<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div dir="ltr">FWIW, I’ve had the opposite experience: migration away from macOS Server has provided a path to configure these services to be a lot more performant and reliable than the older and stagnant macOS Server versions.</div><div dir="ltr"><br></div><div dir="ltr">And given the reality that most/all of the mobile devices that use these services are iOS-based, it makes sense to just adapt to the latest macOS platform that can also be used to manage these devices.</div><div dir="ltr"><br></div><div dir="ltr"><div dir="ltr">All this stuff is configurable open source, and can just as easily be run on Linux or BSD. The firewall and permissions approaches are different, especially if one uses SELinux or other locked-down options. Running a server with multiple firewall layers requires troubleshooting facility with those layers on the platform. On BSD, that means pf, and on macOS it means pfctl, /usr/libexec/ApplicationFirewall/socketfilterfw if one uses the Application Firewall, and some services controlled by MacPorts like clamav require enabling Full Disk Access for the MacPorts process "daemondo" in System Preferences > Security & Privacy > Full Disk Access. And any default macOS configurations that affect functionality or performance can be adjusted using the basic BSD sysctl and/or /etc/sysctl.conf settings.</div><div dir="ltr"><br></div><div dir="ltr">If an application is blocked for some reason on any platform, one has to walk back through the blockers (firewall, permissions, disk access) and figure out how to unblock them. Removing a redundant or unnecessary layer can facilitate this. For example, a macOS server running a locked-down pf firewall behind a router behind an ISP may not also need the macOS Application Firewall.</div><div dir="ltr"><br></div><div dir="ltr">My own last step away from macOS Server is the automatically-generated PKI it provided. 
I swapped this out with a few bash scripts that create much faster EC-based PKI for things like an OpenVPN server, mail, and other services. Again, migrating away from macOS Server using configurable open source made things better with a little elbow grease on the configuration side.</div><div dir="ltr"><br></div><div dir="ltr"> </div><div dir="ltr"><blockquote type="cite">On Nov 29, 2022, at 06:55, Gerben Wierda via macports-users <macports-users@lists.macports.org> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">Over the last years, it has become harder and harder to run Unix services on my Macs. I'm using MacPorts for these since the demise of macOS Server and they include</div><div class=""><ul class="MailOutline"><li class="">a mail server (dcc, apache-solr8, clamav-server, rspamd, dovecot, postfix)</li><li class="">a name server (nsd, unbound)</li><li class="">a web server (nginx, minio)</li></ul><div class="">Before Monterey I was running Mojave and that worked very well. I skipped Catalina and went straight for Monterey so I would have a long period of 'no large migrations'.</div></div><div class=""><br class=""></div><div class="">The experience has been horrible. I had to turn off the application layer firewall on the server, for instance. I had to start some services (MinIO) not via launchd but by hand because they would not start properly because of permissions when I did (MinIO could not access a fixed-mount external disk when started from launchd, but had no problem accessing it after boot). About 1 to 2 times every day, the system is totally dead; it gets stuck apparently because it runs out of sockets or something like that. 
I suspect this is because I am running a public mail server which gets a lot of connections and macOS has some sort of resource leak. After at most about an hour, the system gets 'unstuck' and moves on. The 'unstuck' started to happen after 12.5 to 12.5.1 (so an improvement), but it has the feel of Apple doing a quick and dirty fix in 12.5.1 for a resource leak in 12.5.</div><div class=""><br class=""></div><div class="">Apple has been a rock-solid server system for me for many years. Since Monterey I consider it to be extremely unreliable and not feasible as a server environment for unix-like services.</div><div class=""><br class=""></div><div class="">I suspect that all of this is because Apple is moving to a new security mechanism, one more focused on how it is done in iOS too, where things like code signing, immutability of parts of the file system, etc. are taking the role that traditionally is done by ACL/POSIX-like permissions. Apple's new way of doing security is arguably stronger than the old way. But the 'old' way of doing things is less and less supported and certainly not a focus for Apple to keep operational (which is dumb because by not supporting it they are flying blind for the kind of resource leak errors I seem to have encountered). So, install unbound, and after boot macOS will ask you 'do you want unbound to accept incoming connections?'. Yes, of course, but that setting doesn't stick. After every next reboot, the same happens. Run the same executable side by side on different ports, and ALF gets confused. So, not only is the old ACL/POSIX way of permissions no longer properly implemented, the new system is not friendly for your own compiled stuff.</div><div class=""><br class=""></div><div class="">The setup has become so unreliable that I do not dare to upgrade my current server beyond macOS 12.5.1, afraid as I am that the next update will kill even more, rendering my production setup effectively dead. 
</div><div class=""><br class=""></div><div class="">I can't update my macOS anymore for fear that it kills what I cannot work without.</div><div class=""><br class=""></div><div class="">The key weak point in all of this seems to be the macOS Application Level Firewall which is iffy and especially iffy when it has to work with unsigned executables. But even when it is turned off, lots of other things that would normall work fine in a unix-like environment stop working, esppecially when you want to do 'server-like' stuff that requires open ports and sockets and such.</div><div class=""><br class=""></div><div class="">Sadly, this means that running a 'macOS Server substitute using MacPorts' is no longer feasible for me. I have started to move to a Linux setup and I hope my 'macOS Server' (which I have been running since it's start in some way or another, and OPENSTEP/NeXTSTEP before that) survives until I have that working properly.</div><div class=""><br class=""></div><div class="">Apple turns macOS into a purely consumer appliance, it seems. That is their good right, but they also starve attention to the old unixy-way of things, leading to weak (certainly not robust) implementations of the unix-side. And that might be the eventual death of MacPorts unless it goes full in on Apple's new security model, signing and all. And for the time being, Apple's own suggestion to move to open source variants of the macOS Server stuff they abandoned, is not to be taken seriously as they also are not serious about the foundation those open source elements need.</div><br class=""><div class="">
<div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; 
line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div><div class="">Gerben Wierda (<a href="https://www.linkedin.com/in/gerbenwierda" class="">LinkedIn</a>)</div><div class=""><a href="https://ea.rna.nl/" class="">R&A IT Strategy</a> (main site)<br class="">Book: <a href="https://ea.rna.nl/the-book/" class="">Chess and the Art of Enterprise Architecture</a><br class="">Book: <a href="https://ea.rna.nl/the-book-edition-iii/" class="">Mastering ArchiMate</a><br class=""></div></div></div></div></div></div></div></div></div>
</div>
<br class=""></div></div></blockquote></div></body></html>