A closer look at the new Hetzner cloud servers, by running LXD

Hetzner just announced a new set of cloud servers at good competitive prices.

Let’s try them out and run LXD!

Cloud server information

Here is the lineup of the new cloud servers,

The cheapest is a single-core, 2GB RAM and 20GB disk Virtual Private Server, with practically unlimited traffic. This is good enough to run LXD, and the CX21 with double the specs is even better. Note that there is an option for hourly or monthly charging. That is, the maximum cost per month is the monthly price depicted. That price corresponds to 26 days of continuous use of the server. In other words, if you have a server running for 26 days, the rest of the month is free.

Up to now, Scaleway had the most affordable prices. However, they reached capacity and you had to keep refreshing their page to find availability to launch a new server. They are expanding now, therefore soon there should be more availability.

Regarding Spectre and Meltdown on Hetzner, the CXnn cloud servers have not been updated yet. They require an update in the Linux kernel of the virtualization platform, and also in the Linux kernel of the cloud server (a sudo apt upgrade -y, then restart).

What distinguishes a cloud server from one company to another is the server management interface. Let’s get a new cloud server on Hetzner!

Creating a cloud server on Hetzner

First, we create a new account on Hetzner. The process is quite streamlined. It asks for some contact information and payment details. PayPal is supported.

These are the defaults when creating a server. There are two datacenters in Germany, and the default OS image is Ubuntu 16.04.3 LTS.

This is the actual pricing for EU customers, with tax included. We also added an SSH key.

The local storage is NVMe SSD, while there is also network storage on Ceph. Note that there is a storage driver for Ceph in LXD.

UPDATE: The CEPH tab does not show additional options like extra storage, etc. It probably is not enabled yet.

The cloud server was launched quite quickly. All fine.

Here is the menu under the three dots. The console is useful to inspect kernel messages. You can restart the server and the kernel messages will appear at once. You cannot log in on the console unless you create an account with a password (after you have connected with SSH).

Logging in to the cloud server

Let’s log in with SSH to the cloud server.

Hetzner has a fresh Ubuntu image and there are only five updates available.

They use the stock Ubuntu Linux kernel, which is a nice touch. The Ubuntu kernel package is linux-image-virtual because we are running a virtualized environment. One of the updates was for the kernel, and it was the version relating to https://usn.ubuntu.com/usn/usn-3540-1/

After installing all the updates, we run

shutdown -r now

and the cloud server reboots in a few seconds. Then, we connect again with SSH.

Here is /proc/cpuinfo. The bugs: field is empty. The Spectre and Meltdown Update says:

Virtual Servers (VQ/VX/CX)

The host systems will be updated to fix the vulnerabilities as soon as possible. The necessary reboots will be announced on Hetzner Status. You may subscribe to be notified.

Since the installed operating system may still be vulnerable, you need to install the updates, which provide the fixes, as soon as possible yourself. For more information on when the OS updates will be available, please check the links above.

Hetzner has a local mirror of the Ubuntu repositories.

After the upgrade, we rebooted and got into the upgraded stock Ubuntu Linux kernel for 16.04.3. We could upgrade to the HWE version (4.10) or HWE-edge (4.13). Actually, let’s do that now. First, we get a list of the available kernels,

There is linux-image-virtual at version 4.4.0, which is the version (with all security updates) of the initial Linux kernel for 16.04. Then, there is linux-image-virtual-hwe-16.04, which is the HWE version, with Linux 4.13.0. A few weeks ago it was at version 4.10 but it has now been elevated to 4.13. Therefore, the linux-image-virtual-hwe-16.04-edge is also at Linux 4.13.0. That means, we are good to install linux-image-virtual-hwe-16.04!

sudo apt-get install --install-recommends linux-image-virtual-hwe-16.04

Then, we restart and, after about ten seconds, we reconnect with SSH.

sudo shutdown -r now

Yeah, running Linux 4.13 (updated stock Ubuntu Linux kernel) on Ubuntu 16.04.

Disabling password authentication in SSH

By default, Hetzner has enabled password authentication in the SSH server.

To verify in practice, we just need to ssh localhost. It attempts to connect locally to root@localhost, and asks for a password. Instead, it should not ask for a password at all, and should fail because it did not find the appropriate keys. Note that we do not ever need to ssh localhost. We just use the command to verify in practice the issue with password authentication in SSH.

Here is the change in /etc/ssh/sshd_config that will disable the default PasswordAuthentication setting.

Below, we edit /etc/ssh/sshd_config and make the change shown above. Then, we reload ssh. Reloading does not terminate the existing SSH session. Finally, we try again to ssh localhost, and get the appropriate message Permission denied (publickey).
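A way to check the file itself rather than relying only on the ssh localhost prompt, as an added example that is not from the original post: sshd uses the first value it reads for each keyword and defaults PasswordAuthentication to yes, so a commented-out or later line does not count. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample file are constructed.

# effective_sshd_value FILE KEYWORD DEFAULT
# Print the global value sshd would use for KEYWORD: keywords are
# case-insensitive, the first occurrence wins, comments are ignored, and
# parsing stops at the first Match block (settings there are conditional).
effective_sshd_value() {
    awk -v kw="$2" -v def="$3" '
        BEGIN { kw = tolower(kw) }
        { sub(/#.*/, ""); sub(/=/, " ") }      # drop comments, allow key=value
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == kw { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# password_auth_disabled FILE: succeed only when the effective value is "no".
password_auth_disabled() {
    [ "$(effective_sshd_value "$1" PasswordAuthentication yes)" = "no" ]
}

# Constructed sample: the commented-out "no" changes nothing, and the second
# uncommented line is ignored because the first one already set the value.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication no
Port 22
PasswordAuthentication yes
PasswordAuthentication no
EOF
if password_auth_disabled "$sample"; then
    echo "password logins disabled"
else
    echo "password logins still enabled"
fi
rm -f "$sample"
```

On the server, sudo sshd -T | grep -i passwordauthentication prints the value as sshd itself resolved it.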

Setting up LXD

How much free space do we have for LXD to allocate in the storage driver?

Is LXD already available in the Ubuntu image? What about zfsutils-linux?

There are 17GB free out of the 20GB of the cloud server. We can give 15GB to LXD.

LXD is already installed, and is at version 2.0.11 (the updated version for Ubuntu 16.04.3). The backports repository is enabled here, giving us the option to use LXD 2.21 as well.

zfsutils-linux is not installed yet, therefore we install it. This package allows us to use the ZFS storage driver.

sudo apt install zfsutils-linux

Creating a non-root user

We are creating unprivileged containers, therefore we create a non-root user. We set things up so that we can SSH to the cloud server as this non-root user (by copying the SSH public key and setting up the permissions accordingly). Finally, we add this new non-root user to the lxd and sudo groups. With the lxd group, the user will be able to manage the LXD containers. With the sudo group, the user will be able to sudo to root.
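The steps above as shell functions, added here as an example and not taken from the original post; the function names are hypothetical, and create_lxd_user must run as root and assumes root's authorized_keys holds the key added at server creation. Membership in the lxd group gives control of the LXD daemon, which runs as root, so this account should be protected like root.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the original post.

# install_key HOME_DIR PUBKEY_FILE
# Append the public key(s) to HOME_DIR/.ssh/authorized_keys and set the
# modes that sshd's StrictModes check accepts.
install_key() {
    mkdir -p "$1/.ssh" || return 1
    chmod 700 "$1/.ssh" || return 1
    cat "$2" >> "$1/.ssh/authorized_keys" || return 1
    chmod 600 "$1/.ssh/authorized_keys"
}

# key_perms_ok HOME_DIR
# Succeed only if .ssh and authorized_keys exist and are not writable by
# group or others (characters 6 and 9 of the ls mode string).
key_perms_ok() {
    for p in "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || return 1
        case $(ls -ld "$p" | cut -c6,9) in
            *w*) return 1 ;;
        esac
    done
    return 0
}

# create_lxd_user NAME   (run as root)
# adduser prompts for a password, which sudo will ask for later.
# Assumption: root's authorized_keys holds the key added at server creation.
create_lxd_user() {
    adduser --gecos "" "$1" || return 1
    install_key "/home/$1" /root/.ssh/authorized_keys || return 1
    chown -R "$1:$1" "/home/$1/.ssh" || return 1
    usermod -aG lxd,sudo "$1" || return 1
    key_perms_ok "/home/$1"
}
```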

Initializing LXD

We initialize LXD by running lxd init.

Accept the defaults as shown in the image. Actually, here we accepted all defaults. When you press Enter, you get the default shown.

When I first ran lxd init, it got stuck. For a long time. It appears there was an issue with creating the network interfaces. I uninstalled (sudo apt remove --purge lxd) and then installed again, and it worked. I did not spend much time investigating, therefore if you get a similar issue, please write a comment below. It should be investigated.

UPDATE:  I tried again in a new cloud server. lxd init gets stuck while running the following processes,

 1681 pts/0 Sl 0:00 lxd init
 1763 ?     Sl 0:00 lxd-bridge-proxy --addr=[fe80::1%lxdbr0]:13128
 1793 ?     Ss 0:00 /bin/sh -e /usr/lib/lxd/profile-config
 1798 ?     Sl 0:00 lxc profile device get default eth0 nictype --force-local

The part --addr=[fe80::1%lxdbr0] should look like an IPv6 address but does not. It is the notation to show that the address is bound to that interface (here lxdbr0). The % character is the separator between the IP address and the interface name. IPv6 addresses can be written in that shorthand if the groups in between have a zero value. (Thanks Daniel in the comments).

Creating a LXD container

We create a new LXD container with

lxc launch ubuntu:16.04 c1

We run the lxc command to perform the action launch, and launch the image ubuntu:16.04. The new container will be called c1.

Migrating to the LXD snap

The default cloud image for Ubuntu on Hetzner also has snap support pre-installed. Snaps are installation packages, similar to .deb (apt-get …) packages. There is a LXD snap package, therefore let’s install it as the last thing to do in this post. Note that there is no hard requirement to use the snap. We already have the full set of versions of LXD available as .deb packages from the repositories. The slight difference is that with snaps we can get the autogenerated latest package of LXD, as built daily from the source code.

Below we show that we have a container c1 running. Then, we try to install the LXD snap. It does not work without sudo, because we are in a virtualized environment (on your Ubuntu desktop you do not need sudo). Then, we run sudo lxd.migrate, which is a utility from the lxd snap to migrate from the .deb package to the snap package.

If we are ready to proceed, we type yes and the existing containers are migrated to the snap installation of lxd.

Conclusion

The competition for cloud servers (virtual servers) is heating up and we get many good offerings. The distinguishing factors start to emerge and it is important for a provider not to be left behind.

What I like most about the Hetzner cloud servers:

  1. They use stock Linux distributions, meaning that they do not add/remove packages from the base image, and the Linux kernel is the one that is provided by the distribution.
  2. The pricing is low, with the option of hourly pay or a maximum monthly pay.
  3. The management interface is modern and snappy. It is a joy to launch new servers.

Permanent link to this article: https://blog.simos.info/a-closer-look-at-the-new-hetzner-cloud-servers-by-running-lxd/

15 comments


    • brian mullan on January 23, 2018 at 15:41

    Simos

    I already was aware of Hertzner but never looked to see if they had US data centers also. I will have to check.

    Digital Ocean just last week dropped their prices & added more instance choices. But they do not have a pay by the hour option.

    Thanks for the nice write-up on this provider.

    1. Thanks Brian!

      The entry-level cloud server by Digitalocean is still at $5, and the recent change was to increase the memory from 512MB to 1GB, and the storage from 20GB to 25GB.

      Digitalocean still offers by the hour billing, https://www.digitalocean.com/pricing/

      In addition, Digitalocean makes a good effort in producing good documentation.

    • bmullan on January 23, 2018 at 17:13

    misspelled… Hetzner sorry

    • bmullan on January 23, 2018 at 18:30

    Simos…

    Spotted mistake.

    You mention installing zfslinux-utils

    I think that’s supposed to be zfsutils-linux

    brian

    1. Thanks for spotting it! Fixed.

  1. Thanks for your explanation, but could you please explain about CentOS 7 and about the creation of the SSH key in step four, because I am facing a problem with the SSH key. Please guide me. Thanks.

    1. There are many good guides on the Internet that explain how to generate the SSH key-pair. If I were to write a guide on this, I do not think I would be able to add anything more.

  2. > [fe80::1%lxdbr0]

    fe80::1 is the default gateway address on an interface named lxdbr0.

    1. Thanks, I have updated the post to reflect this.

  3. It seems that they block multiple concurrent http requests? I am just trying them and doing some load testing but within a few minutes, I am unable to access the site. It shows ERR_CONNECTION_REFUSED

    Have you tried with over 300 connections? It’s just blocked.

    1. I have not experienced an issue with throttling the number of concurrent connections.
      Do you get that with LXD or is it a general question?

  4. First, I have a Hetzner CX21 Cloud Server running Ubuntu 18.04.2 LTS. I came across your article as I was looking into how to set it up properly. I saw you were setting up LXD (which is new to me – as are most things Linux – but I’m learning as I go). I’m not looking to get into anything such as LXD or Docker at this point – maybe someday in the future after my skills in Linux are more honed/refined.

    In your post, I followed your directions & steps all the way through where you installed the Linux virtual image (of course, running 18.04, I made the appropriate changes). I noticed that you were logged in as the root user. I then typed the “shutdown -r now” command, but mine came back to a root user prompt (where I had been all along), whereas yours came back to an ubuntu user prompt.

    Why did that occur? Do I need to add a non-root user to mine with sudo privileges in the Terminal (as in “adduser mark sudo”) and then login as “mark” with my associated password after I add myself as a sudo-capable user?

    Second, I’ve never used an SSH key/certificate; I know Let’s Encrypt provides those for free, but how would I “integrate” it into the cloud server? And, do I need to have Let’s Encrypt generate one for each device I use to access said cloud server? I’ve got an iPhone XR, a Raspberry Pi 3 B+, a Dell desktop running Linux Mint 19.1, & a Windows 10 Home tablet/laptop hybrid PC.

    My plan for this server is to install the OnlyOffice Document Server so that I can edit my MS Office documents/spreadsheets within Nextcloud. I do have a separate Nextcloud Hosting account (NX20) with Hetzner. Currently, it’s just awaiting my massive uploading of the files my family and I have amassed over 18 years (after checking for duplications & relevancy).

    Thanks.

    • Janez on March 9, 2021 at 01:44

    Got a question regarding hetzner cloud servers. From what I’ve read here, their cloud servers are KVM based, so we get real full root access? Also any experience with email limits? I’m running phplist with 3000+ emails and I send emails once per month to all members.

    1. Hetzner’s virtual private servers are KVM-based. As such, you get root access.

      Technically you can send as much email as you want. But you need to learn about Hetzner’s email policy and what they deem acceptable use. It is more of a policy issue than a technical issue.
