↩ FromTimeToTime that introducing docker into the mix would make the server a lot easier to manage at the root access level
It really wouldn't. It adds extra complexity and to be brutally honest, doesn't give us any benefits. We're not trying to dynamically scale our capacity, or run multiple identical copies of the same environment. The current setup gives us a much greater level of flexibility that we actually need.
↩ FromTimeToTime but it was also mentioned that the server hardware won't support docker.
It's not strictly true. The technology (OpenVZ) does as of a couple of years ago support docker, and I run docker inside some of my OpenVZ containers for very specific things that are easier to do this way. The way some things like Petro use docker doesn't play as nice though.
↩ FromTimeToTime also, i sent a few security suggestions to ryan.wild@[atlas website] 20 days ago because that was listed as a security contact in a forum thread. should i use os-security-reports instead?
It was honestly probably ignored, if it wasn't coming from a reputable e-mail address / someone I recognised and all that, it will have gone to spam.
If there are security issues that are genuine threats, os-security-reports[AT]atlas-media[dot]co[dot]uk is the e-mail to use to report those.
If they are suggestions around improving how TF handles it's security, then forum posts are the most appropriate way to do it, because TF's security is linked, but not the same as ATLAS's wider security posture. It's also worth noting that our approach to security evolves over time, and we don't generally publish the exact security lock down information for our hosts, things have changed more than a couple of times since I took over as we've evolved onto different setups and different requirements have come up.
↩ FromTimeToTime with the panel, the server, and the website in the same docker network, they could seamlessly interact, allowing for a schematic system and anything else you would want to add.
It also introduces a single point of failure for the entire network, and would require a substantial single KVM VPS to make it work properly or again, you go back to the same issues we already have, and it defeats the point. But again, with our current direction of travel I see no reason why Docker is the better choice over what we have.
↩ FromTimeToTime the panel could be behind an IP whitelist
This is really really bad security practice, and breaks both the models of zero trust networking along with NCSC Published guidance around security policy.
↩ FromTimeToTime have its own auth just to be safe
Which unfortunately introduces the exact issues I've referenced in replies to Video.
↩ FromTimeToTime the only thing is to do that we might need to abandon one or more of our providers, like OVH or Hetzner.
Given we only use a single provider (Superior-Networks), and that won't be changing, this would either be a blocker or non-issue.
↩ FromTimeToTime as an op, this is beneficial because the server would be able to restart itself unless manually stopped
It already does this with the current setup.
↩ FromTimeToTime and when bugs are reported, devs could more easily debug them in the panel.
This is exactly what we want to avoid, we have a development server for a very good reason...
↩ Telesphoreo Docker doesn't work with OpenVZ. If you go to the Superior Networks website you'll see that the vps's use OpenVZ.
I have covered this in the earlier reply on this post so won't re-hash that.
↩ Telesphoreo That's why I theorized it because I have no idea if wild is using OpenVZ or not for TF or just the Superior Networks servers.
TF is on OpenVZ and for now would have to stay there, at least for Freedom-01, I am looking to start moving VPS's over to KVM subject to there being no hick-ups, and some TF Servers like the GMOD were on KVM anyway. Freedom-01 unfortunately has a rather unpredictable world growth size and so being able to quickly and easily change the disk quotas without needing to do higher risk activities such as re-partitioning disks which can be time consuming and generally requires an outage.
↩ Telesphoreo The reason it doesn't affect other companies like OVH VPSs is because they use KVM.
Most don't actually use KVM, a lot have weird hybrids. AWS for example have used Citrix, Xen, KVM and are now running a custom hybrid. But they generally give you as a user the benefits of pure KVM.
↩ Telesphoreo The difference is that instead of a shared kernel, each instance can have their own kernel (I think?).
Yes, it's exactly this. It's also "Fully isolated" from the host machine, which has pro's / con's depending on what you're after. For TF given I run the host and the VPS's having it not fully isolated up to now has allowed us to much more effectively scale the server up.
↩ Telesphoreo Generally speaking KVM is the best way to go
For most things I do agree, I'm less confident on that being the right position for the Freedom gamemode unless we went back to regular world wipes, which is something the community really doesn't want.
Sorry this reply came later than some of the others, it was a bit more technical and I wanted to be at my PC to reply rather than trying to do it on my phone!
For those interested, Superior Networks is currently looking at moving the workloads off of OpenVZ - https://twitter.com/Wild1145/status/1431022505079316481 - It's just going through some testing at the moment to ensure that it is the right thing for what we want to do and that there isn't a better option to give us the best mix of performance, scalability and cost effective business.
