Difference between revisions of "Debian/Hetzner"

From NixNet

Latest revision as of 21:22, 16 September 2021

This article is part of a series of guides that describe NixNet's setup in excruciating detail. If you would like to follow them, please start at the Infrastructure page.
Caution: this guide is not finished yet; following it may leave you with an unusable machine. To be notified of updates, please create an account and add it to your watchlist.

The "regular" distro installation process with Hetzner is a pain in the ass. They have a limited number of KVM devices so you have to open a support ticket requesting one. The options are "ASAP" and by appointment. In my experience, "ASAP" has been anywhere from 10 minutes to an hour and "by appointment" starts the next day. When they attach the KVM, you get an email with a URL, username, and password. After opening the URL, you'll see which device they've given you. One is modern and can be used perfectly fine in a browser. The other I've had is archaic and can only be interacted with through a Java applet that crashed on both my Arch installation and in an Ubuntu 20.04 VM. I was unimpressed.

If you want to install a custom operating system aside from their two-click deployments, option one is to upload an ISO through the KVM. This has no progress or status indicator until the upload is finished; at which point there will be a small notification in the window that disappears after a short period of time. It's very easy to miss. Option two is providing credentials for a SAMBA server containing the image you'd like installed. Both of these options are terribly slow.

Thankfully, they have a much simpler way to set things up.

Note: if you're used to working with systems from other providers, this may not be the same process. Read carefully.

The Rescue System

Hetzner's Rescue System is the simplest way I've found to get Debian set up; as part of that system, they provide a script called installimage which automates almost everything, including software RAID.

To activate it, go to The Robot, click Server, expand the one you're setting up, click the Rescue tab, and activate the rescue system for your architecture (likely 64-bit). Take note of the generated password at the bottom. Go to the Reset tab, select the power button, send the signal, wait a few seconds, select the power button again, and send the signal again. When your server finishes booting, you'll be able to connect to the rescue system.

SSH into the root account and enter the generated password. Don't lose it. It will be needed later. You should now see something like this.

-------------------------------------------------------------------

  Welcome to the Hetzner Rescue System.

  This Rescue System is based on Debian 10 (buster) with a custom
  kernel. You can install software as in a normal system.

  To install a new operating system from one of our prebuilt
  images, run 'installimage' and follow the instructions.

  More information at https://docs.hetzner.com/

-------------------------------------------------------------------

Rescue System up since 2021-01-23 05:18 +01:00

Hardware data:

   CPU1: AMD Ryzen 7 3700X 8-Core Processor (Cores 16)
   Memory:  64258 MB
   Disk /dev/nvme0n1: 1024 GB (=> 953 GiB) 
   Disk /dev/nvme1n1: 1024 GB (=> 953 GiB) 
   Total capacity 1907 GiB with 2 Disks

Network data:
   eth0  LINK: yes
         MAC:  a8:a1:59:3b:18:4a
         IP:   135.181.177.46
         IPv6: 2a01:4f9:3a:1f11::2/64
         Intel(R) Gigabit Ethernet Network Driver

root@rescue ~ #

From here, you should just be able to run installimage. A menu will appear in your terminal asking what distro you want; for this guide, choose Debian, then go with the latest minimal version. Read the info screen, press OK, and take a look at the configuration file. If you have 2 or more disks, I recommend leaving software RAID enabled and leaving it at RAID 1.

RAID IS NOT A BACKUP! It simply ensures that, should one drive fail, the server will continue running. You should be taking your own, automated backups. When a drive fails, contact Hetzner support, have them replace it as soon as possible, then rebuild your array.

Set your hostname according to what's on the main Debian page and work out your partitions. The defaults are perfectly suitable but, if you want a different setup, this is the place to make that change.

The IMAGE line is what determines the OS that will be installed. By default, it's set to what you entered at the initial screen, the minimal version of the latest Debian release.

Glance over the file once or twice more to ensure everything is satisfactory. If it is, hit F2, press Enter, hit F10, and confirm the changes. All that's left is to watch everything get set up!

After it's complete, type reboot, press Enter, wait a couple of minutes, then SSH back in with the same password.

You may see an error about the remote host's identification having been modified. This is expected. Simply remove the offending line from ~/.ssh/known_hosts.

The Actual System

  • install sudo
  • add users
    • adduser user
  • add user to sudo group
    • usermod -aG sudo user
  • copy ssh keys and rc file
  • disable xforwarding
  • disable password login
  • disable root login
  • restart sshd
  • remove root password
    • passwd -d root
  • review SSH logs to ensure no one brute-forced a session during setup
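The checklist above as one script. This is an added example, not something the NixNet guide ships; it assumes it runs as root on the fresh Debian install, that the admin user name is the second argument, that ./authorized_keys holds that user's public key, and that sshd reads /etc/ssh/sshd_config.d/*.conf as Debian 11 does by default. The log review step is demonstrated against constructed auth.log lines.

```shell
#!/bin/sh
# Added example (not from the NixNet guide): the post-install checklist above
# as one script. Assumptions: run as root on a fresh Debian install, the admin
# user name is passed as $2, ./authorized_keys holds that user's public key,
# and sshd reads /etc/ssh/sshd_config.d/*.conf (Debian 11 default).
set -eu

# sshd drop-in that disables X forwarding, password login and root login.
# Takes the output path as $1 so the content can be checked without root.
write_sshd_hardening() {
    cat > "$1" <<'EOF'
X11Forwarding no
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
}

# Constructed auth.log lines (not a real capture) showing what the review
# step looks for: a key login by the admin and a password login as root.
sample_auth_log() {
    printf '%s\n' \
      'Sep 16 21:00:01 host sshd[1234]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2' \
      'Sep 16 21:00:05 host sshd[1240]: Failed password for root from 198.51.100.7 port 40000 ssh2' \
      'Sep 16 21:00:09 host sshd[1250]: Accepted password for root from 198.51.100.7 port 40002 ssh2'
}

# Count accepted sessions in log file $1 for anyone other than user $2.
# A non-zero result means someone else got in while the box was still open.
unexpected_logins() {
    grep 'sshd\[[0-9]*\]: Accepted ' "$1" | grep -v " for $2 from " | wc -l | tr -d ' '
}

if [ "${1:-}" = "--apply" ]; then
    user=$2
    apt-get install -y sudo
    adduser --disabled-password --gecos '' "$user"
    usermod -aG sudo "$user"
    install -d -m 700 -o "$user" -g "$user" "/home/$user/.ssh"
    install -m 600 -o "$user" -g "$user" ./authorized_keys "/home/$user/.ssh/authorized_keys"
    [ -f ./.bashrc ] && install -m 644 -o "$user" -g "$user" ./.bashrc "/home/$user/.bashrc"
    # Confirm key login works from a second terminal before this point;
    # after the restart a password will no longer get you in.
    write_sshd_hardening /etc/ssh/sshd_config.d/hardening.conf
    sshd -t
    systemctl restart ssh
    passwd -d root
    echo "unexpected accepted sessions: $(unexpected_logins /var/log/auth.log "$user")"
fi
```

Run it as `sh harden.sh --apply alice`; without `--apply` it only defines the functions, so the drop-in and the log check can be exercised on a workstation first.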


Troubleshooting

Rebuilding a RAID array