Ubuntu Focal Benefits

Announcing: the newest Ubuntu release is now available for our “Managed Servers”.

New Ubuntu Version 20.04 LTS

On our “managed” systems we use the Ubuntu Linux long-term support (LTS) releases, in order to provide a long support cycle and uniform systems over many years.

Newly added: version “Focal” 20.04 LTS, which will receive security patches and bug fixes from Canonical until 2030.

Our managed services have undergone an extensive quality assurance process to ensure that they are ready for the new Ubuntu release.

The following new features on our managed services are available using Ubuntu 20.04 LTS:

Web Services

Apache

The widely used Apache web server is now available in version 2.4.41. TLS 1.3 support is included in Ubuntu Focal.

We provide Apache web server in these combinations:

  • Apache with PHP-FPM (7.4) (older PHP versions available on request)
  • Apache Phusion Passenger (Ruby)
  • Apache Python-WSGI

Nginx

Nginx has received many bug fixes and new features in version 1.18.0.

A short list of the new features:

  • Newly added: we provide nginx together with PHP-FPM, so that you can run your PHP applications under nginx as well
  • Support for TLS 1.3
  • When access is limited by password, the new auth_delay directive allows rate limiting of unsuccessful authentication attempts
  • The newly added directives proxy_upload_rate and proxy_download_rate control the traffic rates of the stream module

We supply nginx in the following combinations:

  • Nginx with PHP-FPM (7.4) (older PHP versions available on request)
  • Nginx with uWSGI Emperor

All bug fixes and changes in nginx version 1.18 are documented on the official site:

https://nginx.org/en/CHANGES-1.18

Varnish

Varnish plays an important role in our setups as a load balancer and cache accelerator.

News from Varnish 6.0:

  • Support for Unix domain sockets (with VCL 4.1)
  • HTTP/2 protocol code has been massively rewritten

The overall changelog of varnish version 6 is documented here:

https://varnish-cache.org/docs/6.0/whats-new/changes-6.0.html

Databases

MySQL

MySQL is supplied in version 8. A lot has changed in the codebase since version 5.7, which was used on Ubuntu Bionic.

Important information: only applications compatible with PHP 7.4 fully support MySQL 8.

Some important innovations are:

  • A new transaction-oriented Data Dictionary has been integrated
  • “Atomic DDL Statements” are now possible together with the transaction-based Data Dictionary
  • The upgrade procedure has been integrated directly into the MySQL database binaries and is no longer triggered by mysql_upgrade
  • A new “EXPLAIN ANALYZE” statement offers extended information about the execution of SELECT statements in a clear tree structure

Detailed information about all changes in MySQL 8 can be found at:

https://dev.mysql.com/doc/refman/8.0/en/mysql-nutshell.html

MariaDB

As an alternative to Oracle MySQL we offer MariaDB, version 10.3 or 10.4.

Several interesting features include:

  • A new “Stored Aggregate Functions” feature allows complex calculations to be moved into functions instead of repeatedly issuing multiple SQL statements
  • “System Versioned Tables” allow you to store the entire history of a row, from creation to modification to deletion; a very useful function for audit-relevant table contents
  • A new sql_mode called “oracle”, which supports Oracle-compatible sequences and PL/SQL blocks as well as stored routines
  • Independent of the storage engine, column compression is now available, which stores very large columns “compressed” on the file system

Detailed information about all changes can be found on the MariaDB page:

https://mariadb.com/kb/en/changes-improvements-in-mariadb-103/

PostgreSQL

PostgreSQL is provided in version 12.4 which offers many new features including:

  • B-tree index memory usage has been reduced, while read/write performance has increased
  • More powerful queries on tables with several thousand partitions
  • Multi-column most-common-value (MCV) statistics can be created via CREATE STATISTICS
  • More powerful JSON querying with the new SQL/JSON path language
  • A new kind of column, “generated columns”, whose values are computed from existing columns

If you want to know more about version 12.4, the complete release notes are available here:

https://www.postgresql.org/docs/12/release-12-4.html

MongoDB

A small selection of new features of version 3.6.8:

  • Enhanced lookup with multiple join conditions and sub-queries, supporting variable specifications and pipeline execution
  • Many new aggregation operators like arrayToObject or dateFromString

The complete release notes are available directly from MongoDB:

https://docs.mongodb.com/manual/release-notes/3.6/

Container

Podman

In the container area we offer Podman version 2.1.1 as a Docker alternative.

Podman is a “daemonless” container engine to develop, manage and run OCI containers on your Linux system. The containers run in the context of the system user www-data and are therefore completely independent of the root user.

The syntax of podman is mostly identical to Docker's, so the following bash alias can be used to run Docker commands via podman:

$ alias docker=podman

In-Memory DBs

Redis

The In-Memory Key-Value Store Redis is available in version 5.0:

  • New Stream Data Type with Consumer Groups
  • Active defragmentation (v2)
  • Many bug fixes and security updates

Memcached

Memcached has only received a minor version bump, consisting mostly of bug fixes.

Search-Engine

Elasticsearch

In version 7.6 Elasticsearch has achieved massive performance improvements in date and number sorting. If you need a newer version of Elasticsearch, we can provide it on demand.

More information about the new features in Elasticsearch can be found here: 

https://www.elastic.co/blog/elasticsearch-7-6-0-released

Security

DDoS Protection

If you are interested in a CDN, or want to protect yourself against DDoS attacks, you can benefit from our “Managed DDoS Protection” option.

WireGuard

The new Ubuntu kernel now natively supports WireGuard.

If you want WireGuard as your new VPN tunnel solution, please contact us. We are currently in the process of developing it as a managed service, and we can incorporate your input.

IPsec / OpenVPN

For secure tunnel connections to the managed server we provide strongSwan and OpenVPN in the latest versions.

Additional SFTP-Accounts

SFTP/FTP accounts with restricted folder access can be managed via ftpadmin2.

Upgrade to Focal

Are you currently using an older release and interested in an upgrade?

Please contact us for further information.

How do I select a suitable Managed Service Provider?

Managed Service Providers are indispensable service providers and partners for a large number of companies of different sizes. They deal with various issues relating to the provision and operation of IT infrastructure, applications, or cloud services. External service providers relieve their customers of many of the burdens of IT operations and management and ensure that the companies can concentrate fully on their core value creation. Finding and selecting the right Managed Service Provider is no easy task and in Switzerland, numerous providers with different service portfolios are trying to win the attention of their customers.

The following article is intended to provide you with assistance in choosing a suitable Managed Service Provider. We explain what a Managed Service Provider is, how it differs from a CSP (Cloud Service Provider), and what benefits a Managed Service Provider offers. A checklist in the form of a questionnaire provides you with important criteria to consider when selecting a Managed Service Provider.

Definition Managed Service Provider

Managed service providers have been present in the IT environment for several decades. Although their service portfolio has changed over the years, the basic tasks have remained the same: a Managed Service Provider provides its customers with precisely defined, ongoing IT services, although the nature of the services may be very different. Typical IT services of a Managed Service Provider are the operation of servers or networks, the provisioning of storage solutions, software maintenance, and more. For example, the service provider takes care of the monitoring and debugging of the IT systems. Managed Services differ from outsourcing in that they do not involve handing over the entire IT system, but only services that are precisely defined in terms of size and scope, and specific IT divisions.

Managed Service Providers offer services either directly on premises for the customer, via remote management solutions, in their own data centers or in cooperation with other providers. Due to the success of cloud computing, more and more cloud services have been added to the offerings of Managed Service Providers in recent years. In this context, the term Cloud Service Provider (CSP) has become established.

Differentiation of the Managed Service Provider from the Cloud Service Provider (CSP)

Even if the boundaries are sometimes blurred and some providers tend to call themselves Managed Service Providers or Cloud Service Providers for marketing reasons, the two types of providers can be distinguished in terms of their basic service orientation. The term Managed Service Provider should be seen as a kind of generic term. A Managed Service Provider takes care of the complete range of IT functions and services, from hardware and IT infrastructure to software and the application level. Managed cloud services are usually also part of its product portfolio. A CSP, on the other hand, specializes in managed cloud computing services. CSPs offer cloud-based services such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS) from a private or public cloud. Typically, they either operate these cloud services themselves or cooperate with one or more major cloud providers. A CSP is unlikely to take care of tasks such as troubleshooting a defective router, server, or PC at the customer’s premises. Only a Managed Service Provider covers the complete IT portfolio of on-premises, off-premises, and cloud services.

Why do you need a Managed Service Provider and what are concrete Use Cases?

Only a few small and medium-sized enterprises (SMEs) have IT know-how as one of their core competencies. In most cases, the variety of technologies, equipment, and IT solutions is very complex and goes beyond the IT knowledge of SME employees. This is completely normal – if you are not working full-time on a specialist IT topic, you will hardly be able to keep up to date with regard to technology and cybersecurity. Hardly any other industry has so many innovations and developments. 

A Managed Service Provider covers the complete portfolio of IT services, has well-trained specialists, and has the necessary experience to operate devices and applications securely and in a highly available manner. The number of possible use cases is almost unlimited. For example, a Managed Service Provider takes over the fully managed operation of virtual or dedicated servers. The customer only has to take care of the application and is relieved of all monitoring, maintenance, operation, and fault clearance tasks. The provider reacts at short notice to known security gaps, creates data backups, and carries out data recovery after faults. In addition, the provider keeps replacement hardware available and provides user support. Examples of other typical use cases for the appropriate use of a Managed Service Provider are:

  • Providing and operating a web server or a content management system for your own internet presence
  • Providing and operating a content delivery network for the fast delivery of online content
  • Operation of cloud-native applications in a managed container platform orchestrated via Kubernetes
  • Providing and maintaining storage space for legally compliant archiving of data
  • Providing security services such as firewalls, antivirus and anti-spam functions
  • Managed protection against cyber threats such as DDoS attacks
  • Providing and operating physical or virtual desktop services including user support
  • Providing and operating database services

Checklist: How do I choose a suitable Managed Service Provider?

When choosing a suitable Managed Service Provider, a few criteria should be considered. After all, the service provider is entrusted with services that are important for the operation and handling of business processes. The following checklist provides important questions that must be answered with yes when selecting a suitable Managed Service Provider:

1) Does the Managed Service Provider offer the required services and is the price right?

The service catalogs and prices of Managed Service Providers sometimes differ significantly. Every service provider offers different ranges of services and features at different prices, which sometimes makes comparisons challenging. It is therefore important to check whether the services to be transferred are included in the provider’s product portfolio. They should be flexibly adaptable to the needs of the company and correspond to the price expectations.

2) Does the Managed Service Provider have a broad, manufacturer-independent portfolio?

In addition to the scope of the services offered, the portfolio’s vendor independence is an important selection criterion. Those who only offer products from one manufacturer or cloud provider are limited in their ability to find optimal, manufacturer-neutral solutions for the individual requirements of their customers. Only vendor-independent providers, i.e. those who also provide DevOps and tailor-made solutions, are able to deliver individual solutions. 

3) Can individual Service Level Agreements (SLAs) be agreed upon?

SLAs define the exact content and scope of services. Important components are, for example, availability, fault clearance times, or responsibilities. A Managed Service Provider should offer its customers the opportunity to agree on service level agreements that are tailored to individual needs.

4) Does the size and structure fit the company?

Anyone who chooses a globally active Managed Service Provider and whose customers are mainly large corporations, should not be surprised if their medium-sized company does not receive the desired attention from the provider. The size and organizational structure of the provider should fit the size of the company.

5) Does the Managed Service Provider have sufficient know-how and experience?

“Managed Service Provider” is not a protected term. Any provider of IT services can use it. This makes it all the more important that sufficient know-how, experience, and employees are available to meet the customer’s requirements. Provider references are a good way to get an overview of experience. For example, does the provider support companies of a similar size, industry orientation, or technological requirements to your own?

6) Are the customer’s personal contacts available?

The service of a Managed Service Provider stands and falls with personal contact. Optimal is personal, holistic support in one’s own national language with fixed, local contact persons. Those who are assigned a different phone contact for each problem and first have to explain their concerns in a foreign language will definitely need more time and patience. In the ideal case, the contact person knows the customer and the services sold to them exactly and answers all questions at the first contact.

7) Is fast round-the-clock support guaranteed?

An IT failure can result in immense losses for a company. It is, therefore, all the more important that competent help is available 24×7. A Managed Service Provider can be contacted by its customers around the clock, if desired, with specialist support staff.

8) Is the security of the data guaranteed?

Critical or sensitive personal data is often entrusted to the Managed Service Provider. The customer must be able to trust the provider with regard to data protection. Important legal regulations such as the EU General Data Protection Regulation (GDPR, EU-DSGVO) and national guidelines must be observed. The service provider must be able to provide evidence, for example, of where the data is stored and how it is protected against unauthorized access. Ideally, all data and applications should remain hosted in Switzerland.

9) Is the Managed Service Provider certified?

Important quality criteria for Managed Service providers are certifications according to common IT standards and norms. These include, for example, ISO 27001 certification for the existence of an information security management system, ISO 27018 for compliance with data protection requirements within a cloud or ISAE 3402 for internal control systems (ICS). 

Conclusion

The above checklist should help you in your search for a suitable Managed Service Provider that meets your individual requirements.

The Nine cloud navigators are the right partner for many Swiss companies. 

They provide a personal contact person who takes over the entire administration, coordination and configuration for his customer. Direct contact to the engineers is a matter of course for the Nine cloud navigators. The service portfolio ranges from the physical provisioning of servers and their networking to the support of the installed software at application level. Continuous monitoring ensures proactive problem management. Suitable cloud solutions such as the Nine Managed GKE (Google Kubernetes Engine) are also available. The comprehensive cloud services enable a smooth relocation of customer workloads to the cloud. 

The Managed Services and Sales team of the Nine cloud navigators are available at any time to answer your questions about Managed Services.

Let’s have some fun with Containers on nine Managed Servers

We quite often receive requests like:

  • “Do you support Docker?”
  • “How can we run Docker on our Managed Server?”
  • “Do you offer Managed Docker?”

These requests kept growing, and unfortunately, we always had to respond:

“No, sorry! It’s not possible at the moment because Docker needs to be run as root. With such a service running as root, we would not be able to maintain our security standards. Containers are only possible on a nine Managed Google Kubernetes Cluster.”

However, starting now(!), we can respond with:

“HELL YEAH! WE CAN! :D”

Realistically, we should possibly respond a little more professionally. 😉

Nevertheless, now we can deliver you a fully daemonless and rootless container runtime called “Podman“.

You may be thinking right now: “Wait… this isn’t Docker? I wanted Docker!”

And yes, you’re right! But please, sit tight, keep reading, and I will explain everything to you. What you need to know at this point is, Podman will allow you to deploy your apps more easily, test production deployments more quickly, cut deployment times dramatically, and even allow you to run services that are not (yet) available as managed services.

Sound good? Great, then let us now dive into the more exciting part!

Podman and the difference to Docker

First of all: Podman is nearly functionally identical to Docker. Both solutions are container runtimes and they are able to use the same OCI images. Hence, even the syntax is mostly the same.
The key difference is how they handle the container stack.

Let’s take a step back and look at how Docker works, this will help us to understand what’s so unique about Podman.

Docker uses a client-server architecture. The Docker client talks to the Docker daemon, which does the heavy lifting of building, running, and distributing your Docker containers.
The Docker daemon also communicates with other daemons to manage Docker services.

This means, when you use commands such as “docker run”, the client sends these commands via API requests to dockerd (the Docker daemon), which carries them out.


Now let us compare to Podman and have a look at its architecture: 

The most significant difference is the absence of a centralized daemon. As previously mentioned, Podman is a daemonless Container Runtime, and that’s the really cool part about it!

First (and this one is huge!), containers can be run by any user, with or without root privileges.

Second, there is no more centralized daemon process. Each container is spawned as its own child process and handles requests by itself (this is called a fork/exec model).

This architecture leads to a much more robust and secure container runtime.

On Docker, if one container has a problem that affects the centralized daemon, it could affect all other containers as well. On Podman, this cannot happen.

Furthermore, running a container as root can be a serious security risk.

Depending on the image and services used, some design issues could possibly be exploited to “escape” a container and gain root privileges on the host system. Given this, it is best practice to run all containers as a non-root user.

There is one more big advantage for Podman over Docker: Podman can run containers like Docker but can also run Pods as you find on Kubernetes (Hence, the name “Podman”).

A Pod encapsulates an application’s container (or, in some cases, multiple containers), including storage resources, a unique network identity (IP address), as well as options that control how the container(s) should run.

As an example, take the diagram to the right:

Here we have a Pod that contains two containers and one volume. One container runs a web server while the other container operates a file puller application. 

The file puller extracts some files from the content manager and stores them in the shared volume. The web server accesses the files from the shared volume and delivers the files to the consumer.

Despite the three distinct internal objects, from an external point of view this is seen as just one entity, as everything runs in the same namespace and has, therefore, only one external IP.

Source: https://kubernetes.io/docs/concepts/workloads/pods/pod-overview
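The pod described above, written as a Kubernetes Pod manifest that Podman can run rootless with `podman play kube`. This is an added example and not part of nine's guide or the Podman project; the image names, the host path under the www-data home directory, the host port and the "file puller" loop (a stand-in, since the page does not name the content manager it pulls from) are assumptions.

```yaml
# Added example (not from nine's guide): a pod with a web server and a
# file puller sharing one volume, runnable rootless with
#   podman play kube web-and-puller.yaml
apiVersion: v1
kind: Pod
metadata:
  name: web-and-puller
  labels:
    app: web-and-puller
spec:
  # One shared volume: the puller writes into it, the web server reads from it.
  # hostPath is used because podman play kube in the 2.x series supports it;
  # the path is an assumed directory owned by the rootless user (www-data).
  volumes:
    - name: shared-content
      hostPath:
        path: /home/www-data/podman/shared-content
        type: DirectoryOrCreate
  containers:
    - name: web-server
      image: docker.io/library/nginx:alpine
      ports:
        # A rootless process cannot bind ports below 1024 by default,
        # so the container's port 80 is published on host port 8080.
        - containerPort: 80
          hostPort: 8080
      volumeMounts:
        # The web server only needs to read the content: mount it read-only
        # so a compromised nginx cannot tamper with what the puller delivers.
        - name: shared-content
          mountPath: /usr/share/nginx/html
          readOnly: true
    - name: file-puller
      image: docker.io/library/busybox
      # Stand-in for the "content manager" fetch (assumption): the loop
      # refreshes a static page in the shared volume every 60 seconds.
      command: ["/bin/sh", "-c"]
      args:
        - |
          while true; do
            echo "<h1>Hello from the pod</h1><p>Updated: $(date)</p>" > /content/index.html
            sleep 60
          done
      volumeMounts:
        - name: shared-content
          mountPath: /content
```

After `podman play kube web-and-puller.yaml`, `podman pod ps` lists one pod and `curl http://localhost:8080/` returns the page written by the puller; both containers share the pod's network namespace, so only the web server's port is exposed and nothing in the puller is reachable from outside. `podman pod rm -f web-and-puller` tears the whole pod down again.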

When should I use Podman?

At this point, some of you may ask: “So… is this the perfect solution for everything, or are there any downsides?”

Well, if you want to deploy a more complex infrastructure with high availability and great scalability, then you should consider using our Managed GKE (Google Kubernetes Engine).

However, for many use cases, this solution is perfect! Let’s look at a few examples:

  • Are your deployments of a new version always painful, requiring a lot of time, often with a long downtime as well?  

Well, then it’s time to run your application in a container. Simply create an image with all the needed dependencies and spin up your application in this container. When a new version is ready to deploy, just respawn the container with the new version inside it.

  • Perhaps you want to set up a new Website with as little hassle as possible. Ideally, this would be an out-of-the-box solution that just works.

Why not try the famous Ghost CMS or WordPress? There are some nice container images which provide you with all the necessary dependencies and a basic configuration. All you need to do is start a container from this image and you’re good to go.

  • Maybe you are already using Docker locally on your machine to test and develop your new application, and now you want to deploy it in your production environment.

Wouldn’t it be convenient to run it the same way on your server as you already do on your local machine? This way, you have the same versions of all your dependencies everywhere, and you can be sure that everything works as expected. With Podman on your server, you can absolutely do this with minimal effort.

  • Do you still have an old application that requires PHP 5? Podman has you covered there too!

Take an image that has the needed PHP version included, or create one yourself, and deploy your application inside the container.

Bonus: using this method you reduce the security risk of running an obsolete version, because the old PHP version is isolated from your host system.

Of course, sometimes there are still a few configurations needed here and there to be able to run your application in a container. But for a lot of mainstream applications, there are ready-to-use images already available.

  • Perhaps you are planning to migrate your application to our nine Managed GKE service? Most likely, your application will require some tweaking and refactoring to be able to run perfectly on GKE.

Good news! Podman fits perfectly for this case, it allows you to prepare your applications for a smooth move to GKE. It even uses the same Kubernetes YAML files.

The possibilities with Podman are endless and will help you in many ways.
You will 💙 it!

Why are solutions like Podman only available now?

Containers and Security are a complex topic.

The demand for a rootless container runtime from the community has been growing steadily.

Docker has been adapted to run as a non-root user; however, it was not designed for this scenario, which reduces usability and functionality. Even then, some security issues remain, and as such, this wasn’t a solution we wanted to endorse as a managed service.

Today, many different container runtimes are available, including CRI-O, LXC, rkt and containerd, to name a few of the most popular ones. As you may have noticed, none of these solutions has emerged as the clear leader. Some of them can run rootless, but none of them has yet achieved the extensive functionality or the convenience of the easy-to-use design that Docker provides.

In mid-2017, a new competitor appeared in the arena – Podman:

Podman wanted to solve the fundamental architecture problems of Docker while offering the same functionalities. Already back then, it seemed to be an interesting concept with great potential. 

This concept was proven correct over the ensuing years, and with the latest releases, Podman is now solidly established in terms of security, functionality, and stability. As a result of this maturity, we are now able to provide you Podman as one of our managed services.

On a side note: Red Hat heavily supports the Podman project. The company released Podman in RHEL 7.6 and even dropped Docker support completely starting with RHEL 8.

Get started

Did we spark your interest? Then let’s start having some fun with containers!

Our new Managed Simple Service “Podman” is available for all managed servers with Ubuntu 18.04 or newer for currently CHF 30.- per month.

Podman can be installed on your system in no time; simply write us a support ticket and we will get you “containerized”!

If you’d like, you can already have a sneak peek at it with our step-by-step guide for setting up a Ghost CMS in a Podman Pod: https://support.nine.ch/a/4a1j_NF4fOQ

We’ll provide some additional examples of use cases and how to implement them with Podman in the coming weeks.

And as always, if you have any questions about our products, just let us know. We’re happy to help!

Talk to one of our experts

Do you have any questions about our products? Either contact Sales or go directly to your cockpit to see all the possibilities at Nine.