I’ve only ever used desktop Linux and don’t have server admin experience (unless you count hosting Minecraft servers on my personal machine lol). Currently using Artix and Void for my desktop computers as I’ve grown fond of runit.
I’m going to get a VPS for some personal projects and am at the point of deciding what distro I want to use. While I imagine that systemd is generally the best for servers due to the far more widespread support (therefore it’s better for the stability needs of a server), I have a somewhat high threat model compared to most people so I was wondering if maybe I should use something like runit instead which is much smaller and less vulnerable. Security needs are also the reason why I’m leaning away from using something like Debian, because how outdated the packages are would likely leave me open to vulnerabilities. Correct me if I’m misunderstanding any of that though.
Other than that I’m not sure what considerations there are to make for my server distro. Maybe a more mainstream distro would be more likely to have the software in its repos that I need to host my various projects. On the other hand, I don’t have any experience with, say, Fedora, and it’d probably be a lot easier for me to stick to something I know.
In terms of what I want to do with the VPS, it’ll be more general-purpose and hosting a few different projects. Currently thinking of hosting a Matrix instance, a Mastodon instance, a NextCloud instance, an SMTP server, and a light website, but I’m sure I’ll want to stick more miscellaneous stuff on there too.
So what distro do you use for your server hosting? What things should I consider when picking a distro?
I currently use Ubuntu for all my machines (desktops, laptops, and servers), but I used to use Void Linux on my machines for about 6 years, including on a couple of VPSes. Since you are familiar with Void Linux, you could stick with that and just use Docker/Podman for the individual services such as Matrix, Mastodon, etc.
In regards to Debian, while the packages are somewhat frozen, they do get security updates and backports by the Debian security team:
https://www.debian.org/security/
There is even an LTS version of Debian that will continue backporting security updates:
Good luck!
I always use Rocky Linux or Alma Linux, since I have extensive experience with enterprise Linux and RPM packages. I have Fedora on my main desktop computer. Both Rocky Linux and Alma Linux are rock-solid and are ideal for any kind of workload.
Also, Debian is a good choice if you know how to manage DEB packages and you feel comfortable with APT.
Fedora is a good choice if you want fresh packages and are willing to upgrade your server every 6 months (following the Fedora release cycle).
Rocky Linux and Alma Linux follow a similar slow release cycle of RHEL, wherein you can install your server and not have to worry for years (as long as the packages are updated with dnf update). Debian is also a slow release distribution, which makes it good for servers.
Apt4RPM was a beautiful thing. I wish we still had that as a common tool, as yum and its incapable ‘up’grade dnf are just worse and less capable each time. I shudder at the crayon-eating that’ll go into whatever ‘succeeds’ dnf.
I have been using dnf for years, both on desktop and servers, and never had a problem with it. I have the opposite idea, it’s getting better with dnf5, I think it’s a great tool and upgrades not only the regular packages, but the entire distribution during new releases without any problem. I upgraded my notebook from Fedora 38 to 39 and finally to 40 through dnf, no complaints.
You don’t wanna use rolling release distros, trust me; the whole point of a server is automation and less maintenance. I’ve got a couple of personal servers running; after the things I need got set up and all of them were running at a decent capacity, I just turn them on and never worry about them. Old packages and software don’t necessarily mean less security, quite the opposite actually. I suggest you take a look at how stable distros distribute their software, such as Debian. For a Debian package to become stable, it has to go through several stages: experimental, unstable, testing, and finally stable. That’s why their packages are old, and because they are old, they are secure. It might be quite the opposite of what you expect.
Mostly I use Debian for my personal servers; some of them are stable and some of them are testing, because of Podman’s new feature Quadlet. Honestly many features of Debian feel really old, like APT’s source list, preferences, and the way to deal with unattended upgrades. It’s kinda hard to get it at first and it’s easy to shoot yourself in the foot, especially as many people tend to unintentionally mix and match packages from different suites for new software. But once you get comfortable with it things just work.
In my experience, no matter what distros I use, the worst distros are always those that I don’t understand and am in a hurry to put into production. Just pick one popular server distro and learn the ecosystem; you will find out what distros you like really soon.
Yeah, and key point in why old packages are secure is that versions with serious bugs and vulns don’t get to the next stage, and if a package in stable is finally going to have one, they’ll release a patch for it with just enough changes that fixes the serious issue.
There are some exceptions for very complex software, like Debian maintainers cannot be expected to be able to understand and see through something like Firefox. There they mitigate it by using ESR releases that are maintained by Mozilla.
My server is running headless Debian. I run what I can in a Docker container. My experience has been rock solid.
From what I understand Debian isn’t less secure due to the late updates. If anything it’s the opposite.
Ubuntu LTS. Currently on 22.04.
Ubuntu here as well! Sticking with just the LTS versions tho 😎
Servers are the one thing I’ve generally heard people agree that snaps are good for, so given its history it’s a bit of a strange thing to hear of Ubuntu being a better server distro than desktop distro nowadays.
snaps are like poor man’s containers when it comes to servers… maybe better than having single-use VMs but if you’re wanting to build out real systems in a modern way, i literally haven’t worked with anyone using ubuntu in the last ~10 years
Proxmox so I can run a bunch of other distros.
I use Alpine Linux. It’s exceptionally stable, great for pretty much any device and is best for small VPS with limited space/ram. Nice package manager too, but it is limited in packages.
It works great for me since I only use docker containers, but some things outside docker may require something like Debian instead.
Alpine Linux
Alpine is so great for so many reasons. I don’t like its packaging format, but its composition otherwise is just top-notch. I’m a huge fan when the one nit isn’t an issue. It also avoids cancers like systemd, and it makes it a joy to use.
Downvotes for recommending alpine? This is my baffled face.
If you are already familiar with one package manager, pick a distro that also uses that package manager.
When deciding on the release track, the harder it is to recover the system, the more stable the track should be. Stable does not imply secure.
As you move up through virtualization layers, the less stable the track needs to be, allowing access to more recent features.
Steer clear of distros that pride themselves on using musl. It’s historically slow and incomplete. Don’t buy into the marketing.
Think about IaC. Remote management is a lot more comfortable if you can consider your server ephemeral. You’ll appreciate the work on the day you need to upgrade to a new major release of the distro.
Debian. This is the way (for servers).
NixOS for my homelab that I like to tinker with, Debian as Docker host for the server people actually rely on
I switched mine to NixOS a while ago. It’s got a steep learning curve, but it’s really nice having the entire server config exist in a handful of files.
I use nixos, due to the incredible state management. You know exactly what versions of packages are on your machine, can build all packages from source yourself or download from a binary cache. 100% reproducible. Steep ass learning curve but tbh it’s well worth it. Saves you configuration time and energy in the long run. I’ve stopped distro hopping, the implementation is so good. If you are concerned about security you can definitely harden it. There’s a lot more to security than package version. And even then nixos gives you the choice.
Mint on the Desktop, FreeBSD on the server. Amazingly stable.
openSUSE is worth a consideration. More frequent releases than Debian, but still pretty conservative
@communism
I use alpine, but void is a good option too, for me the host should be minimal and lightweight. At the end I have all on containers