Phase out using the cli (for anything)

I know it is easiest to just hack things from the cli, magento2 also went from a cron executed via the web interface to something on the cli. But this looks to me more like ‘lets do things easy and quick, instead of good’. It is not like the development team of magento 2 is earning any prices on their secure coding.

Especially in regards with the future, running tasks in cloud environment, where you try to maintain a one process per task design. You cannot really expect the availability of a cli. I think with magento2 you have launch separate task for the cron, which is frankly ridiculous for small environments.

Shared environments need to control their resources and they have specifically configured php environments, they do not want some cli process to get around these limitations. Furthermore there is also a security disadvantage with the cli.
Anyway it just does not make sense for the majority of suitecrm installs.

Continuing the discussion from Inbound Email cannot function without the IMAP c-client libraries enabled/compiled with the PHP module.:

What exactly is insecure about the CLI?

How do you propose we run the scheduled jobs without some sort of CLI to set up cron?

I don’t see any particular inferiority in CLI. There is more than one way to invoke PHP scripts, both have their place, both are necessary, and not everything that can be done in one can be done in the other.

What exactly is insecure about the CLI?

simplest put. cli runs as user, that has a superset of privileges as php code being run by the webserver software. That should be enough explanation.

eg. if you configure script timeouts on 30s, this can be bypassed on the cli.

eg. the openbasedir can be bypassed in the cli, and then running as the webserver user, you can access all other php websites on a server.

eg. running as the webserver user, you have access to all resources the webserver user has access to, while the webserver software is limiting/sharing this to the individual websites.

The list goes on and on, which is obvious as it is a different environment.

Then of course there is the situation why would you make it complicated for an application to be secured in two environments. Just stick to the website environment and let the system admin take care of the rest. The admin decides what resources are allocated to a website by the configuration of that site. (period) It is not the job of suitecrm developers to find a way around this, but instead comply with such approach.

How do you propose we run the scheduled jobs without some sort of CLI to set up cron?

external wget/curl request to https://website/cron.php

I don’t see any particular inferiority in CLI. There is more than one way to invoke PHP scripts, both have their place,

I see the php commandline mostly in assistance to install or automate configuration. For instance the magento cli offers configuration, that is really nice, so you can just copy paste your commands with your default settings.

both are necessary,

Only the web access is necessary

and not everything that can be done in one can be done in the other.

You should not even want to look at the cli, mostly it is just the easy way. I can’t imagine what could be done there and not via website execution.
I know why the cli is taken. Because when executing the cron via the website, you have to take into account things like script limited run time. So you have to make sure what in the queue has been accurately processed and what was not.

And as I wrote before, how are you going to run cron in a container? If you make a proper container the cron application is not even available. So you have to create 2 tasks, one running the website and a 2nd that is running the cron.
2 containers for running just because the cron is not implemented via web access.

CLI configuration depends on a text file on the server, and enjoys user permissions as configured by an admin. The same goes for the web server. There are plenty of ways of messing up the security of a web server config (just like the ones you mentioned for messing up CLI configs).

cron can run perfectly well on a container, it’s lightweight, it’s standard Unix stuff. It’s a basic tool really.

Typically I look at things from the point of view of administering our own Linux machines, not shared hostings. It’s a no-brainer to run local jobs from a local service, instead of asking a computer on the Internet to call me up to tell me what I should do in my own server. Why create dependencies on external servers and on network connectivity?

And even on shared hostings, the admins will lock things down (sometimes excessively, but ok, it’s their choice) and you work from within that. They typically provide ways for you to do some basic crontab entries; and the level of user access they give you on the command-line is quite low, you can’t really do much.

We don’t need command-lines and CLI PHP engines because “it’s taking the easy way”. We simply use them because local things should be done locally, and a web server is not designed for local things.

Opening up SuiteCRM cron jobs to the Internet is actually exposing yourself to really easy denial-of-service attacks, and other mischiefs. Every time this issue has come up here in the forums, I always recommend people just get their crontab configurations right, and forget about external cron services. And if your shared hosting doesn’t let you access a command-line (only the cheapest ones have that limitation), that’s a great reason to drop it and choose another one.

I’m not against shared hostings, or even against limited shared hostings, they can be great for many things, and even free ones can be valuable tools. But for SuiteCRM - I don’t advise them at all, and never if they don’t give you SSH access. SuiteCRM is too complex, it’s a full enterprise app with over a million lines of code. It’s also temperamental and buggy, and I need to see things happening under the hood, look for files, grep logs, etc.

CLI configuration depends on a text file on the server, and enjoys user permissions as configured by an admin. The same goes for the web server.

yes, and as I wrote before, they are different, and that is what counts here. There is no need to maintain two environments, just stick to one.

There are plenty of ways of messing up the security of a web server config (just like the ones you mentioned for messing up CLI configs).

how is this relevant

cron can run perfectly well on a container, it’s lightweight, it’s standard Unix stuff. It’s a basic tool really.

Yes for rookies, who do not understand the container/task concept.
The idea of a task running in the container is that the orchestrator monitors it, when it it is down, it will spawn new task in the container environment.
It monitors the main task of your entrypoint.sh file. Rookies just start multiple tasks in a single container, which obviously are not being monitored. Thus if these (your cron) crashes nothing is being noticed as your webapplication is seen to be running. That is why in OC they have designed eg. pod architecture where multiple processes belonging together are deployed and monitored.

So running a local cron requires you to deploy a separate instance of suitecrm, where you monitor the cron. Which is ridiculous if you already have a cron task running for other services.
In the future your suitecrm container image should not even include an OS.

Typically I look at things from the point of view of administering our own Linux machines, not shared hostings.

That is incorrect start, your personal preference is of no relevance. You should check what most clients are using, or what goal for this has been defined. I think I even read somewhere on the suitecrm website that they are proud everything is in php and symphony so it is available to a large audience.
Currently you have to add to the website “SuiteCrm does not run in secured shared environments, if it does run in a shared environment it is probably not secure.”

It’s a no-brainer to run local jobs from a local service, instead of asking a computer on the Internet to call me up to tell me what I should do in my own server. Why create dependencies on external servers and on network connectivity?

This is not really an argument. You can also run in local cron a wget to a site that is running locally. That is most secure.

And even on shared hostings, the admins will lock things down (sometimes excessively, but ok, it’s their choice) and you work from within that. They typically provide ways for you to do some basic crontab entries; and the level of user access they give you on the command-line is quite low, you can’t really do much.

So this is an argument for keeping the cron in the web application.

We don’t need command-lines and CLI PHP engines because “it’s taking the easy way”. We simply use them because local things should be done locally, and a web server is not designed for local things.

What a non-sense, sorry this totally does not make sense. Give me one example.

Opening up SuiteCRM cron jobs to the Internet is actually exposing yourself to really easy denial-of-service attacks, and other mischiefs.

Also not an argument, you can easily secure calls to the cron.php.

Every time this issue has come up here in the forums, I always recommend people just get their crontab configurations right, and forget about external cron services.

You should not be advising on this. I do not think you have a broad understanding on system administration. Constantly I run into web developers that think they need to instruct sysadmins. You should stick with your environment creating the application. If you want advise on security, go ask security expert. Only advise on the area you are an expert in.

And if your shared hosting doesn’t let you access a command-line (only the cheapest ones have that limitation), that’s a great reason to drop it and choose another one.

Do you not start to wonder if you are wrong, when you get such signals?

I’m not against shared hostings, or even against limited shared hostings, they can be great for many things, and even free ones can be valuable tools. But for SuiteCRM - I don’t advise them at all, and never if they don’t give you SSH access.

How many suitecrm users are logging in with ssh to check things? 1%?

SuiteCRM is too complex, it’s a full enterprise app with over a million lines of code.

So why make it more complex with having to secure 2 environments, and not just stick with one? You still did not give a single argument why the cli is necessary for suitecrm.

It’s also temperamental and buggy, and I need to see things happening under the hood, look for files, grep logs, etc.

Even more reason to keep things simple stick to 1 environment not 2. Suitecrm is just a web application, keep things simple, than it is easier to maintain a higher level of security.

A year ago I looked at opencrx, these guys really seem to be experts, at least their database looks best designed from what I have currently seen.
The gui looks shit, but their business model is, I think, selling customization of the interface.
I really do not get why all these opensource projects are just starting from scratch and don’t look to participate on with others.
If these opencrx guys are good in db design, just cooperate and use that as backend.

You start from the idea that CLI is hard to use and to secure, and then elaborate form there. I think the command-line is easy to use and to secure, and is inevitable, so I use it because it’s there. It takes me 2 minutes for every new installation, and then I never have to think about it again.

And I don’t split basic OS stuff into containers so I can monitor it, what a misguided architectural overkill. When you weigh the complexity of using cron (a 44k executable that just works) with deploying extra containers and orchestrating and securing external access… and decide for the latter… ok…

But listen, I really don’t appreciate the tone of your “discussions”. It’s like you know everything, need to learn nothing, and are always 100% right. Cool.

Much of what you write sounds downright ridiculous to me, but then it seems you also find my experience with SuiteCRM irrelevant (and my specializations and training and professional experience, but I digress).

Go ahead and dream up your hyper-containerized SuiteCRM mixed with opencrx. Please fork SuiteCRM as soon as possible and implement all that. I wish you the best of luck.

I’ve seen your kind often in these forums. You come around, tell everybody what should be done, complain and annoy, and then get tired and give up on SuiteCRM. To our great relief.

You start from the idea that CLI is hard to use and to secure, and then elaborate form there. I think the command-line is easy to use and to secure, and is inevitable, so I use it because it’s there. It takes me 2 minutes for every new installation, and then I never have to think about it again.

That is not at all a rational approach, if you are developing an application that is being used by thousands of people.
You state that “things have to be ran locally”, prove this to me. If you state something, you have to prove your point.

And I don’t split basic OS stuff into containers so I can monitor it, what a misguided architectural overkill. When you weigh the complexity of using cron (a 44k executable that just works) with deploying extra containers and orchestrating and securing external access… and decide for the latter… ok…

Just do not go into areas where you do not have experience. I am also not here to educate your. Let’s stick to suitecrm.

But listen, I really don’t appreciate the tone of your “discussions”. It’s like you know everything, need to learn nothing, and are always 100% right. Cool.

That is the case with a lot of developers, if they are criticized they don’t like the tone. Be a professional and learn, or are you the opinion that nobody knows better than you in regards, linux system administration and cloud platforms like kubernettes/mesos?

Much of what you write sounds downright ridiculous to me, but then it seems you also find my experience with SuiteCRM irrelevant (and my specializations and training and professional experience, but I digress).

You are deviating from your specialization, you are entering system administration and cloud infrastructure. Do not go there.
I am constantly asking you to explain me with your suitecrm experience in what case the cli is required, and yet I have had no real example, and mostly emotionally motivated reasoning.

Go ahead and dream up your hyper-containerized SuiteCRM mixed with opencrx. Please fork SuiteCRM as soon as possible and implement all that. I wish you the best of luck.

Try and learn for once. It is this ridiculous own bubble project attitude that makes most projects ‘buggy’. You even wrote it yourself. How long does suitecrm exist? You still have db with duration_hours, duration_minutes fields. It is just amateur.
Ok sure there hasn’t been time to correct this or fix it. But start opening your eyes to criticism about such things, so you can make it better. What is bad in borrowing something that is excellent from another project, compared to creating something buggy yourself.

I’ve seen your kind often in these forums. You come around, tell everybody what should be done, complain and annoy, and then get tired and give up on SuiteCRM. To our great relief.

Yes that is because there is a saying “gegen Dummheit kämpfen Götter selbst vergebens”, people with a brain will give up trying to explain.
You see criticism as a personal attack, that is why you identify it as complaining and annoying.
What I am saying is rock solid, go and find any 30 year expert in linux system administration, selinux, resource management, security etc with an IQ 160. I will argue my case with him/her, I don’t expect your interpretation of “ridiculous” will be shared.

Give me an example where the cli needs to be ran.

Invite some expert to discuss this. I am not here to annoy, I like to use suitecrm in the future, that is why I am here.

What I find annoying are your assumptions. You state what you should be asking.

Am I?

Do I state that? Where? If I don’t state something, I don’t have to prove it.

Don’t I? I thought I did.

What is my specialization? Hint: I have a mini-cloud running in my basement.

I never stated that the CLI needs to be used, I just asked “why not?”. It’s ok if you are not satisfied with my arguments, just do your architecture your own way, and let other people use perfectly sensible options without forcing them to accept your claims.

About inviting experts, go ahead and find them, and bring them here to talk.

You state that “things have to be ran locally”, prove this to me. If you state something, you have to prove your point.
Do I state that? Where? If I don’t state something, I don’t have to prove it.

you wrote “We simply use them because local things should be done locally, and a web server is not designed for local things”

You are deviating from your specialization, you are entering system administration and cloud infrastructure. Do not go there.
What is my specialization? Hint: I have a mini-cloud running in my basement.

Should that say anything.

Give me an example where the cli needs to be ran.
I never stated that the CLI needs to be used, I just asked “why not?”. It’s ok if you are not satisfied with my arguments, just do your architecture your own way, and let other people use perfectly sensible options without forcing them to accept your claims.

Forcing to accept my claims? It feels like I am in a discussion about whether or not the earth is round or not. Facts are facts, but at least it is clear now that there is not really a defined requirement for using the cli, up until now that was not really clear.

To reiterate arguments for running cron in the web application:

• more secure
• better usage and control of assigned resources
• 1 environment to maintain and secure instead of 2 (thus simple, less complicated)
• will fit a lot more suitecrm users hosting
• more efficient container deployment

To reiterate arguments for running cron in the cli:

• perfectly sensible option / local things should be done locally (whatever that means)

Maybe we should allow users to vote on this?

Ok.

Peace. . . . . .

‎‎‎‎‎
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

Hi f1outsourcing.

You may want to ask yourself a couple of questions:

A) whether you owe pgr an apology.
He is one of the most prolific provider of advice on this forum. For free.
Yet your tone to him was unfriendly.

You made the beginners level discussion error - of ‘ad hominen attacks’. Such discussion errors make it very hard to have a constructive exchange with anyone -especially with a stranger across the internet. Makes it much less likely that clever people with directly experience , will be motivated to give their unpaid time to respond to such help requests.

B) whether you actually learned anything from the exchange.

It looks to me, on the sidelines, that you made some blank statements; disagreed with pgr when he raised valid challenges but did not defend your statements with new facts.

And then finished by stating again the same statements you started with.

The basic statement you started and ended with - is not something I have seen advocated anywhere else on the web ( not to use local cron, but an external-internet served one).

@DJuser If you knew what you are talking about, you would not write this. Stop whining and first consult an expert.

You can’t even read,
“( not to use local cron, but an external-internet served one).”

This is not even my statement and you clearly missed the point. If from all of the above text this is what you can deduct, you should stay home bake cookies and never enter any discussion (in life), because you are not in anyway contributing to a relevant information exchange.

OK, that is evidence that your default approach (here at least) is ad hominem attacks.
And to ignore substantive questions- like (A) above.

I’ll bow out here.