlmaLinux is available for ARM as well, in version 8 as well as in version 9?
We started ARM as an experiment to gauge demand. At the time we started working on this Ubuntu was the first major distro who prepared their OS for full ARM support. Which is why we picked Ubuntu (along with the fact that Ubuntu has a growing user base among Plesk users). So far the ARM edition of Ubuntu has not gained much popularity among Plesk users. We might consider supporting more operating systems on ARM in the future if demand grows.

4. Going back to limitations, what is about Watchdog? Is this a still supported extension? There is no data available on the updates of the extension to have an idea on how good it is maintained. It's always listed on limitation lists.
We’re actually in the process of gathering feedback about the use of Watchdog to determine where to go next with this extension. The current iteration of Watchdog has pretty much reached end of life. But is still supported on a number of OSes (Alma 8 for example).

The monitoring aspect of Watchdog is based on monit version 4.3 which does not support TLS version 1.2 used by modern OSes. Upgrading to a newer version of monit would require an almost complete rewrite of the Watchdog extensions as much of the syntax of monit has significantly changed. Another challenge is that monit switched to a different license model for redistribution. All in all upgrading Watchdog in its current form is pretty difficult.

Since the incarnation of the Watchdog component many years ago other extensions have become available which offer some of the same features. For example the built-in Grafana based monitoring extension and Plesk 360 cloud monitoring used for server resources monitoring. Creating some overlap with the Watchdog functionality in this regard.

What do you appreciate most about the Watchdog component?

5. Watchdog also comes with PHP-FPM services check, which doesn't work as PHP-FPM isn't implemented any more the way, it worked, that was back in the beginning times of CentOS 7. So is this an issue of being unsupported?
If I am not mistaken this is down to the way PHP-FPM workers are used in Plesk Obsidian. Which differs from the way this was done in Plesk Onyx.

6. Also rkhunter being shipped with Watchdog doesn't work out of the box. That's as well no support issue, if you know, what happens on the system itself and be able to check posts here on how to adjust rkhunter configuration to get it running without warnings. However, default as well looks like being unsupported for some time. Also shipping a very old version, older than the latest, which is already old as well, looks like neither rkhunter itself nor Watchdog extension is actively supported any more. So what's the decision on that?
As you already mentioned the rkhunter project itself seems to have stagnated and hasn't received any updates for almost 6 years. While there is no exact replacement, there are other (security and antivirus) extensions available in our extension catalog. Which currently do a much better job in most cases compared to rkhunter. So we feel there is some overlap here too, making the rkhunter aspect of Watchdog less relevant for most users.

If you have any suggestions for a rkhunter replacement, let us know.

7. Last but not least, Plesk has some strange behaviors itself: Installing extensions without user interaction (although explicitly disabled on custom installation, they are installed a day after), on the other hand features like Performance Booster are gone from day to day after. Also that's no support issue, I can blacklist, I can activate the feature again via shell, however, it's not nice, that Plesk is changing itself without activation, notice or user interaction.
A lot of users appreciate the new features we release and enable. The difficulty however with feature rollouts is that different users need different things. Often users aren't aware that some extensions exist and it's difficult to make them aware of these things. Which is why we add them to the default extension stack.

I am not sure about the issue you mention regarding the Performance Booster. The extension is being rolled out gradually, so some users might see this extension on their server while others might not (yet). The rollout is still ongoing, which we hope to finish between September and November 2024. However once the extension has been installed it should stay available on the server. (We’ve issued no action to remove the extension once installed).

8. Also recommendations are "wrong". Enabling (on AlmaLinux it's less worse than it was on CentOS recently) to auto install updates from repository only, which has been used before, broke my installation recently as CentOS moved packages from repository to repository (extras, updates, ...). AlmaLinux seems to have more clear and less repositories, however, I also already saw updates, which may have been skipped and also may have broken my system in future. So disabling the feature is the safer configuration option than enabling.
I am not sure if I fully understand what you mean here. Can you elaborate further on this?

9. Also missing the recent option to be a late adopter of new features
Can you share why you are missing the tiered release cycle with the late adopter option?
 
What do you appreciate most about the Watchdog component?

I use the service monitoring, disk space monitoring as well as the rkhunter feature. So for disk space I can currently also use an external agent based service, maybe it could also monitor services, however, I didn't see any similar extension, Grafana only looks as showing resources in a graphical way, Plesk 360 is somehow like UniFi UI cloud console or sth. similar, I don't want a centralized management of my instance for security reasons. The monitoring agent is only an agent gathering information, however, it's only limited free (Hetrixtools). rkhunter also would be fine then a free alternative, however, the database seems to be updated still on AlmaLinux 8.

If you have any suggestions for a rkhunter replacement, let us know.

I have no replacement which is free. For sure, there are many security tools out there, e.g. Tripwire, however, that's no replacement, which may be somehow the same as rkhunter. I believe by shipping the newest version and adjusted conf files, it would be a good starting point.

A lot of users appreciate the new features we release and enable. The difficulty however with feature rollouts is that different users need different things. Often users aren't aware that some extensions exist and it's difficult to make them aware of these things. Which is why we add them to the default extension stack.

So maybe have an option therefor like installing upgrades to install extensions on suggestion (or not).

I am not sure about the issue you mention regarding the Performance Booster. The extension is being rolled out gradually, so some users might see this extension on their server while others might not (yet). The rollout is still ongoing, which we hope to finish between September and November 2024. However once the extension has been installed it should stay available on the server. (We’ve issued no action to remove the extension once installed).

But that's exactly what happened. It has been enabled with a fresh Plesk installation and meanwhile extensions not selected in custom installation, Performance Booster was gone from one day to another. I could activate via the Plesk configuration file setting, but it was a strange behavior.

I am not sure if I fully understand what you mean here. Can you elaborate further on this?

On OS update/upgrade settings you recommend to set the setting, that updates should only be installed from the repo, the origin package has been installed from. I did that in the past with CentOS and it broke my installation. Once I changed, that worked. However, meanwhile CentOS rotated many packages like from base to updates or extra. AlmaLinux is more "clean", however, Plesk OS update message already had listed packages been updated from another repo and it still worked. So your recommendation had the completely opposite result in the past. It wasn't more secure (and stable), it broke my installation.

Can you share why you are missing the tiered release cycle with the late adopter option?

I liked not to be an early adopter but a late adopter so others could run in bugs and issues and once the Plesk upgrade got installed on my server, it was somehow stable (although a bit later than for others). This feature was available in Onyx and is missing in Obsidian.

Sorry for late response, didn't recognize your response. Notify didn't work.
 
Thank you for your suggestions and feedback Christian. We will add your Watchdog related suggestions to our current Watchdog research.

But that's exactly what happened. It has been enabled with a fresh Plesk installation and meanwhile extensions not selected in custom installation, Performance Booster was gone from one day to another. I could activate via the Plesk configuration file setting, but it was a strange behavior.
That's odd. I am not sure what could have caused this.

On OS update/upgrade settings you recommend to set the setting, that updates should only be installed from the repo, the origin package has been installed from. I did that in the past with CentOS and it broke my installation. Once I changed, that worked. However, meanwhile CentOS rotated many packages like from base to updates or extra. AlmaLinux is more "clean", however, Plesk OS update message already had listed packages been updated from another repo and it still worked. So your recommendation had the completely opposite result in the past. It wasn't more secure (and stable), it broke my installation.
I am not sure which recommendation you're referring to and without knowing all details it's hard for me to comment on this particular issue. Nonetheless I am really sorry to read that your server got affected. In general for cases like these I recommend to either open a support ticket with our support team for an investigation or (if it looks like the issue is reproducible) submit a bug report here on the forum.

I liked not to be an early adopter but a late adopter so others could run in bugs and issues and once the Plesk upgrade got installed on my server, it was somehow stable (although a bit later than for others). This feature was available in Onyx and is missing in Obsidian.
We've switched to a different release cycle with Plesk Obsidian necessitating a different release tier system. There actually is a suggestion to bring back the late adopter tier on our UserVoice page, which you can vote for if you like:
 
That's odd. I am not sure what could have caused this.

I'm honest, sometimes I'm a bit paranoid and try to get the best out of an installation, so I created a new system about 10 times and each time this happened.

I am not sure which recommendation you're referring to and without knowing all details it's hard for me to comment on this particular issue. Nonetheless I am really sorry to read that your server got affected. In general for cases like these I recommend to either open a support ticket with our support team for an investigation or (if it looks like the issue is reproducible) submit a bug report here on the forum.

"We recommend using safe updates if you are not an advanced user. Arbitrary updates of system packages from different repositories can negatively affect the functionality of your server." is the recommendation in your panel itself. Issue happened with CentOS 5 or 6 a long time ago, since that I recreated the server and always disabled this setting resulting in no more issues. You may refer to Sergey Kalmikov, I reported to him that time ago.

We've switched to a different release cycle with Plesk Obsidian necessitating a different release tier system. There actually is a suggestion to bring back the late adopter tier on our UserVoice page, which you can vote for if you like:

OK, will vote for that.
 
I'm honest, sometimes I'm a bit paranoid and try to get the best out of an installation, so I created a new system about 10 times and each time this happened.
That's understandable, you want your server(s) to function as best as possible. This sounds like the type of situation on which I could lose my mind too :)

My recommendation in case you ever encounter this behavior again would be to open a ticket with our technical support team for an investigation. Or post a detailed bug report here on the forum to help us reproduce the issue so we can forward it to our engineers for further analysis.

"We recommend using safe updates if you are not an advanced user. Arbitrary updates of system packages from different repositories can negatively affect the functionality of your server." is the recommendation in your panel itself. Issue happened with CentOS 5 or 6 a long time ago, since that I recreated the server and always disabled this setting resulting in no more issues. You may refer to Sergey Kalmikov, I reported to him that time ago.
I understand what you are referring to now. I am not sure what would have caused your server to break. That would require an investigation of the server itself. All I can say is that, in general, it's recommended to use the "safe updates for system packages" option (which is enabled by default on Plesk Obsidian). In cases where a server is configured with different (or alternative) system repositories this can cause issues. I am not saying that this has been the case for you, but it's the most common issue related to the safe updates.
 
I understand what you are referring to now. I am not sure what would have caused your server to break. That would require an investigation of the server itself. All I can say is that, in general, it's recommended to use the "safe updates for system packages" option (which is enabled by default on Plesk Obsidian). In cases where a server is configured with different (or alternative) system repositories this can cause issues. I am not saying that this has been the case for you, but it's the most common issue related to the safe updates.

It was breaking, because updates required packages, which have not been "allowed" to be updated. As mentioned AlmaLinux seems to be more "clean" here as recently already CentOS itself moved packages from I believe it was base to updates or extras or sth. similar, however, I recently saw on upgrade reports upgrades as well, which were "cross-repository" although I didn't add any repositories by myself, so only added repositories came from Plesk (it was also about Plesk feature packages). Also usual yum updates wouldn't care of the package repository, so I believe, the behavior of the setting is more away from the "typical" setting than disabling it.
 
It was breaking, because updates required packages, which have not been "allowed" to be updated. As mentioned AlmaLinux seems to be more "clean" here as recently already CentOS itself moved packages from I believe it was base to updates or extras or sth. similar, however, I recently saw on upgrade reports upgrades as well, which were "cross-repository" although I didn't add any repositories by myself, so only added repositories came from Plesk (it was also about Plesk feature packages). Also usual yum updates wouldn't care of the package repository, so I believe, the behavior of the setting is more away from the "typical" setting than disabling it.

Just as a followup, I believe the „safe“ setting just can break configurations. If updating anything, although coming from another repository, the path is always getting newer versions, so if a repository isn’t supported well, it will keep an old version. However, once an update being provided, it’s usually backward-compatible, so although any depending library is outdated, it may still work, also it may be able to use a newer version of libraries from another repository but not vice versa. I remember, the old CentOS with this setting got broken because of having once packages moving from repository to repository because of reorganization on CentOS level as mentioned before like from OS to extra or upgrades as well as because of broken dependencies, as the feature seemed not to work on whole installation path level but on package level, so it allowed the main package to update but not the libraries to do so and once, a newer version is required and available in any repository but is then prevented from being installed, this would break configuration. At that time I was required to use as a minimum EPEL repository because of using packages, which aren’t available at CentOS.
 
I understand what you are referring to now. I am not sure what would have caused your server to break. That would require an investigation of the server itself. All I can say is that, in general, it's recommended to use the "safe updates for system packages" option (which is enabled by default on Plesk Obsidian). In cases where a server is configured with different (or alternative) system repositories this can cause issues. I am not saying that this has been the case for you, but it's the most common issue related to the safe updates.
I think I'm seeing something similar here ... this morning at 6:26, Plesk updated itself to 18.0.63mu3.
Just a minute later, I got a Package Update Manager notification for 108 packages, some of them skipping several versions (e.g. "libc-bin 2.31-13+deb11u10 from Debian-Security for oldstable-security by Debian repo (currently installed version: 2.31-13+deb11u5 from Debian for oldstable-updates by Debian repo)" and "libapache2-mod-php7.4 7.4.33-1+deb11u5 from Debian-Security for oldstable-security by Debian repo (currently installed version: 7.4.33-1+deb11u3 from now repo)"). I suspect the reason was the repo change from now / stable to oldstable, and oldstable-updates to oldstable-security, which obviously wouldn't go well with repo pinning.

This is a very serious security problem as it means that this debian11 did not get essential security updates for months until someone finally fixed the repository configuration in this mu.
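
The check described in the last post can be run mechanically over a Package Update Manager notification. The following is an added example, not part of the original thread and not Plesk code: it parses entries and flags packages whose source repository changed or whose Debian update revision jumps by more than one. The entry format is inferred from the two lines quoted in that post; the third sample line, the function names and the `max_jump` threshold are assumptions made for illustration.

```python
import re

# One notification entry, in the format of the two lines quoted in the post:
#   <pkg> <new version> from <repo> repo (currently installed version: <ver> from <repo> repo)
ENTRY_RE = re.compile(
    r"(?P<name>\S+) (?P<new_ver>\S+) from (?P<new_repo>.+?) repo "
    r"\(currently installed version: (?P<cur_ver>\S+) from (?P<cur_repo>.+?) repo\)"
)
# Debian stable-update suffix, e.g. "+deb11u10" -> release 11, revision 10.
DEB_REV_RE = re.compile(r"^(?P<base>.+)\+deb(?P<rel>\d+)u(?P<rev>\d+)$")

# The first two entries are quoted from the post; the third is constructed for contrast.
SAMPLE = """\
libc-bin 2.31-13+deb11u10 from Debian-Security for oldstable-security by Debian repo (currently installed version: 2.31-13+deb11u5 from Debian for oldstable-updates by Debian repo)
libapache2-mod-php7.4 7.4.33-1+deb11u5 from Debian-Security for oldstable-security by Debian repo (currently installed version: 7.4.33-1+deb11u3 from now repo)
examplepkg 1.0-1+deb11u2 from Debian for oldstable by Debian repo (currently installed version: 1.0-1+deb11u1 from Debian for oldstable by Debian repo)
"""


def revision_jump(cur_ver, new_ver):
    """Return how many +debNuM revisions separate two versions of the same
    upstream build, or None when the versions are not comparable that way."""
    cur, new = DEB_REV_RE.match(cur_ver), DEB_REV_RE.match(new_ver)
    if not cur or not new:
        return None
    if (cur["base"], cur["rel"]) != (new["base"], new["rel"]):
        return None
    return int(new["rev"]) - int(cur["rev"])


def audit(text, max_jump=1):
    """Parse every entry in a notification and mark the suspicious ones.

    An entry is flagged when the candidate comes from a different repository
    than the installed version, or when more than max_jump revisions were
    skipped (a sign that updates were held back for some time)."""
    findings = []
    for m in ENTRY_RE.finditer(text):
        jump = revision_jump(m["cur_ver"], m["new_ver"])
        repo_changed = m["cur_repo"] != m["new_repo"]
        findings.append({
            "package": m["name"],
            "installed_repo": m["cur_repo"],
            "candidate_repo": m["new_repo"],
            "repo_changed": repo_changed,
            "from_security": "security" in m["new_repo"].lower(),
            "revision_jump": jump,
            "flagged": repo_changed or (jump is not None and jump > max_jump),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        if f["flagged"]:
            print(f"{f['package']}: {f['installed_repo']!r} -> "
                  f"{f['candidate_repo']!r}, revisions skipped: {f['revision_jump']}")
```
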
 