What's coming in 7.5
-
@nebulon said in What's coming in 7.5:
I guess 3 main reasons for that:
- LDAP hands over the password to the app first (!)
- LDAP has no standardized 2fa integration
- OIDC can actually provide single-sign-on
Sure, makes sense. But what about 'don't touch if it work'? Or it's mostly due to first item - clear text password forward?
@potemkin_ai said in What's coming in 7.5:
Sure, makes sense. But what about 'don't touch if it work'? Or it's mostly due to first item - clear text password forward?
Also, the second point 2FA. OIDC also allows some really really nice "modern" looking authentication.
- For example, we can develop a mobile app which lets you login when you tap on your phone (without any password). Which LDAP can never do.
- OAuth/SSO has always been our "dream" . That's how we started and we removed it since apps were not ready for it. With OIDC (which is based off OAuth), we try this again. This time around the big difference is that upstream might be more willing to accept OIDC support/patches. We struggled with this during OAuth given the non-standard nature.
-
G girish referenced this topic on
-
@potemkin_ai said in What's coming in 7.5:
Sure, makes sense. But what about 'don't touch if it work'? Or it's mostly due to first item - clear text password forward?
Also, the second point 2FA. OIDC also allows some really really nice "modern" looking authentication.
- For example, we can develop a mobile app which lets you login when you tap on your phone (without any password). Which LDAP can never do.
- OAuth/SSO has always been our "dream" . That's how we started and we removed it since apps were not ready for it. With OIDC (which is based off OAuth), we try this again. This time around the big difference is that upstream might be more willing to accept OIDC support/patches. We struggled with this during OAuth given the non-standard nature.
-
G girish referenced this topic on
-
@girish, I noticed when using OIDC that on the authorize page there is no possibility to switch the user account. In other words: once logged in with a specific user, one is always logged in with that user, unless one manually figures out the logout endpoint for OIDC.
Would it be possible to add a logout or switch user button the the OIDC authorization page?
-
For 7.5, we just want to focus on fixing some long standing issues instead of adding new features. Also, Cloudron 7.4 added OIDC support, so we are also working on moving apps from LDAP to OIDC slowly (as long as the migration works seamlessly).
These are fairly critical and we haven't paid attention to them in a while:
- (mail) Virtual all directory in dovecot for search
- (mail) Investigate why Spam learning/filtering sometimes does not work effectively.
- (mail) SPF regression adding an extra header and leaking client IP.
- Backup integrity - store size and checksum of backups. Also provide a way to "verify" backup integrity in the remote.
- Backup/restore progress
- SSHFS/CIFS import is not working - 1 and 2
- Add optional flag for turn addon.
- Add check to indicate that Cloudron 7.6 will not support servers without AVX. This is required for MongoDB 6.0
- Upgrade Redis to 7 . This is required for Discourse
- Improve app repair workflow
@girish said in What's coming in 7.5:
For 7.5, we just want to focus on fixing some long standing issues instead of adding new features. Also, Cloudron 7.4 added OIDC support, so we are also working on moving apps from LDAP to OIDC slowly (as long as the migration works seamlessly).
These are fairly critical and we haven't paid attention to them in a while:
- (mail) Virtual all directory in dovecot for search
- (mail) Investigate why Spam learning/filtering sometimes does not work effectively.
- (mail) SPF regression adding an extra header and leaking client IP.
- Backup integrity - store size and checksum of backups. Also provide a way to "verify" backup integrity in the remote.
- Backup/restore progress
- SSHFS/CIFS import is not working - 1 and 2
- Add optional flag for turn addon.
- Add check to indicate that Cloudron 7.6 will not support servers without AVX. This is required for MongoDB 6.0
- Upgrade Redis to 7 . This is required for Discourse
- Improve app repair workflow
This ALL sounds like great and important stuff, really looking forward to this release!
(and the bit about AVX also reminds me that I need to bite the bullet and start the process moving my existing primary Cloudron which is on a Netcup VPS that doesn'st have AVX, and all my other little Cloudrons too, for that matter, onto one big Hetzner Dedicated Server - after buying it and making sure it has a healthy IP before actually making the switch, so I don't suffer from an email blackout like happened last time I moved servers)
-
Just curious, do you know if it just basic AVX that will need to be supported for 7.6, or one of the more detailed AVXs (such as AVX512, or AVX2)?Edit Nvm, for anybody who asks, it's just regular AVX as far as I can tell.Also, for everyone else, just so you know, you can check if your CPU supports it inside of /proc/cpuinfo in the flags section.
-
@girish said in What's coming in 7.5:
For 7.5, we just want to focus on fixing some long standing issues instead of adding new features. Also, Cloudron 7.4 added OIDC support, so we are also working on moving apps from LDAP to OIDC slowly (as long as the migration works seamlessly).
These are fairly critical and we haven't paid attention to them in a while:
- (mail) Virtual all directory in dovecot for search
- (mail) Investigate why Spam learning/filtering sometimes does not work effectively.
- (mail) SPF regression adding an extra header and leaking client IP.
- Backup integrity - store size and checksum of backups. Also provide a way to "verify" backup integrity in the remote.
- Backup/restore progress
- SSHFS/CIFS import is not working - 1 and 2
- Add optional flag for turn addon.
- Add check to indicate that Cloudron 7.6 will not support servers without AVX. This is required for MongoDB 6.0
- Upgrade Redis to 7 . This is required for Discourse
- Improve app repair workflow
This ALL sounds like great and important stuff, really looking forward to this release!
(and the bit about AVX also reminds me that I need to bite the bullet and start the process moving my existing primary Cloudron which is on a Netcup VPS that doesn'st have AVX, and all my other little Cloudrons too, for that matter, onto one big Hetzner Dedicated Server - after buying it and making sure it has a healthy IP before actually making the switch, so I don't suffer from an email blackout like happened last time I moved servers)
@jdaviescoates how do you check if IP is good for e-mails, before attaching a working Cloudron to it?
-
@potemkin_ai maybe these:
-
@girish said in What's coming in 7.5:
For 7.5, we just want to focus on fixing some long standing issues instead of adding new features. Also, Cloudron 7.4 added OIDC support, so we are also working on moving apps from LDAP to OIDC slowly (as long as the migration works seamlessly).
These are fairly critical and we haven't paid attention to them in a while:
- (mail) Virtual all directory in dovecot for search
- (mail) Investigate why Spam learning/filtering sometimes does not work effectively.
- (mail) SPF regression adding an extra header and leaking client IP.
- Backup integrity - store size and checksum of backups. Also provide a way to "verify" backup integrity in the remote.
- Backup/restore progress
- SSHFS/CIFS import is not working - 1 and 2
- Add optional flag for turn addon.
- Add check to indicate that Cloudron 7.6 will not support servers without AVX. This is required for MongoDB 6.0
- Upgrade Redis to 7 . This is required for Discourse
- Improve app repair workflow
This ALL sounds like great and important stuff, really looking forward to this release!
(and the bit about AVX also reminds me that I need to bite the bullet and start the process moving my existing primary Cloudron which is on a Netcup VPS that doesn'st have AVX, and all my other little Cloudrons too, for that matter, onto one big Hetzner Dedicated Server - after buying it and making sure it has a healthy IP before actually making the switch, so I don't suffer from an email blackout like happened last time I moved servers)
@jdaviescoates Where did you see Netcup does not support AVX?
-
@girish, I noticed when using OIDC that on the authorize page there is no possibility to switch the user account. In other words: once logged in with a specific user, one is always logged in with that user, unless one manually figures out the logout endpoint for OIDC.
Would it be possible to add a logout or switch user button the the OIDC authorization page?
-
@jk yes this was mentioned a few times now and will be added with the change to use oidc also for the main dashboard login
-
@nebulon said in What's coming in 7.5:
yes this was mentioned a few times now (...)
I must have missed that then. I'm glad you're aware and are changing this.
-
@girish thank you!
-
Just curious, do you know if it just basic AVX that will need to be supported for 7.6, or one of the more detailed AVXs (such as AVX512, or AVX2)?Edit Nvm, for anybody who asks, it's just regular AVX as far as I can tell.Also, for everyone else, just so you know, you can check if your CPU supports it inside of /proc/cpuinfo in the flags section.
@michaelpope said in What's coming in 7.5:
it's just regular AVX as far as I can tell.
Actually from memory I thinks it AVX2 which the issue as (I think) MongoDB now requires it
Edit: nope, my memory failed me, it is just regular AVX support that's required, it's just that those that do seem to mostly all support AVX2
See this thread https://forum.cloudron.io/post/62899
@avatar1024 said in What's coming in 7.5:
@jdaviescoates Where did you see Netcup does not support AVX?
Some of their servers do, but not all of them support AVX2. Mine doesn't. See the thread linked above for more info.
-
@michaelpope said in What's coming in 7.5:
it's just regular AVX as far as I can tell.
Actually from memory I thinks it AVX2 which the issue as (I think) MongoDB now requires it
Edit: nope, my memory failed me, it is just regular AVX support that's required, it's just that those that do seem to mostly all support AVX2
See this thread https://forum.cloudron.io/post/62899
@avatar1024 said in What's coming in 7.5:
@jdaviescoates Where did you see Netcup does not support AVX?
Some of their servers do, but not all of them support AVX2. Mine doesn't. See the thread linked above for more info.
@jdaviescoates I see thanks. I'm using Netcup RS and not VPS so I'm not affected but it's good to know! I wonder if it could be worth emailing them to ask if they can enable the AVX flag (if the CPU gen they use for they VPS support it of course).
-
@jdaviescoates I see thanks. I'm using Netcup RS and not VPS so I'm not affected but it's good to know! I wonder if it could be worth emailing them to ask if they can enable the AVX flag (if the CPU gen they use for they VPS support it of course).
@avatar1024 said in What's coming in 7.5:
I wonder if it could be worth emailing them to ask if they can enable the AVX flag (if the CPU gen they use for they VPS support it of course).
Can't hurt, I'll try that and see what happens ...
-
For 7.5, we just want to focus on fixing some long standing issues instead of adding new features. Also, Cloudron 7.4 added OIDC support, so we are also working on moving apps from LDAP to OIDC slowly (as long as the migration works seamlessly).
These are fairly critical and we haven't paid attention to them in a while:
- (mail) Virtual all directory in dovecot for search
- (mail) Investigate why Spam learning/filtering sometimes does not work effectively.
- (mail) SPF regression adding an extra header and leaking client IP.
- Backup integrity - store size and checksum of backups. Also provide a way to "verify" backup integrity in the remote.
- Backup/restore progress
- SSHFS/CIFS import is not working - 1 and 2
- Add optional flag for turn addon.
- Add check to indicate that Cloudron 7.6 will not support servers without AVX. This is required for MongoDB 6.0
- Upgrade Redis to 7 . This is required for Discourse
- Improve app repair workflow
@girish said in What's coming in 7.5:
(mail) SPF regression adding an extra header and leaking client IP.
I made a PR upstream for tihs - https://github.com/haraka/haraka-plugin-spf/pull/11
-
What's the best way to get alerts for the release of 7.5? Follow this thread? Or do I have to watch the main channel? Very much looking forward to redis 7for the chatwoot upgrade so trying to set up some monitoring to get alerted as soon as it's available.
-
I have published 7.5.0 as unstable. It should be safe to be update but if you want to be ultra safe , I would wait a couple of days. The release upgrades docker so all apps will go down for a teeny bit.
Most of the features are not implemented yet, just getting this out for redis 7 . Discourse, Chatwoot and a few others depend on this and we didn't want to lag behind on app updates too much.
IMPORTANT: Do not upgrade if you are on Ubuntu 18.04. Turns out latest nodejs builds don't work on Ubuntu 18.04 - https://github.com/nodejs/node/issues/42351 . If you want to upgrade, please update ubuntu first - https://docs.cloudron.io/guides/upgrade-ubuntu-20/ . We will put in a check in 7.5.1 to show a proper error.
(by