Re: Running open source 'unix' services via MacPorts on macOS is no longer feasible for me

2022-11-29 Thread Eric Borisch
I'll echo this; FreeBSD is a fantastic operating system for servers. The
FreeBSD ports system should feel familiar in concept, if different in
execution, to MacPorts users. (Jordan Hubbard was involved in the creation
of both projects.) They likewise have pre-compiled (with default options)
binaries available via 'pkg install ...' or you can go in and adjust (but
will then need to locally build) to customize things; this is done via
'make config' in the desired port's directory, rather than via '+opt1-opt1'
from MacPorts.

But ZFS and boot environments are the absolute bee's knees. The ability to
easily roll back to an earlier installation (from a boot loader menu if
needed, too!) makes running a server a much less stressful exercise. And ZFS
as a file system / storage management tool is such a game-changer; it's a
shame Apple decided to go a different way.

I still use MacOS for desktop and $DAYJOB work, but FreeBSD is certainly
worth a look for servers / systems storing important data if you're tired
of fighting the constant shifts (in security restrictions, especially)
between versions of MacOS.
  - Eric

On Tue, Nov 29, 2022 at 8:03 AM Marius Schamschula wrote:

> After the demise of Mac OS X Server I migrated all server duties to
> FreeBSD.
>
> Currently I’m running FreeBSD 13.1 on three machines: a Dell tower box
> with 8 drive bays at home (apache 2.4, php, mysql and ownCloud), a
> virtualized server at work (nginx, php and mysql), and a 2009 Mac Pro at
> work (for testing updates before applying them to the production machines).
>
> Bonus: zfs with the data redundancy I once used Drobos for.
>
> On Nov 29, 2022, at 5:54 AM, Gerben Wierda via macports-users <
> macports-users@lists.macports.org> wrote:
>
> Over the last years, it has become harder and harder to run Unix services
> on my Macs. I'm using MacPorts for these since the demise of macOS Server
> and they include
>
> - a mail server (dcc, apache-solr8, clamav-server, rspamd, dovecot,
>   postfix)
> - a name server (nsd, unbound)
> - a web server (nginx, minio)
>
> Before Monterey I was running Mojave and that worked very well. I skipped
> Catalina and went straight for Monterey so I would have a long period of
> 'no large migrations'.
>
> The experience has been horrible. I had to turn off the application layer
> firewall on the server for instance. I had to start some services (MinIO)
> not via launchd but by hand because they would not start properly because
> of permissions when I did (MinIO could not access a fixed mount external
> disk when started from launchd, but had no problem accessing it after
> boot). About 1 to 2 times every day, the system is totally dead, it gets
> stuck apparently because it runs out of sockets or something like that. I
> suspect this is because I am running a public mail server which gets a lot
> of connections and macOS has some sort of resource leak. After maximally
> about an hour, the system gets 'unstuck' and moves on. The 'unstuck'
> started to happen was after 12.5 to 12.5.1 (so an improvement) but it has
> the feel of Apple doing a quick and dirty fix in 12.5.1 for a resource leak
> in 12.5.
>
> Apple has been a rock solid server system for me for many years. Since
> Monterey I consider it to be extremely unreliable and not feasible as a
> server environment for unix-like services.
>
> I suspect that all of this is because Apple is moving to a new security
> mechanism, one more focused on how it is done in iOS too, where things like
> code signing, immutability of parts of the file system, etc. are taking the
> role that traditionally is done by ACL/POSIX-like permissions. Apple's new
> way of doing security is arguably stronger than the old way. But the 'old'
> way of doing things is less and less supported and certainly not a focus
> for Apple to keep operational (which is dumb because by not supporting they
> are flying blind for the kind of resource leak errors I seem to have
> encountered). So, install unbound, and after boot macOS will ask you 'do
> you want unbound to accept incoming connections?'. Yes, of course, but that
> setting doesn't stick. After every next reboot, the same happens. Run the
> same executable side by side on different ports, and ALF gets confused. So,
> not only is the old ACL/POSIX way of permissions no longer properly
> implemented, the new system is not friendly for your own compiled stuff.
>
> The setup has become so unreliable that I do not dare to upgrade my
> current server beyond macOS 12.5.1, afraid as I am that the next update
> will kill even more, rendering my production setup effectively dead.
>
> I can't update my macOS anymore for fear that it kills what I cannot work
> without.
>
> The key weak point in all of this seems to be the macOS Application Level
> Firewall which is iffy and especially iffy when it has to work with
> unsigned executables. But even when it is turned off, lots of other things
> that would normall work fine in a unix-like e

Re: Running open source 'unix' services via MacPorts on macOS is no longer feasible for me

2022-11-29 Thread Bill Cole

On 2022-11-29 at 06:54:50 UTC-0500 (Tue, 29 Nov 2022 12:54:50 +0100)
Gerben Wierda via macports-users 
is rumored to have said:

> Over the last years, it has become harder and harder to run Unix
> services on my Macs. I'm using MacPorts for these since the demise of
> macOS Server and they include
> - a mail server (dcc, apache-solr8, clamav-server, rspamd, dovecot,
>   postfix)
> - a name server (nsd, unbound)
> - a web server (nginx, minio)
> Before Monterey I was running Mojave and that worked very well. I
> skipped Catalina and went straight for Monterey so I would have a long
> period of 'no large migrations'.


A brave choice. In my opinion, Mojave is the last macOS fit to act as a 
basic Internet services host. I've used Macs since 1984 and run 
mail+web+DNS servers on my own Macs since 1994. Catalina is the least 
suitable OS in that time. Even "Classic" MacOS 9 did less to thwart 
server usage, and that was when "MacOS Server" was a product with a 
3-digit pricetag. Apple does not want people running servers on Macs. Or 
iPhones, or iPads, or Watches. They DO want to have largely the same OS 
on all 3.


> The experience has been horrible. I had to turn off the application
> layer firewall on the server for instance.


The Apple ALF is designed to protect people using their Macs in ways 
Apple approves of. It is possible to have it notionally enabled on 
Catalina and still run services, but you basically have to configure all 
real functionality off.


And with Catalina, Apple removed the fine old ipfw packet filter and 
left only a weirdly dysfunctional port of pf that they've jiggered for 
ALF in undocumented ways. It can be made useful, but only after ALF is 
disabled.


> I had to start some services (MinIO) not via launchd but by hand
> because they would not start properly because of permissions when I
> did (MinIO could not access a fixed mount external disk when started
> from launchd, but had no problem accessing it after boot).


Yes, startup and disk access has been made more arcane intentionally by 
Apple as a security measure. You cannot expect a normal-ish environment 
on modern macOS until there's a logged-in GUI user.


> About 1 to 2 times every day, the system is totally dead, it gets
> stuck apparently because it runs out of sockets or something like
> that. I suspect this is because I am running a public mail server
> which gets a lot of connections and macOS has some sort of resource
> leak. After maximally about an hour, the system gets 'unstuck' and
> moves on. The 'unstuck' started to happen was after 12.5 to 12.5.1 (so
> an improvement) but it has the feel of Apple doing a quick and dirty
> fix in 12.5.1 for a resource leak in 12.5.


Ewww. I don't have any experience with MinIO on macOS, but I have seen 
similar hangs on Catalina machines used only as personal computers that 
are *in part* due to Mach port leakage in many different programs. I 
guess I'm glad to hear that there's a fix of sorts in the latest 
version.


> Apple has been a rock solid server system for me for many years. Since
> Monterey I consider it to be extremely unreliable and not feasible as
> a server environment for unix-like services.


I have long held back on moving to new versions of macOS because it has 
been getting more hostile to my usage for some time. Not just server 
duties, but as a workstation for a sysadmin.


> I suspect that all of this is because Apple is moving to a new
> security mechanism, one more focused on how it is done in iOS too,
> where things like code signing, immutability of parts of the file
> system, etc. are taking the role that traditionally is done by
> ACL/POSIX-like permissions.


I believe that it's more about supplementation and tightening rather 
than replacement. Traditional POSIX permissions and ACLs have proven to 
be inadequate to protect macOS users from themselves.


As problematic for me has been the churn of basic services. The logging, 
service management, and scheduling subsystems of POSIX-compliant systems 
have long been problematic. It's not accidental that Apple has gone 
through 2 different bespoke init and syslog replacements and a cron 
replacement, while Linux and the BSDs have all had their own forays into 
novel approaches, e.g. systemd, OpenRC, Upstart, Dillon vs. Vixie cron, 
rsyslog, etc. Apple made some of the same basic choices as the bulk of 
the Linux world (or at least the RedHat/Canonical Cabal), and as a 
result we share breakage with the victims of systemd: lost or unusable 
logs, startup anomalies, etc.


> Apple's new way of doing security is arguably stronger than the old
> way.


No argument about it: it is MUCH stronger. The ALF is mostly functional 
and unobtrusive for most users, and prevents issues that could be a 
widespread threat were it not a default part of the OS. As it is, those 
of us who disable it are beneficiaries of its existence because there's 
a whole class of malware behaviors that malware authors don't bother 
trying.


> But the 'old' way of doing thi

Re: Running open source 'unix' services via MacPorts on macOS is no longer feasible for me

2022-11-29 Thread David Herron
Docker is your solution.

And, if macOS is so untenable that Docker is not acceptable to you, there
are VM technologies you can use, or you can easily use MiniPC's running
Linux.

MiniPC's like the Intel NUC I have are the same idea as the Mac Mini, but
much much better implemented, and trivially easy to maintain and use.

+ David Herron


On Tue, Nov 29, 2022 at 3:55 AM Gerben Wierda via macports-users <
macports-users@lists.macports.org> wrote:

> Over the last years, it has become harder and harder to run Unix services
> on my Macs. I'm using MacPorts for these since the demise of macOS Server
> and they include
>
> - a mail server (dcc, apache-solr8, clamav-server, rspamd, dovecot,
>   postfix)
> - a name server (nsd, unbound)
> - a web server (nginx, minio)
>
> Before Monterey I was running Mojave and that worked very well. I skipped
> Catalina and went straight for Monterey so I would have a long period of
> 'no large migrations'.
>
> The experience has been horrible. I had to turn off the application layer
> firewall on the server for instance. I had to start some services (MinIO)
> not via launchd but by hand because they would not start properly because
> of permissions when I did (MinIO could not access a fixed mount external
> disk when started from launchd, but had no problem accessing it after
> boot). About 1 to 2 times every day, the system is totally dead, it gets
> stuck apparently because it runs out of sockets or something like that. I
> suspect this is because I am running a public mail server which gets a lot
> of connections and macOS has some sort of resource leak. After maximally
> about an hour, the system gets 'unstuck' and moves on. The 'unstuck'
> started to happen was after 12.5 to 12.5.1 (so an improvement) but it has
> the feel of Apple doing a quick and dirty fix in 12.5.1 for a resource leak
> in 12.5.
>
> Apple has been a rock solid server system for me for many years. Since
> Monterey I consider it to be extremely unreliable and not feasible as a
> server environment for unix-like services.
>
> I suspect that all of this is because Apple is moving to a new security
> mechanism, one more focused on how it is done in iOS too, where things like
> code signing, immutability of parts of the file system, etc. are taking the
> role that traditionally is done by ACL/POSIX-like permissions. Apple's new
> way of doing security is arguably stronger than the old way. But the 'old'
> way of doing things is less and less supported and certainly not a focus
> for Apple to keep operational (which is dumb because by not supporting they
> are flying blind for the kind of resource leak errors I seem to have
> encountered). So, install unbound, and after boot macOS will ask you 'do
> you want unbound to accept incoming connections?'. Yes, of course, but that
> setting doesn't stick. After every next reboot, the same happens. Run the
> same executable side by side on different ports, and ALF gets confused. So,
> not only is the old ACL/POSIX way of permissions no longer properly
> implemented, the new system is not friendly for your own compiled stuff.
>
> The setup has become so unreliable that I do not dare to upgrade my
> current server beyond macOS 12.5.1, afraid as I am that the next update
> will kill even more, rendering my production setup effectively dead.
>
> I can't update my macOS anymore for fear that it kills what I cannot work
> without.
>
> The key weak point in all of this seems to be the macOS Application Level
> Firewall which is iffy and especially iffy when it has to work with
> unsigned executables. But even when it is turned off, lots of other things
> that would normally work fine in a unix-like environment stop working,
> especially when you want to do 'server-like' stuff that requires open
> ports and sockets and such.
>
> Sadly, this means that running a 'macOS Server substitute using MacPorts'
> is no longer feasible for me. I have started to move to a Linux setup and I
> hope my 'macOS Server' (which I have been running since its start in some
> way or another, and OPENSTEP/NeXTSTEP before that) survives until I have
> that working properly.
>
> Apple turns macOS into a purely consumer appliance, it seems. That is
> their good right, but they also starve attention to the old unixy-way of
> things, leading to weak (certainly not robust) implementations of the
> unix-side. And that might be the eventual death of MacPorts unless it goes
> full in on Apple's new security model, signing and all. And for the time
> being, Apple's own suggestion to move to open source variants of the macOS
> Server stuff they abandoned, is not to be taken seriously as they also are
> not serious about the foundation those open source elements need.
>
> Gerben Wierda (LinkedIn )
> R&A IT Strategy  (main site)
> Book: Chess and the Art of Enterprise Architecture
> 
> Book: Mastering ArchiM

Re: Running open source 'unix' services via MacPorts on macOS is no longer feasible for me

2022-11-29 Thread Marius Schamschula
After the demise of Mac OS X Server I migrated all server duties to FreeBSD.

Currently I’m running FreeBSD 13.1 on three machines: a Dell tower box with 8 
drive bays at home (apache 2.4, php, mysql and ownCloud), a virtualized server 
at work (nginx, php and mysql), and a 2009 Mac Pro at work (for testing updates 
before applying them to the production machines).

Bonus: zfs with the data redundancy I once used Drobos for.

> On Nov 29, 2022, at 5:54 AM, Gerben Wierda via macports-users 
>  wrote:
> 
> Over the last years, it has become harder and harder to run Unix services on 
> my Macs. I'm using MacPorts for these since the demise of macOS Server and 
> they include
> a mail server (dcc, apache-solr8, clamav-server, rspamd, dovecot, postfix)
> a name server (nsd, unbound)
> a web server (nginx, minio)
> Before Monterey I was running Mojave and that worked very well. I skipped 
> Catalina and went straight for Monterey so I would have a long period of 'no 
> large migrations'.
> 
> The experience has been horrible. I had to turn off the application layer 
> firewall on the server for instance. I had to start some services (MinIO) not 
> via launchd but by hand because they would not start properly because of 
> permissions when I did (MinIO could not access a fixed mount external disk 
> when started from launchd, but had no problem accessing it after boot). About 
> 1 to 2 times every day, the system is totally dead, it gets stuck apparently 
> because it runs out of sockets or something like that. I suspect this is 
> because I am running a public mail server which gets a lot of connections and 
> macOS has some sort of resource leak. After maximally about an hour, the 
> system gets 'unstuck' and moves on. The 'unstuck' started to happen was after 
> 12.5 to 12.5.1 (so an improvement) but it has the feel of Apple doing a quick 
> and dirty fix in 12.5.1 for a resource leak in 12.5.
> 
> Apple has been a rock solid server system for me for many years. Since 
> Monterey I consider it to be extremely unreliable and not feasible as a 
> server environment for unix-like services.
> 
> I suspect that all of this is because Apple is moving to a new security 
> mechanism, one more focused on how it is done in iOS too, where things like 
> code signing, immutability of parts of the file system, etc. are taking the 
> role that traditionally is done by ACL/POSIX-like permissions. Apple's new 
> way of doing security is arguably stronger than the old way. But the 'old' 
> way of doing things is less and less supported and certainly not a focus for 
> Apple to keep operational (which is dumb because by not supporting they are 
> flying blind for the kind of resource leak errors I seem to have 
> encountered). So, install unbound, and after boot macOS will ask you 'do you 
> want unbound to accept incoming connections?'. Yes, of course, but that 
> setting doesn't stick. After every next reboot, the same happens. Run the 
> same executable side by side on different ports, and ALF gets confused. So, 
> not only is the old ACL/POSIX way of permissions no longer properly 
> implemented, the new system is not friendly for your own compiled stuff.
> 
> The setup has become so unreliable that I do not dare to upgrade my current 
> server beyond macOS 12.5.1, afraid as I am that the next update will kill 
> even more, rendering my production setup effectively dead. 
> 
> I can't update my macOS anymore for fear that it kills what I cannot work 
> without.
> 
> The key weak point in all of this seems to be the macOS Application Level 
> Firewall which is iffy and especially iffy when it has to work with unsigned 
> executables. But even when it is turned off, lots of other things that would 
> normally work fine in a unix-like environment stop working, especially when 
> you want to do 'server-like' stuff that requires open ports and sockets and 
> such.
> 
> Sadly, this means that running a 'macOS Server substitute using MacPorts' is 
> no longer feasible for me. I have started to move to a Linux setup and I hope 
> my 'macOS Server' (which I have been running since its start in some way or 
> another, and OPENSTEP/NeXTSTEP before that) survives until I have that 
> working properly.
> 
> Apple turns macOS into a purely consumer appliance, it seems. That is their 
> good right, but they also starve attention to the old unixy-way of things, 
> leading to weak (certainly not robust) implementations of the unix-side. And 
> that might be the eventual death of MacPorts unless it goes full in on 
> Apple's new security model, signing and all. And for the time being, Apple's 
> own suggestion to move to open source variants of the macOS Server stuff they 
> abandoned, is not to be taken seriously as they also are not serious about 
> the foundation those open source elements need.
> 
> Gerben Wierda (LinkedIn )
> R&A IT Strategy  (main site)
> Book: Chess and th

Re: Running open source 'unix' services via MacPorts on macOS is no longer feasible for me

2022-11-29 Thread chilli.names...@gmail.com
> On Nov 29, 2022, at 06:55, Gerben Wierda via macports-users 
>  wrote:
> 
> Before Monterey I was running Mojave and that worked very well. I skipped 
> Catalina and went straight for Monterey so I would have a long period of 'no 
> large migrations'.

I'm running file servers on Snow Leopard, Mountain Lion and Mojave, and I'm 
seriously considering taking the Mojave machine back to High Sierra, except 
Mojave works well and my need to compile to 32-bit hasn't yet materialized. 
Mojave does eat RAM doing nothing in a way that Mountain Lion simply doesn't, 
and I am curious about High Sierra, so the consideration remains. 

Running a mail server, presumably exposed to the Internet, I suppose you'd have 
deeper security concerns.

Maybe something changed with email that I'm not aware of like the way the Web 
keeps breaking older browsers, but if you upgraded without consideration of 
precisely which security enhancements you needed or which new features you 
could not live without, then, as it always is, we do it to ourselves. Once 
upon a time, servers were rarely, if ever, upgraded. They stayed up so long the 
new hardware and software passed them by, but they kept working, so they were 
left running. It was a dark day that macOS users began treating their systems 
like Windows, feverishly updating and upgrading production machines as soon as 
patches were available. But Windows security is scary, and the risk of updates 
and upgrades on Windows less scary than not. I don't think we're there yet with 
macOS.

But Linux has more in common with Windows than macOS. Linux's first best reason 
for existing was fixing things Microsoft broke. There was no great reason Linux 
took over the datacenter. IMO, it was fanaticism alone that caused this. And 
now Linux has become a larger target, increasing need to keep current and 
patched when facing the Internet, and jeopardizing production with every patch.

If you feel you have to leave macOS, no one would find fault (perhaps fault 
could be found choosing macOS as a server in the first place, though ;) But 
Linux is not required. I'd choose NetBSD over Linux all week long and twice on 
Sundays. FreeBSD is also fantastic, and its ports system far, far, far more 
secure than any Linux repository. If security is your concern, you should also 
consider OpenBSD. With any BSD, you can profoundly relax your update trigger 
finger and take your sweet time in consideration of why you should or should 
not upgrade, and research every angle, then wait a decade if you wish, and then 
decide.

Re: Running open source 'unix' services via MacPorts on macOS is no longer feasible for me

2022-11-29 Thread Steven Smith
FWIW, I’ve had the opposite experience: migration away from macOS Server has provided a path to configure these services to be a lot more performant and reliable than the older and stagnant macOS Server versions.

And given the reality that most/all of the mobile devices that use these services are iOS-based, it makes sense to just adapt to the latest macOS platform that can also be used to manage these devices.

All this stuff is configurable open source, and can just as easily be run on a Linux or BSD. The firewall and permissions approaches are different, especially if one uses SELinux or other locked down options. Running a server with multiple firewall layers requires troubleshooting facility with those layers on the platform. On BSD, that means pf, and on macOS it means pfctl, /usr/libexec/ApplicationFirewall/socketfilterfw if one uses the Application firewall, and some services controlled by MacPorts like clams require enabling Full Disk Access for the MacPorts process "daemondo" in System Preferences > Security & Privacy > Full Disk Access. And any default macOS configurations that affect functionality or performance can be adjusted using the basic BSD sysctl and/or /etc/sysctl.conf settings.

If an application is blocked for some reason on any platform, one has to walk back through the blockers: firewall, permissions, disk access, and figure out how to unblock them. Removing a redundant or unnecessary layer can facilitate this. For example, a macOS server running a locked-down pf firewall behind a router behind an ISP may not also need the macOS Application Firewall.

My own last step away from macOS Server is the automatically-generated PKI it provided. I swapped this out with a few bash scripts that create much faster EC-based PKI for things like an OpenVPN server, mail, and other services. Again migrating away from macOS Server using configurable open source made things better with a little elbow grease on the configuration side.

> On Nov 29, 2022, at 06:55, Gerben Wierda via macports-users wrote:
>
> Over the last years, it has become harder and harder to run Unix services on my Macs. I'm using MacPorts for these since the demise of macOS Server and they include
> - a mail server (dcc, apache-solr8, clamav-server, rspamd, dovecot, postfix)
> - a name server (nsd, unbound)
> - a web server (nginx, minio)
> Before Monterey I was running Mojave and that worked very well. I skipped Catalina and went straight for Monterey so I would have a long period of 'no large migrations'.
>
> The experience has been horrible. I had to turn off the application layer firewall on the server for instance. I had to start some services (MinIO) not via launchd but by hand because they would not start properly because of permissions when I did (MinIO could not access a fixed mount external disk when started from launchd, but had no problem accessing it after boot). About 1 to 2 times every day, the system is totally dead, it gets stuck apparently because it runs out of sockets or something like that. I suspect this is because I am running a public mail server which gets a lot of connections and macOS has some sort of resource leak. After maximally about an hour, the system gets 'unstuck' and moves on. The 'unstuck' started to happen was after 12.5 to 12.5.1 (so an improvement) but it has the feel of Apple doing a quick and dirty fix in 12.5.1 for a resource leak in 12.5.
>
> Apple has been a rock solid server system for me for many years. Since Monterey I consider it to be extremely unreliable and not feasible as a server environment for unix-like services.
>
> I suspect that all of this is because Apple is moving to a new security mechanism, one more focused on how it is done in iOS too, where things like code signing, immutability of parts of the file system, etc. are taking the role that traditionally is done by ACL/POSIX-like permissions. Apple's new way of doing security is arguably stronger than the old way. But the 'old' way of doing things is less and less supported and certainly not a focus for Apple to keep operational (which is dumb because by not supporting they are flying blind for the kind of resource leak errors I seem to have encountered). So, install unbound, and after boot macOS will ask you 'do you want unbound to accept incoming connections?'. Yes, of course, but that setting doesn't stick. After every next reboot, the same happens. Run the same executable side by side on different ports, and ALF gets confused. So, not only is the old ACL/POSIX way of permissions no longer properly implemented, the new system is not friendly for your own compiled stuff.
>
> The setup has become so unreliable that I do not dare to upgrade my current server beyond macOS 12.5.1, afraid as I am that the next update will kill even more, rendering my production setup effectively dead.
>
> I can't update my macOS anymore for fear that it kills what I cannot work without.
>
> The key weak point in all of this seems to be the macOS Application Level Firewall which is iffy and especially iffy w

Running open source 'unix' services via MacPorts on macOS is no longer feasible for me

2022-11-29 Thread Gerben Wierda via macports-users
Over the last years, it has become harder and harder to run Unix services on my 
Macs. I'm using MacPorts for these since the demise of macOS Server and they 
include
- a mail server (dcc, apache-solr8, clamav-server, rspamd, dovecot, postfix)
- a name server (nsd, unbound)
- a web server (nginx, minio)

Before Monterey I was running Mojave and that worked very well. I skipped 
Catalina and went straight for Monterey so I would have a long period of 'no 
large migrations'.

The experience has been horrible. I had to turn off the application layer 
firewall on the server for instance. I had to start some services (MinIO) not 
via launchd but by hand because they would not start properly because of 
permissions when I did (MinIO could not access a fixed mount external disk when 
started from launchd, but had no problem accessing it after boot). About 1 to 2 
times every day, the system is totally dead, it gets stuck apparently because 
it runs out of sockets or something like that. I suspect this is because I am 
running a public mail server which gets a lot of connections and macOS has some 
sort of resource leak. After maximally about an hour, the system gets 'unstuck' 
and moves on. The 'unstuck' started to happen was after 12.5 to 12.5.1 (so an 
improvement) but it has the feel of Apple doing a quick and dirty fix in 12.5.1 
for a resource leak in 12.5.

Apple has been a rock solid server system for me for many years. Since Monterey 
I consider it to be extremely unreliable and not feasible as a server 
environment for unix-like services.

I suspect that all of this is because Apple is moving to a new security 
mechanism, one more focused on how it is done in iOS too, where things like 
code signing, immutability of parts of the file system, etc. are taking the 
role that traditionally is done by ACL/POSIX-like permissions. Apple's new way 
of doing security is arguably stronger than the old way. But the 'old' way of 
doing things is less and less supported and certainly not a focus for Apple to 
keep operational (which is dumb because by not supporting they are flying blind 
for the kind of resource leak errors I seem to have encountered). So, install 
unbound, and after boot macOS will ask you 'do you want unbound to accept 
incoming connections?'. Yes, of course, but that setting doesn't stick. After 
every next reboot, the same happens. Run the same executable side by side on 
different ports, and ALF gets confused. So, not only is the old ACL/POSIX way 
of permissions no longer properly implemented, the new system is not friendly 
for your own compiled stuff.

The setup has become so unreliable that I do not dare to upgrade my current 
server beyond macOS 12.5.1, afraid as I am that the next update will kill even 
more, rendering my production setup effectively dead. 

I can't update my macOS anymore for fear that it kills what I cannot work 
without.

The key weak point in all of this seems to be the macOS Application Level 
Firewall which is iffy and especially iffy when it has to work with unsigned 
executables. But even when it is turned off, lots of other things that would 
normally work fine in a unix-like environment stop working, especially when you 
want to do 'server-like' stuff that requires open ports and sockets and such.

Sadly, this means that running a 'macOS Server substitute using MacPorts' is no 
longer feasible for me. I have started to move to a Linux setup and I hope my 
'macOS Server' (which I have been running since its start in some way or 
another, and OPENSTEP/NeXTSTEP before that) survives until I have that working 
properly.

Apple turns macOS into a purely consumer appliance, it seems. That is their 
good right, but they also starve attention to the old unixy-way of things, 
leading to weak (certainly not robust) implementations of the unix-side. And 
that might be the eventual death of MacPorts unless it goes full in on Apple's 
new security model, signing and all. And for the time being, Apple's own 
suggestion to move to open source variants of the macOS Server stuff they 
abandoned, is not to be taken seriously as they also are not serious about the 
foundation those open source elements need.

Gerben Wierda (LinkedIn )
R&A IT Strategy  (main site)
Book: Chess and the Art of Enterprise Architecture 
Book: Mastering ArchiMate