Hetzner just announced a new set of cloud servers at good competitive prices.
Let’s try them out and run LXD!
Cloud server information
Here is the lineup of the new cloud servers,
The cheapest is a single-core, 2GB RAM and 20GB disk Virtual Private Server, with practically unlimited traffic. This is good enough to run LXD, and the CX21 with double the specs is even better. Note that there is an option for hourly or monthly charging. That is, the maximum cost per month is the monthly price depicted. That price corresponds to 26 days of continuous use of the server. In other words, if you have a server running for 26 days, the rest of the month is free.
Up to now, Scaleway had the most affordable prices. However, they reached capacity and you had to keep refreshing their page to find availability to launch a new server. They are expanding now, therefore soon there should be more availability.
Regarding Spectre and Meltdown on Hetzner, the CXnn cloud servers have not been updated yet. They require an update in the Linux kernel of the virtualization platform, and also the Linux kernel of the cloud server (a sudo apt-get upgrade -y, then restart).
What distinguishes a cloud server from one company to another is the server management interface. Let’s get ourselves a new cloud server on Hetzner!
Creating a cloud server on Hetzner
First, we create a new account on Hetzner. The process is quite streamlined. It asks for some contact information and payment details. PayPal is supported.
These are the defaults when creating a server. There are two datacenters in Germany, and the default OS image is Ubuntu 16.04.3 LTS.
This is the actual pricing for EU customers, with tax included. We also added an SSH key.
The local storage is NVMe SSD, while there is also network storage on Ceph. Note that there is a storage driver for Ceph in LXD.
UPDATE: The Ceph tab does not show additional options like extra storage, etc. It probably is not enabled yet.
The cloud server was launched quite quickly. All fine.
Here is the menu under the three dots. The console is useful to inspect kernel messages. You can restart the server and the kernel messages will appear at once. You cannot log in on the console unless you create an account with a password (after you have connected with SSH).
Logging in to the cloud server
Let’s log in with SSH to the cloud server.
Hetzner has a fresh Ubuntu image and there are only five updates available.
They use the stock Ubuntu Linux kernel, which is a nice touch. The Ubuntu kernel package is linux-image-virtual because we are running a virtualized environment. One of the updates was for the kernel, and it was the version relating to https://usn.ubuntu.com/usn/usn-3540-1/
After installing all the updates, we run
shutdown -r now
and the cloud server reboots in a few seconds. Then, we connect again with SSH.
Here is /proc/cpuinfo. The bugs: field is empty. Per the Spectre and Meltdown Update:
Virtual Servers (VQ/VX/CX)
The host systems will be updated to fix the vulnerabilities as soon as possible. The necessary reboots will be announced on Hetzner Status. You may subscribe to be notified.
Since the installed operating system may still be vulnerable, you need to install the updates, which provide the fixes, as soon as possible yourself. For more information on when the OS updates will be available, please check the links above.
Hetzner has a local mirror of the Ubuntu repositories.
After the upgrade, we rebooted and got into the upgraded stock Ubuntu Linux kernel for 16.04.3. We could upgrade to the HWE version (4.10) or HWE-edge (4.13). Actually, let’s do that now. First, we get a list of the available kernels,
There is linux-image-virtual at version 4.4.0, which is the version (with all security updates) of the initial Linux kernel for 16.04. Then, there is linux-image-virtual-hwe-16.04, which is the HWE version, with Linux 4.13.0. A few weeks ago it was at version 4.10 but it has now been elevated to 4.13. Therefore, the linux-image-virtual-hwe-16.04-edge is also at Linux 4.13.0. That means, we are good to install linux-image-virtual-hwe-16.04!
sudo apt-get install --install-recommends linux-image-virtual-hwe-16.04
Then, we restart and after about ten seconds, we reconnect with SSH.
sudo shutdown -r now
Yeah, running Linux 4.13 (updated stock Ubuntu Linux kernel) on Ubuntu 16.04.
Disabling password authentication in SSH
By default, Hetzner has enabled password authentication in the SSH server.
To verify in practice, we just need to ssh localhost. It attempts to connect locally to root@localhost, and asks for a password. Instead, it should not ask for a password at all, and should fail because it did not find the appropriate keys. Note that we never actually need to ssh localhost; we use the command only to verify the PasswordAuthentication setting in practice.
Here is the change in /etc/ssh/sshd_config that will disable the default PasswordAuthentication setting.
Below, we edit /etc/ssh/sshd_config and make the change shown above. Then, we reload ssh. Reloading does not terminate the existing SSH session. Finally, we try again to ssh localhost, and get the appropriate message Permission denied (publickey).
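A check for the edit described above, as an added example that is not part of the original post: it reads an sshd_config the way sshd does (the first occurrence of a keyword wins) and also flags keyboard-interactive logins through PAM. The function names and the sample config are constructed for illustration.

```bash
# Added example, not from the original post. The sample config is constructed.

# effective_sshd_option FILE KEYWORD DEFAULT
# Print the value sshd would use for KEYWORD from the global part of FILE.
# sshd keeps the FIRST value it reads for a keyword, so a duplicate line
# further down is ignored; a missing or commented-out keyword gives DEFAULT.
effective_sshd_option() {
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -F'[ \t=]+' -v key="$key" -v def="$3" '
        { sub(/^[ \t]+/, "") }                 # drop indentation
        /^#/ || /^$/ { next }                  # comments and blank lines
        tolower($1) == "match" { exit }        # Match blocks are conditional
        tolower($1) == key { val = tolower($2); exit }
        END { print (val != "" ? val : def) }
    ' "$1"
}

# password_prompt_possible FILE
# Exit 0 when the config still allows a password-style login: either
# PasswordAuthentication is on, or keyboard-interactive is on together with
# PAM, which normally asks for the same account password.
password_prompt_possible() {
    pw=$(effective_sshd_option "$1" PasswordAuthentication yes)
    cr=$(effective_sshd_option "$1" ChallengeResponseAuthentication yes)
    pam=$(effective_sshd_option "$1" UsePAM no)
    [ "$pw" = yes ] || { [ "$cr" = yes ] && [ "$pam" = yes ]; }
}

# Constructed sample: "no" was appended below an existing "yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
# appended by hand later; ignored because the keyword is already set above
PasswordAuthentication no
EOF
echo "PasswordAuthentication: $(effective_sshd_option "$sample" PasswordAuthentication yes)"
if password_prompt_possible "$sample"; then
    echo "password prompts are still possible"
fi
rm -f "$sample"
```

On the live server, sudo sshd -T prints the effective configuration of the installed sshd, which is the authoritative answer once the file has been edited and reloaded.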
Setting up LXD
How much free space do we have for LXD to allocate in the storage driver?
Is LXD already available in the Ubuntu image? What about zfsutils-linux?
There are 17GB free out of the 20GB of the cloud server. We can give 15GB to LXD.
LXD is already installed, and is at version 2.0.11 (the updated version for Ubuntu 16.04.3). The backports repository is enabled here, giving us the option to use LXD 2.21 as well.
zfsutils-linux is not installed yet, therefore we install it. This package allows us to use the ZFS storage driver.
sudo apt install zfsutils-linux
Creating a non-root user
We are creating unprivileged containers, therefore we create a non-root user. We set things up so that we can SSH to the cloud server as this non-root user (by copying the SSH public key and setting up the permissions accordingly). Finally, we add this new non-root user to the lxd and sudo groups. With the lxd group, the user will be able to manage the LXD containers. With the sudo group, the user will be able to sudo to root.
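The steps described above as a script, added here as an example and not taken from the original post. The function names are hypothetical, the sample key is constructed, and create_lxd_user assumes the key added in the Hetzner console is in /root/.ssh/authorized_keys and that the new user's primary group has the same name as the user.

```bash
# Added example, not from the original post; the key below is constructed.

# install_authorized_key HOME PUBKEY_FILE [OWNER]
# Append the public key(s) and set the modes sshd expects.
install_authorized_key() {
    ( umask 077
      mkdir -p "$1/.ssh" && cat "$2" >> "$1/.ssh/authorized_keys" ) || return 1
    chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys" || return 1
    [ -z "$3" ] || chown -R "$3:$3" "$1/.ssh"
}

# ssh_strict_ok HOME
# Exit 0 when HOME, .ssh and authorized_keys are not group- or world-writable.
# sshd's StrictModes (on by default) ignores the key file otherwise.
ssh_strict_ok() {
    [ -f "$1/.ssh/authorized_keys" ] || return 1
    bad=$(find "$1" "$1/.ssh" "$1/.ssh/authorized_keys" -prune \
               \( -perm -020 -o -perm -002 \) -print)
    [ -z "$bad" ]
}

# create_lxd_user NAME  (run as root on the cloud server)
# Membership of the lxd group gives full control of the LXD daemon, which is
# equivalent to root on the host.
create_lxd_user() {
    adduser "$1" &&                  # prompts for the password sudo will ask for
    install_authorized_key "/home/$1" /root/.ssh/authorized_keys "$1" &&
    usermod -aG lxd,sudo "$1" &&
    ssh_strict_ok "/home/$1"
}

# Dry run in a scratch directory, no root needed.
scratch=$(mktemp -d)
echo 'ssh-ed25519 AAAAconstructedEXAMPLEkey user@example' > "$scratch/id.pub"
install_authorized_key "$scratch/home" "$scratch/id.pub"
if ssh_strict_ok "$scratch/home"; then echo "modes ok"; fi
chmod g+w "$scratch/home/.ssh"       # simulate a wrong mode
if ! ssh_strict_ok "$scratch/home"; then echo "sshd would ignore the key"; fi
rm -rf "$scratch"
```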
We initialize LXD by running lxd init.
Accept the defaults as shown in the image. Actually, here we accepted all defaults. When you press Enter, you get the default shown.
When I first ran lxd init, it got stuck. For a long time. It appears there was an issue with creating the network interfaces. I uninstalled (sudo apt remove --purge lxd) and then installed again, and it worked. I did not spend much time investigating, therefore if you get a similar issue, please write a comment below. It should be investigated.
UPDATE: I tried again in a new cloud server. lxd init gets stuck while running the following processes,
1681 pts/0 Sl 0:00 lxd init
1763 ? Sl 0:00 lxd-bridge-proxy --addr=[fe80::1%lxdbr0]:13128
1793 ? Ss 0:00 /bin/sh -e /usr/lib/lxd/profile-config
1798 ? Sl 0:00 lxc profile device get default eth0 nictype --force-local
The part --addr=[fe80::1%lxdbr0] should look like an IPv6 address but does not. It is the notation to show that the address is bound to that interface (here lxdbr0). The % character is the separator between the IP address and the interface name. IPv6 addresses can be written in that shorthand if the octets in between have a zero value. (Thanks Daniel in the comments).
Creating a LXD container
We create a new LXD container with
lxc launch ubuntu:16.04 c1
We run the lxc command to perform the action launch, and launch the image ubuntu:16.04. The new container will be called c1.
Migrating to the LXD snap
The default cloud image for Ubuntu on Hetzner also has snap support pre-installed. Snaps are installation packages, similar to .deb (apt-get …) packages. There is a LXD snap package, therefore let’s install it as the last thing to do in this post. Note that there is no hard requirement to use the snap. We already have the full set of versions of LXD available as .deb packages from the repositories. The slight difference is that with snaps we can get the autogenerated latest package of LXD, as built daily from the source code.
Below we show that we have a container c1 running. Then, we try to install LXD. It does not work without sudo, because we are in a virtualized environment (on your Ubuntu desktop you do not need sudo). Then, we run sudo lxd.migrate, which is a utility from the lxd snap to migrate from the .deb package to the snap package.
If we are ready to proceed, we type yes and the existing containers are migrated to the snap installation of lxd.
The competition for cloud servers (virtual servers) is heating up and we get many good offerings. The distinguishing factors start to emerge and it is important for a provider not to be left behind.
What I like most about the Hetzner cloud servers is,
- They use stock Linux distributions, meaning that they do not add/remove packages from the base image, and the Linux kernel is the one that is provided by the distribution.
- The pricing is low, with the option of hourly pay or a maximum monthly pay.
- The management interface is modern and snappy. It is a joy to launch new servers.