Topics - ingvarr

#1
Hi,

I have been very happy with the performance of the D840, and the design is lovely. Unfortunately, the communication with the manufacturer was one of the most dreadful I have ever had. Everyone was nice, but I wasted more than three months waiting and repeating the same questions over and over.
This is very much related to an edge case triggered by the warranty issue I have, but nonetheless, the warranty is effectively useless (at least in my country), which suggests finding some alternative hardware.

But the original need still stands. I would like:

  • A more or less blackbox solution, so that OPNSense Business can be installed with modest efforts.
  • Capabilities and performance on the level of the D840 (Netboard A20, 4 cores, 8 GB): throughput with IDPS and at least one SFP+.
  • Customer support that answers emails, not only for enterprise accounts.
  • Not loud.
  • Preferably, rack mountable.
I know there is a wide range of generic servers, but it is very difficult to compare on paper, and any information about noise is very difficult to find, especially for rack mountable devices: most people don't care how loud anything in the rack is.

Still, any relevant personal experiences will be greatly appreciated.
#2
I have tried to reach Sunnyvalley support with part of this, but I reckon that it gets broader and might benefit from a discussion.
Sensei does, indeed, look like a promising initiative. And the idea of offloading the DB out of the firewall is great — I'd love to see it more in OPNSense (partly there are pieces like remote logging here and there, but sparse).
Unfortunately, as of now, the support is very incomplete.
I am going to try and collect (perhaps, to be updated) the list of my own concerns. Any comments and opinions will be appreciated — both from SV and the community.
A disclaimer: Sunnyvalley has no obligations to me, for I did not buy any service (only considering), and the discrepancies listed hereby are not implied by any promises made by the company that I am aware of, thus this is just a conversation.

Permissions

Sensei requires a lot to run. That would make sense for an enterprise that can afford a dedicated ELK installation for the firewall, but for a humble home setup this is burdensome.
The documentation mentions indices (<HOSTUUID>_)?(conn|http|tls|alert|sip|dns)_<date>. Well, this is incorrect. First of all, it is a dash, not an underscore, before the date. Second, there are also aliases $1_all and $1_write, which makes sense, but it would be nice to say a word about them in the manual.
Now, this is the role definition that seems to have worked for me:

    offensive_role_name:
      cluster: [ "monitor", "read_ilm", "manage_own_api_key" ]
      indices:
        - names:
      #      - "/(conn|http|tls|alert|dns|sip)(_all|_read|_write)(-[23][0-9][01][0-9][0-9][0-9])?/"
            - "/(conn|http|tls|alert|dns|sip).*/"
          privileges: [ "all" ]

Please note the commented-out, more precise definition: I believe it should work, but I just got tired of guesswork.
Interestingly, when I alter the DB URL in the configuration, I get an error — and I do even if I give the sensei user superuser permissions. Still, the indices are getting created and rolled over, all right.
But of course, it would be better to use a dedicated service account.

Suggested actions:

  • Update the manual to reflect actual naming and to mention aliases.
  • Provide a role definition example with least privilege necessary.
  • Consider switching to service accounts with tokens instead of username and password.
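Since the point of the role above is that Sensei's user should reach only Sensei's indices while other datasets share the cluster, it is worth checking a candidate index pattern against both kinds of names before loading it into the role. The script below is an added example, not from the post or from Sunnyvalley: it takes the two patterns from the role definition above (the loose one that is active and the precise one that is commented out) and runs them over a constructed list of index and alias names. The sample names, the assumption that Sensei index names carry no host UUID prefix, and the third "candidate" pattern are mine; Elasticsearch applies a `/regex/` in a role's index names to the whole name, which is modelled here with re.fullmatch.

```python
import re

# Patterns copied from the role definition in the post (Lucene regex syntax there;
# Python's re dialect is close enough for these expressions).
LOOSE_PATTERN = r"(conn|http|tls|alert|dns|sip).*"
PRECISE_PATTERN = r"(conn|http|tls|alert|dns|sip)(_all|_read|_write)(-[23][0-9][01][0-9][0-9][0-9])?"
# Assumed alternative (not from the post): a Sensei name is a base name followed by
# either an alias suffix or a dash and a six-digit date, nothing else.
CANDIDATE_PATTERN = r"(conn|http|tls|alert|dns|sip)(_all|_read|_write|-[0-9]{6})"

# Constructed sample names that follow the corrected naming from the post
# (dash before the date, _all/_write aliases); no host UUID prefix is assumed.
SENSEI_NAMES = [
    "conn-210512", "http-210512", "tls_all",
    "alert_write", "dns_write", "sip-211231",
]
# Constructed names of other datasets sharing the cluster; none belongs to Sensei.
FOREIGN_NAMES = [
    "connections-archive", "httpd-access-2021", "dnsmasq_all",
    "syslog-210512", "tlsa-records", "alerts-siem",
]


def granted(pattern, names):
    """Names the role pattern would grant access to (whole-name match, as in ES roles)."""
    rx = re.compile(pattern)
    return sorted(n for n in names if rx.fullmatch(n))


def audit(pattern):
    """Compare a pattern against the constructed names.

    'missing'      - Sensei names the role would NOT cover (Sensei breaks),
    'over_granted' - foreign names the role WOULD cover (least privilege broken).
    """
    covered = set(granted(pattern, SENSEI_NAMES + FOREIGN_NAMES))
    return {
        "missing": sorted(set(SENSEI_NAMES) - covered),
        "over_granted": sorted(set(FOREIGN_NAMES) & covered),
    }


if __name__ == "__main__":
    for label, pattern in [("loose", LOOSE_PATTERN),
                           ("precise", PRECISE_PATTERN),
                           ("candidate", CANDIDATE_PATTERN)]:
        print(label, audit(pattern))
```

Running it shows the trade-off: the loose pattern covers every Sensei name but also grants access to anything else whose name merely starts with conn, http, tls, alert or dns (the "other datasets" case from the post), while the commented-out precise pattern grants nothing foreign but misses the plain date-suffixed indices because it requires an alias suffix. The same audit can be repeated with the real index list from the cluster (GET _cat/indices and GET _cat/aliases) in place of the constructed names.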

Index naming

For the same reason of reasonably expected coexistence with other datasets, it is a pain to have a diverse set of names pertaining to a single service without a common prefix.

Possible solutions:

  • Provide a configuration option, for both free and business versions, to prepend something to index and alias names; this is necessary for the sake of prettiness and tidiness,
  • Or just prefix sensei-<version>_

Index properties, replicas number above all

I have noticed that newly created indices have zero replicas.
Moreover, scripts/datastore/retire_elasticsearch.py says in elasticsearch_rollover(index_name):
       set_numberof_replicas = '{"index": {"number_of_replicas": 0}}'
Why? This hurts. I can't even touch the ELK without missing primary shards...

Possible solutions:

  • Make replicas number configurable,
  • Or make replicas number unset (so that the cluster settings apply),
  • Or make the index template configurable and/or allow relying on a pre-created index template
#3
Hi,

I'd like to use the ES database for other things in addition to Sensei. This means that everyone should only have access to their own indices. Unfortunately, it is not possible to set proper permissions for the Sensei user without knowing the host id (node-uuid is not set in the beginning). Is there a way to retrieve it or set it to a fixed value somehow?

Th.