Hacker News | sekh60's comments

What about OpenStack, or even CloudStack?

I think the main selling point for SME (with a small IT team) is that Proxmox is very easy to set up (download iso, install debian, ready to go). CloudStack seems to require a lot of work just to get it running: https://docs.cloudstack.apache.org/en/latest/quickinstallati...

Maybe I'm wrong - but where I am from, companies with less than 500 employees are like 95% of the workforce of the country. That's big enough for a small cluster (in-house/colocation), but too small for something bigger.


Yeah. The keys here are 'easy' and 'I can play with it at home first'. Let's be honest, being able to throw together a bunch of old dead boxes and put proxmox on them in a weekend is a game changer for a learning curve.

The main reason I never tried OpenStack was that the official requirements were more than I had in my home VM host, and I couldn't figure out if the hardware requirements were real or suggested.

Proxmox has very little overhead. I've since moved to Incus. There are some really decent options out there, although Incus still has some gaps in the functionality Proxmox fills out of the box.


PLEASE DON'T DOWN VOTE ME TO HELL THIS IS A DISCLAIMER I AM JUST SHARING WHAT I'VE READ I AM NOT CLAIMING THEM AS FACTS.

...ahem...

When I was researching about this a few years ago I read some really long in-depth scathing posts about OpenStack. One of them explicitly called it a childish set of glued together python scripts that fall apart very quickly when you get off the happy path.

OTOH opinions on Proxmox were very measured.


> When I was researching about this a few years ago I read some really long in-depth scathing posts about OpenStack. One of them explicitly called it a childish set of glued together python scripts that fall apart very quickly when you get off the happy path.

And according to every ex-Amazoner I've met: the core of AWS is a bunch of Perl scripts glued together.


I use VyOS instead of OpenWRT, but I'd presume OpenWRT can mirror a port? It'd be better to do it on your switch of course. But you could mirror your traffic going across the LAN-WAN barrier and direct it to a Security Onion install, it's an open-source IDS. It has pretty heavy demands, but traffic analysis is not an easy, computationally cheap task.

Consumer vendors for routers/firewall combos are trash, but I think they'd go a long way in helping people by having an easy to turn on IoT vlan.

Matter devices run without internet access (at least this is the whole point of the spec, some manufacturers have fewer features without using the cloud based app, but to be Matter certified it must run locally to some extent), so blocking the vlan should be okay with a lot of IoT devices.

Random dodgy streamer box does need internet access though, so I think at best having a vlan (probably one just for it sadly) that doesn't have access to the rest of your internal network would be the only realistic solution. Still won't help prevent it from using your connection as part of a botnet though. It's a hard problem.

Unfortunately users are very averse to learning anything about how their devices work, so I don't have any idea what can be done about the problem.

Maybe we have to rely on the state going after sellers of such pre-compromised devices? I'd say hold the users somewhat liable, maybe a small fine, when they are part of a botnet, and waive them when it's a "legit brand" that gets compromised outside of the user's control? Pressure would need to be done on "legit" consumer manufacturers to actually provide security updates to somewhat older devices and not abandon them the minute the latest model is released.


> Unfortunately users are very averse to learning anything about how their devices work, so I don't have any idea what can be done about the problem.

They are.

But there's precedent: Manufacturers spent years shipping consumer routers that worked out-of-the-box with default wide-open networks with SSIDs like "NETGEAR" or "linksys," which was gloriously insecure.

Some folks were sure back then that this could never change, but it has changed. These days, such devices are generally reasonably secure by default.

It can presumably change for Matter and IoT, too.

(Except the rabbit hole is kind of interesting, because... The usual method of setting up a Matter device means scanning a QR code with a pocket supercomputer to begin the process of connecting the Matter device to whatever wifi network it is that the pocket supercomputer is currently using.

And this does work for getting a Matter device online, but it doesn't allow for easy separation of network roles.

So the routers will need to change, and the Matter setup process will also need to change. Shouldn't take more than another decade or two for both things to get accomplished, I suppose.)


Matter-over-thread can be added typically without any WAN connection. Just need the QR code. And in a recent revision to the spec they added provisioning via NFC, which will be great since some devices have easy to lose QR codes.

Matter-over-anything can typically be added without any WAN connection.

Shoutout to Mikrotik for being the only consumer vendor with good router/firewall combos. I recommend getting one if you're comfortable doing a bit of work to set up a secure home network.

My AP has a default "guest" ssid/vlan that has a separate address block on it... I use that for untrusted devices.

It's a dedicated prosumer/commercial ap though.


Is it HPE Aruba Instant On? Great APs.

EnGenius EWS377AP WiFi 6 4x4... Been pretty good for a few years now... Considering going back to Ubiquiti for Wifi 7 at some point, but this has been good enough for my needs, and my work/personal desktops are all wired 10/2.5gb so no real issues practically.

It doesn't reach as far outside of my home as my older Ubiquiti AP seemed to reach though... I could get almost a block away before my phone would drop when driving. Now it cuts out in the driveway... and less than halfway into the back yard... single AP on middle of second floor ceiling. Had considered additional unit for back yard coverage.


So run Gentoo, like I do. You get flexibility using USE flags to compile which component you want to include in a package.


I have a Framework Ryzen AI 300 series. Had the screen flickering after a kernel update several weeks ago. Fix was to add "amdgpu.dcdebugmask=0x2" to the grub kernel cmdline. Running Fedora 43, fully up to date as of yesterday. I sadly can't find the official forum thread about it. Hope it helps though.


The license makes it very different philosophically.


Which is what makes Linux kernel stand out, as we can see by Sony and Apple contributions upstream.

Had BSD not been busy with AT&T lawsuit, all major UNIXes would probably still be around, consuming whatever was produced out of BSD like the networking code and OS IPC improvements over AT&T UNIX.

Instead sponsoring Linux kernel became the plan B, as means to reduce their UNIX development costs.

> Commercial use began when Dell and IBM, followed by Hewlett-Packard, started offering Linux support to escape Microsoft's monopoly in the desktop operating system market

-- https://en.wikipedia.org/wiki/Linux

> 1998: Many major companies such as IBM, Compaq and Oracle announce their support for Linux.

-- https://en.wikipedia.org/wiki/History_of_Linux

Ironically the major contributor to many GNU/Linux critical components, Red Hat, is now an IBM subsidiary, recouping that investment beyond doing only AIX.

It is no accident that, of all the FOSS OSes that came after Linux, none has adopted the GPL, as big corporations would rather not be obliged by it.


Of course big corporations would rather not be obliged by the GPL. But my feeling is that, if we give them the option to grab the code without contributing back their improvements, they would just do that. In the long run, this risks harming the OSS community, as developers would feel like big corps are being leeches and profiting out of their work without giving anything back.

After all, the GPL forces you to contribute back only if you modify and distribute a modified version of the software (the AGPL modified this point, to account for cloud services). A corporation that isn't modifying GPL'd code or isn't redistributing the modified binaries, doesn't incur any additional burden for using software distributed under the GPL.


It is no accident that Google has removed everything GPL out of Android, falling short of the Linux kernel, and they haven't done the final step with Fuchsia/Zircon mostly due to what appears to be internal politics.


It is good for Google, not Android users.


Gentoo is a Linux rolling release built from source (just recently they gave the option of using binary packages as well). I've run it on my desktop for years.


You mean the *NIXes that via their license hold dev freedom (and corporate freedom without the forced source publication) over user freedom (the purpose of the GPL)?


The Amazon Lens was pretty bad ethically.


> Canonical is vastly better than Microsoft.

However Canonical apologised, and removed it.

Microsoft doubled down, adding more adverts.


CLOUD Act.

