After the demise of Mac OS X Server I migrated all server duties to FreeBSD.
Currently I’m running FreeBSD 13.1 on three machines: a Dell tower box with 8 drive bays at home (apache 2.4, php, mysql and ownCloud), a virtualized server at work (nginx, php and mysql), and a 2009 Mac Pro at work (for testing updates before applying them to the production machines). Bonus: zfs with the data redundancy I once used Drobos for.

> On Nov 29, 2022, at 5:54 AM, Gerben Wierda via macports-users
> <[email protected]> wrote:
>
> Over the last years, it has become harder and harder to run Unix services on
> my Macs. I'm using MacPorts for these since the demise of macOS Server and
> they include
> a mail server (dcc, apache-solr8, clamav-server, rspamd, dovecot, postfix)
> a name server (nsd, unbound)
> a web server (nginx, minio)
> Before Monterey I was running Mojave and that worked very well. I skipped
> Catalina and went straight for Monterey so I would have a long period of 'no
> large migrations'.
>
> The experience has been horrible. I had to turn off the application layer
> firewall on the server for instance. I had to start some services (MinIO) not
> via launchd but by hand because they would not start properly because of
> permissions when I did (MinIO could not access a fixed mount external disk
> when started from launchd, but had no problem accessing it after boot). About
> 1 to 2 times every day, the system is totally dead, it gets stuck apparently
> because it runs out of sockets or something like that. I suspect this is
> because I am running a public mail server which gets a lot of connections and
> macOS has some sort of resource leak. After maximally about an hour, the
> system gets 'unstuck' and moves on. The 'unstuck' started to happen after
> 12.5 to 12.5.1 (so an improvement) but it has the feel of Apple doing a quick
> and dirty fix in 12.5.1 for a resource leak in 12.5.
>
> Apple has been a rock solid server system for me for many years. Since
> Monterey I consider it to be extremely unreliable and not feasible as a
> server environment for unix-like services.
>
> I suspect that all of this is because Apple is moving to a new security
> mechanism, one more focused on how it is done in iOS too, where things like
> code signing, immutability of parts of the file system, etc. are taking the
> role that traditionally is done by ACL/POSIX-like permissions. Apple's new
> way of doing security is arguably stronger than the old way. But the 'old'
> way of doing things is less and less supported and certainly not a focus for
> Apple to keep operational (which is dumb because by not supporting they are
> flying blind for the kind of resource leak errors I seem to have
> encountered). So, install unbound, and after boot macOS will ask you 'do you
> want unbound to accept incoming connections?'. Yes, of course, but that
> setting doesn't stick. After every next reboot, the same happens. Run the
> same executable side by side on different ports, and ALF gets confused. So,
> not only is the old ACL/POSIX way of permissions no longer properly
> implemented, the new system is not friendly for your own compiled stuff.
>
> The setup has become so unreliable that I do not dare to upgrade my current
> server beyond macOS 12.5.1, afraid as I am that the next update will kill
> even more, rendering my production setup effectively dead.
>
> I can't update my macOS anymore for fear that it kills what I cannot work
> without.
>
> The key weak point in all of this seems to be the macOS Application Level
> Firewall which is iffy and especially iffy when it has to work with unsigned
> executables. But even when it is turned off, lots of other things that would
> normally work fine in a unix-like environment stop working, especially when
> you want to do 'server-like' stuff that requires open ports and sockets and
> such.
>
> Sadly, this means that running a 'macOS Server substitute using MacPorts' is
> no longer feasible for me. I have started to move to a Linux setup and I hope
> my 'macOS Server' (which I have been running since its start in some way or
> another, and OPENSTEP/NeXTSTEP before that) survives until I have that
> working properly.
>
> Apple turns macOS into a purely consumer appliance, it seems. That is their
> good right, but they also starve attention to the old unixy-way of things,
> leading to weak (certainly not robust) implementations of the unix-side. And
> that might be the eventual death of MacPorts unless it goes full in on
> Apple's new security model, signing and all. And for the time being, Apple's
> own suggestion to move to open source variants of the macOS Server stuff they
> abandoned, is not to be taken seriously as they also are not serious about
> the foundation those open source elements need.
>
> Gerben Wierda (LinkedIn <https://www.linkedin.com/in/gerbenwierda>)
> R&A IT Strategy <https://ea.rna.nl/> (main site)
> Book: Chess and the Art of Enterprise Architecture
> <https://ea.rna.nl/the-book/>
> Book: Mastering ArchiMate <https://ea.rna.nl/the-book-edition-iii/>
>

Marius

--
Marius Schamschula
