Hetzner Cloud (ARM64)
This page describes the installation process of Gentoo Linux on Hetzner Cloud with a shared virtual ARM processor (IPv6 only).
Hardware
It is better to purchase the cheapest machine (2 cores, 4GB of RAM) as clouds can be upgraded but cannot be downgraded (because SSD cannot be scaled down). A checkbox that allows to keep the disk size appears on an attempt to upgrade the machine. If the disk size remains the same, then the downgrade is acceptable. The cheapest model compiles smoothly (MAKEOPTS="-j2 -l2").
Standard
Device | Make/model | Status | Vendor ID / Product ID | Kernel driver(s) | Kernel version | Notes |
---|---|---|---|---|---|---|
CPU | ARM Neoverse-N1 (QEMU) | Works | N/A | N/A | 6.6.13 | |
GPU | Red Hat, Inc. Virtio 1.0 GPU | Works | 1af4:1050 | virtio-pci | 6.6.13 | The kernel parameter console=tty1 is required. |
SSD | Red Hat, Inc. Virtio 1.0 SCSI | Works | 1af4:1048 | virtio-pci | 6.6.13 | |
Ethernet | Red Hat, Inc. Virtio 1.0 network device | Works | 1af4:1041 | virtio-pci | 6.6.13 | The kernel parameter net.ifnames=0 is required. |
Keyboard | QEMU USB Keyboard | Works | 0627:0001 | hid-generic usbhid | 6.6.13 | |
Detailed information
root # lscpu
root # lspci -nnk
root # lsusb -vt
root # lsmod
root # dmidecode
Installation
There is an installation script for Hetzner Cloud (AMD64, ARM64) provided by M1027, which might be useful in some circumstances.
Hetzner solutions do not provide the option to boot from a Gentoo installation disk (although it is possible to contact them to add a custom ISO to the menu [1]), but Gentoo can be installed from the Hetzner Rescue System, which is based on Debian, so it doesn't matter which distribution is chosen when creating the server. Before creating the server, it would be wise to configure the firewall. Once the firewall is configured, create an SSH key (or create a GPG key). The created key and firewall should be specified during the server creation process. After creating the server, go to the server menu. Click on the Rescue tab and click on the button labeled Enable rescue & power cycle. Select the previously created SSH key from the list and click on the button labeled Enable rescue & power cycle. The server will reboot into the Rescue System and it will be possible to connect to it via SSH. The installation process is straightforward; Handbook:AMD64 is usable even for ARM virtual machines. The system should be installed on /dev/sda, which already contains another operating system, so the disk needs to be wiped.
In addition or alternatively to SSH, the VNC console can be used, which is free of charge (not to be confused with the KVM console, which is chargeable).
A swap file can be used instead of a swap partition to save disk space.
Hetzner Cloud Firewall
Hetzner provides a way to configure the Hetzner Cloud Firewall before server creation. The firewall is free of charge and allows creating a whitelist for incoming traffic, so only allowed IP addresses will be able to connect to the server. This is useful because the server will be protected from attacks until it is ready for public release (or to keep the server completely private). The official guide can be used to configure the firewall.
If the cloud is purchased without IPv4 support, IPv6 addresses must be used in the whitelist.
Server IP address
The Networking tab shows the IPv6 address as 7777:777:7777:7777::/64, which is a bit confusing since the IP address to connect to is 7777:777:7777:7777::1 (click on the button with the three dots to the right of the IP address and click Show Instructions to see it). Hetzner assigns the first address (::1) by default [2].
Usage of GPG keys instead of SSH keys
It is possible to use GnuPG to create and store authentication keys.
Client-side actions
GPG key generation
Generate a master key as described here and an authentication key as described here. The articles describe Ed25519, but RSA-4096 is also acceptable. However, moving past RSA-2048 leads to the inability to use some smartcards and other devices. [3]
To export the public SSH key, execute the following command:
user $ gpg --export-ssh-key KEY_ID
The key can be treated as a regular SSH key and can be used in Hetzner web forms.
Configuration of gpg-agent
It is necessary to tell gpg-agent which key to use for SSH. To do so, it is necessary to know the keygrip of the authentication key:
user $ gpg --list-keys --with-keygrip
Once the keygrip is known, gpg-agent can be informed (replace 7777777777777777777777777777777777777777 with the keygrip):
user $ gpg-connect-agent 'KEYATTR 7777777777777777777777777777777777777777 Use-for-ssh: true' /bye
gpg-agent will add the corresponding line to ~/.gnupg/private-keys-v1.d/<keygrip>.key, so the above actions need to be performed only once.
Next, it is necessary to tell SSH to use gpg-agent and run it if it is not already running:
~/.bashrc
export GPG_TTY=`tty`
export SSH_AUTH_SOCK=`gpgconf --list-dirs agent-ssh-socket`
gpg-connect-agent /bye 1>&- 2>&-
SSH does not inform gpg-agent which /dev/pts/<N> to use [4], so it should be done as below:
~/.ssh/config
Match host * exec "gpg-connect-agent updatestartuptty /bye"
The configuration will take effect after a reboot or after gpg-agent is safely [5] terminated:
user $ gpgconf --kill gpg-agent
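The steps above locate the keygrip by hand in the output of gpg --list-keys --with-keygrip and then paste it into the KEYATTR command. The following script is an added example (not part of the wiki page or of GnuPG) that does the same from gpg's machine-readable colon output: it picks every subkey whose capability field contains "a" (authentication) and registers its keygrip with gpg-agent. The sample colon output embedded below is constructed, with fake key IDs and keygrips; the function names are the example's own.

```shell
#!/bin/sh
# Added example: select the authentication subkey's keygrip from
# `gpg --list-keys --with-keygrip --with-colons` and mark it Use-for-ssh.

# Read colon-format key listings on stdin and print the keygrip of every
# subkey that has the "a" (authentication) capability. In the colon format a
# "sub" record's 12th field lists capabilities, and the "grp" record that
# follows it carries the keygrip in its 10th field.
auth_keygrips() {
    awk -F: '
        $1 == "sub" { want = ($12 ~ /a/); next }
        $1 == "grp" && want { print $10; want = 0 }
    '
}

# Constructed sample listing (fake IDs/keygrips): a primary key with one
# encryption subkey and one authentication subkey. Only the last keygrip
# must be selected.
SAMPLE='tru::1:1700000000:0:3:1:5
pub:u:255:22:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC:::::ed25519:::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1700000000::BBBB::Example User <user@example.invalid>::::::::::0:
sub:u:255:18:CCCCCCCCCCCCCCCC:1700000000::::::e:::::cv25519::
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
grp:::::::::2222222222222222222222222222222222222222:
sub:u:255:22:DDDDDDDDDDDDDDDD:1700000000::::::a:::::ed25519::
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:
grp:::::::::3333333333333333333333333333333333333333:'

# Run the selection over the constructed sample (used for offline checking).
sample_auth_keygrip() {
    printf '%s\n' "$SAMPLE" | auth_keygrips
}

# Register every authentication keygrip of the given key ID with the running
# gpg-agent; gpg-agent persists the attribute in
# ~/.gnupg/private-keys-v1.d/<keygrip>.key, so this is a one-time action.
register_for_ssh() {
    key_id=$1
    gpg --list-keys --with-keygrip --with-colons "$key_id" | auth_keygrips |
    while read -r grip; do
        gpg-connect-agent "KEYATTR $grip Use-for-ssh: true" /bye
    done
}

# Usage: register_for_ssh KEY_ID
```

register_for_ssh only touches the authentication subkey(s), so an encryption or signing subkey of the same primary key is never exposed to SSH by mistake; afterwards ssh-add -L (with SSH_AUTH_SOCK pointing at the gpg-agent socket as in the ~/.bashrc snippet above) should list exactly the exported key.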
UEFI
The cloud uses UEFI with the following entries:
root # efibootmgr
If the entries are deleted, they will be recreated after a reboot. The cloud supports the creation of new entries (tested with EFI stub).
Kernel
Boot options --->
(root=/dev/sda2 console=tty1 net.ifnames=0) Default kernel command string
Device Drivers --->
[*] PCI support --->
--- PCI support
[*] PCI Express Port Bus support
Device Drivers --->
[*] Virtio drivers --->
--- Virtio drivers
[*] PCI driver for virtio devices
[*] Virtio balloon driver
Device Drivers --->
Graphics support --->
[*] Direct Rendering Manager
[*] Enable legacy fbdev support for your modesetting driver
[*] Virtio GPU driver
[*] Virtio GPU driver modesetting support
Device Drivers --->
SCSI device support --->
[*] SCSI device support
[*] SCSI disk support
[*] SCSI low-level drivers --->
--- SCSI low-level drivers
[*] virtio-scsi support
Device Drivers --->
[*] Networking support --->
--- Network device support
[*] Network core driver support
[*] Virtio network driver
Device Drivers --->
[*] USB support --->
--- USB support
[*] Support for Host-side USB
[*] PCI based USB host interface
[*] xHCI HCD (USB 3.0) support
[*] HID bus support --->
--- HID bus support
-*- HID bus core support
[*] Generic HID driver
[*] USB HID support --->
[*] USB HID transport layer
Device Drivers --->
[*] Real Time Clock --->
[*] EFI RTC
Device Drivers --->
Character devices --->
-*- Hardware Random Number Generator Core support --->
--- Hardware Random Number Generator Core support
[*] VirtIO Random Number Generator support
ACPI (Advanced Configuration and Power Interface) Support --->
--- ACPI (Advanced Configuration and Power Interface) Support
[*] Button
acpid needs to be installed and enabled for the shutdown button to work.
Scripted Kernel Config
Since Hetzner Cloud is run on KVM virtual machines, we can take advantage of some default configurations included in the kernel source tree:
# Start from the arm64 defconfig and the KVM guest fragment shipped with the kernel.
make defconfig
make kvm_guest.config
# Drop drivers and subsystems that a Hetzner VM never uses.
for i in \
    DRM_NOUVEAU DRM_EXYNOS DRM_ROCKCHIP DRM_RCAR_DU DRM_RCAR_DW_HDMI DRM_RCAR_USE_LVDS \
    DRM_RCAR_USE_MIPI_DSI DRM_IMX_DCSS DRM_ETNAVIV DRM_HISI_HIBMC DRM_HISI_KIRIN DRM_MEDIATEK \
    DRM_MSM DRM_MXSFB DRM_MESON DRM_PL111 DRM_TIDSS DRM_LEGACY DRM_SUN4I DRM_TEGRA TEGRA_HOST1X \
    SCSI_UFSHCD FPGA RC_CORE NEW_LEDS CHROME_PLATFORMS SURFACE_PLATFORMS XEN_BLKDEV_FRONTEND \
    LOGO SOUND SLIMBUS SOUNDWIRE MEDIA_SUPPORT MMC BTRFS_FS OVERLAY_FS NFS_FS 9P_FS \
    SUSPEND HIBERNATION BLK_DEV_INITRD VIRTUALIZATION WLAN PINCTRL GPIOLIB PWM IPMI_HANDLER \
    CAN BT WIRELESS MD RFKILL NET_9P NFC SPI SPMI HWMON THERMAL IIO USB_NET_DRIVERS \
    XEN_NETDEV_FRONTEND ETHERNET QCOM_IPA REGULATOR STAGING SQUASHFS DEBUG_KERNEL XEN MODULES; do
    ./scripts/config --disable $i
done
# Built-in command line (the Kernel section above also passes console=tty1 and net.ifnames=0,
# which the hardware table lists as required).
./scripts/config --set-str CMDLINE "init=/usr/lib/systemd/systemd root=/dev/sda3 rootwait rootfstype=ext4"
make -j<n> Image
# Install the EFI stub at the removable-media fallback path (same directory as the copy target).
mkdir -p /efi/EFI/BOOT
cp -a /usr/src/linux/arch/arm64/boot/Image /efi/EFI/BOOT/BOOTAA64.EFI
Adapting init and root
Configuration
SSH
Check the Security Handbook to properly configure the SSH daemon. In the case of IPv6, ListenAddress requires the address to be surrounded by square brackets: ListenAddress [7777:777:7777:7777::1]:22 (:22 is an optional port). In case ListenAddress is specified, rc_need="net.eth0" must be added to /etc/conf.d/sshd, otherwise OpenRC will complain about it on boot. A system logger must be installed to track connection attempts.
SSH key
Before leaving the Rescue System, the SSH key should be copied to the installed system:
root # mkdir /mnt/gentoo/root/.ssh
root # chmod 700 /mnt/gentoo/root/.ssh
root # cp /root/.ssh/authorized_keys /mnt/gentoo/root/.ssh
root # chmod 600 /mnt/gentoo/root/.ssh/authorized_keys
Removal of unnecessary SSH host keys
Assuming that only Ed25519 is used, other host keys can be removed:
root # rm -rf /etc/ssh/ssh_host_ecdsa_key*
root # rm -rf /etc/ssh/ssh_host_rsa_key*
Disabling host key regeneration (OpenRC)
To prevent key regeneration, comment out or delete the following line in /etc/init.d/sshd:
${SSHD_KEYGEN_BINARY} -A || return 2
Restart the SSH daemon:
root # rc-service sshd restart
Check the result from the client machine:
user $ ssh-keyscan <SERVER IP>
There should only be one host key in the result.
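The check above is done by eye. The script below is an added example (not from the wiki page or from OpenSSH) that automates it: it parses ssh-keyscan output, lists the host key types found, and fails when anything other than ssh-ed25519 is advertised, so it can run from the client after the daemon restart or be kept as a recurring check. The two ssh-keyscan outputs embedded below are constructed samples (fake keys, documentation address 2001:db8::1); the function names are the example's own.

```shell
#!/bin/sh
# Added example: confirm from the client that a server advertises only
# Ed25519 host keys, based on `ssh-keyscan <SERVER IP>` output.

# Read ssh-keyscan output on stdin and print the distinct key types found.
# Lines starting with "#" are ssh-keyscan's banner comments (normally on
# stderr) and are skipped in case they were captured too.
host_key_types() {
    awk '$0 !~ /^#/ && NF >= 3 { print $2 }' | sort -u
}

# Return 0 when every advertised host key is ssh-ed25519, 1 otherwise.
# No keys at all is treated as a failure (host unreachable or sshd down).
only_ed25519() {
    types=$(host_key_types)
    [ -n "$types" ] || return 1
    [ "$(printf '%s\n' "$types" | grep -vc '^ssh-ed25519$')" -eq 0 ]
}

# Constructed sample: a server still carrying ECDSA and RSA host keys.
BEFORE='# 2001:db8::1:22 SSH-2.0-OpenSSH_9.6
2001:db8::1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampl
2001:db8::1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBExample
2001:db8::1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQExample'

# Constructed sample: the same server after the extra host keys were removed.
AFTER='2001:db8::1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampl'

check_before() { printf '%s\n' "$BEFORE" | only_ed25519; }
check_after()  { printf '%s\n' "$AFTER"  | only_ed25519; }

# Live check against a real server: check_live <SERVER IP>
check_live() { ssh-keyscan "$1" 2>/dev/null | only_ed25519; }
```

Because the check consumes ssh-keyscan's stdout, it reports what the server actually offers, not what /etc/ssh/sshd_config says; a regenerated key (for instance when the ${SSHD_KEYGEN_BINARY} line is still in the init script) shows up as an extra type on the next run.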
Network (IPv6 only)
Some services (like GitHub [6]) do not support IPv6, and to be able to use such services, it is necessary to use a DNS name server with NAT64 support instead of the official Hetzner name servers. To see a list of such public name servers, see this link.
Install Netifrc:
root #
emerge --ask net-misc/netifrc
Create the interface symlink:
root #
ln -s /etc/init.d/net.lo /etc/init.d/net.eth0
Enable the interface at boot:
root #
rc-update add net.eth0 default
Configure the static address by specifying:
- address (7777:777:7777:7777::1) - must be changed to the real IP (found above)
- gateway (fe80::1) - provided by Hetzner
- DNS name server(s) (2a01:4ff:ff00::add:1 and 2a01:4ff:ff00::add:2) - official Hetzner DNS name servers (third-party name servers can be used instead)
/etc/conf.d/net
config_eth0="7777:777:7777:7777::1/64"
routes_eth0="default via fe80::1"
dns_servers_eth0="2a01:4ff:ff00::add:1 2a01:4ff:ff00::add:2"
Troubleshooting
f0 respawning
The following message constantly appears in the VNC console:
INIT: Id "f0" respawning too fast: disabled for 5 minutes
To get rid of it, follow these steps.
jitterentropy initialization failure (unsolved issue)
Sometimes jitterentropy initialization fails on boot, but it doesn't cause the kernel to panic, just a failure message in the log. Since the error doesn't always appear, it's most likely a kernel bug. Other ARM machines seem to be affected too. [7] [8]
root # dmesg
[ 0.172340] jitterentropy: Initialization failed with host not compliant with requirements: 9
References
- [1] https://docs.hetzner.com/cloud/servers/faq/#how-can-i-get-a-custom-iso
- [2] https://docs.hetzner.com/cloud/servers/faq/#why-can-i-not-connect-to-my-ipv6-only-cloud-server
- [3] https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096
- [4] https://www.gnupg.org/documentation/manuals/gnupg/Common-Problems.html
- [5] https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html
- [6] https://github.com/orgs/community/discussions/10539
- [7] https://patchwork.yoctoproject.org/project/oe-core/patch/20231003122542.764073-1-ross.burton@arm.com/
- [8] https://lore.kernel.org/linux-arm-kernel/68c6b70a-8d6c-08b5-46ce-243607479d5c@i2se.com/T/