Hetzner Cloud (ARM64)
This page describes the installation process of Gentoo Linux on Hetzner Cloud with a shared virtual ARM processor (IPv6 only).
Hardware
It is better to purchase the cheapest machine (2 cores, 4 GB of RAM), as cloud servers can be upgraded but not downgraded (the SSD cannot be scaled down). A checkbox that allows keeping the disk size appears when upgrading the machine; if the disk size is kept, a later downgrade remains possible. The cheapest model compiles smoothly with MAKEOPTS="-j2 -l2".
Standard
Device | Make/model | Status | Vendor ID / Product ID | Kernel driver(s) | Kernel version | Notes |
---|---|---|---|---|---|---|
CPU | ARM Neoverse-N1 (QEMU) | Works | N/A | N/A | 6.6.13 | |
GPU | Red Hat, Inc. Virtio 1.0 GPU | Works | 1af4:1050 | virtio-pci | 6.6.13 | The kernel parameter console=tty1 is required. |
SSD | Red Hat, Inc. Virtio 1.0 SCSI | Works | 1af4:1048 | virtio-pci | 6.6.13 | |
Ethernet | Red Hat, Inc. Virtio 1.0 network device | Works | 1af4:1041 | virtio-pci | 6.6.13 | The kernel parameter net.ifnames=0 is required. |
Keyboard | QEMU USB Keyboard | Works | 0627:0001 | hid-generic usbhid | 6.6.13 | |
Detailed information
root #
lscpu
Architecture:             aarch64
  CPU op-mode(s):         32-bit, 64-bit
  Byte Order:             Little Endian
CPU(s):                   2
  On-line CPU(s) list:    0,1
Vendor ID:                ARM
  BIOS Vendor ID:         QEMU
  Model name:             Neoverse-N1
    BIOS Model name:      NotSpecified CPU @ 2.0GHz
    BIOS CPU family:      1
    Model:                1
    Thread(s) per core:   1
    Core(s) per socket:   2
    Socket(s):            1
    Stepping:             r3p1
    BogoMIPS:             50.00
    Flags:                fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp ssbs
NUMA:
  NUMA node(s):           1
  NUMA node0 CPU(s):      0,1
Vulnerabilities:
  Gather data sampling:   Not affected
  Itlb multihit:          Not affected
  L1tf:                   Not affected
  Mds:                    Not affected
  Meltdown:               Not affected
  Mmio stale data:        Not affected
  Retbleed:               Not affected
  Spec rstack overflow:   Not affected
  Spec store bypass:      Mitigation; Speculative Store Bypass disabled via prctl
  Spectre v1:             Mitigation; __user pointer sanitization
  Spectre v2:             Mitigation; CSV2, BHB
  Srbds:                  Not affected
  Tsx async abort:        Not affected
root #
lspci -nnk
00:00.0 Host bridge [0600]: Red Hat, Inc. QEMU PCIe Host bridge [1b36:0008]
	Subsystem: Red Hat, Inc. QEMU PCIe Host bridge [1af4:1100]
00:01.0 Display controller [0380]: Red Hat, Inc. Virtio 1.0 GPU [1af4:1050] (rev 01)
	Subsystem: Red Hat, Inc. Virtio 1.0 GPU [1af4:1100]
	Kernel driver in use: virtio-pci
	Kernel modules: virtio_pci
00:02.0 PCI bridge [0604]: Red Hat, Inc. QEMU PCIe Root port [1b36:000c]
	Subsystem: Red Hat, Inc. QEMU PCIe Root port [1b36:0000]
	Kernel driver in use: pcieport
00:02.1 PCI bridge [0604]: Red Hat, Inc. QEMU PCIe Root port [1b36:000c]
	Subsystem: Red Hat, Inc. QEMU PCIe Root port [1b36:0000]
	Kernel driver in use: pcieport
00:02.2 PCI bridge [0604]: Red Hat, Inc. QEMU PCIe Root port [1b36:000c]
	Subsystem: Red Hat, Inc. QEMU PCIe Root port [1b36:0000]
	Kernel driver in use: pcieport
00:02.3 PCI bridge [0604]: Red Hat, Inc. QEMU PCIe Root port [1b36:000c]
	Subsystem: Red Hat, Inc. QEMU PCIe Root port [1b36:0000]
	Kernel driver in use: pcieport
00:02.4 PCI bridge [0604]: Red Hat, Inc. QEMU PCIe Root port [1b36:000c]
	Subsystem: Red Hat, Inc. QEMU PCIe Root port [1b36:0000]
	Kernel driver in use: pcieport
00:02.5 PCI bridge [0604]: Red Hat, Inc. QEMU PCIe Root port [1b36:000c]
	Subsystem: Red Hat, Inc. QEMU PCIe Root port [1b36:0000]
	Kernel driver in use: pcieport
00:02.6 PCI bridge [0604]: Red Hat, Inc. QEMU PCIe Root port [1b36:000c]
	Subsystem: Red Hat, Inc. QEMU PCIe Root port [1b36:0000]
	Kernel driver in use: pcieport
00:02.7 PCI bridge [0604]: Red Hat, Inc. QEMU PCIe Root port [1b36:000c]
	Subsystem: Red Hat, Inc. QEMU PCIe Root port [1b36:0000]
	Kernel driver in use: pcieport
00:03.0 PCI bridge [0604]: Red Hat, Inc. QEMU PCIe Root port [1b36:000c]
	Subsystem: Red Hat, Inc. QEMU PCIe Root port [1b36:0000]
	Kernel driver in use: pcieport
00:04.0 Serial controller [0700]: Red Hat, Inc. QEMU PCI 16550A Adapter [1b36:0002] (rev 01)
	Subsystem: Red Hat, Inc. QEMU Virtual Machine [1af4:1100]
	Kernel driver in use: serial
01:00.0 Ethernet controller [0200]: Red Hat, Inc. Virtio 1.0 network device [1af4:1041] (rev 01)
	Subsystem: Red Hat, Inc. Virtio 1.0 network device [1af4:1100]
	Kernel driver in use: virtio-pci
	Kernel modules: virtio_pci
02:00.0 USB controller [0c03]: Red Hat, Inc. QEMU XHCI Host Controller [1b36:000d] (rev 01)
	Subsystem: Red Hat, Inc. QEMU XHCI Host Controller [1af4:1100]
	Kernel driver in use: xhci_hcd
03:00.0 Communication controller [0780]: Red Hat, Inc. Virtio 1.0 console [1af4:1043] (rev 01)
	Subsystem: Red Hat, Inc. Virtio 1.0 console [1af4:1100]
	Kernel driver in use: virtio-pci
	Kernel modules: virtio_pci
04:00.0 Unclassified device [00ff]: Red Hat, Inc. Virtio 1.0 memory balloon [1af4:1045] (rev 01)
	Subsystem: Red Hat, Inc. Virtio 1.0 memory balloon [1af4:1100]
	Kernel driver in use: virtio-pci
	Kernel modules: virtio_pci
05:00.0 Unclassified device [00ff]: Red Hat, Inc. Virtio 1.0 RNG [1af4:1044] (rev 01)
	Subsystem: Red Hat, Inc. Virtio 1.0 RNG [1af4:1100]
	Kernel driver in use: virtio-pci
	Kernel modules: virtio_pci
06:00.0 SCSI storage controller [0100]: Red Hat, Inc. Virtio 1.0 SCSI [1af4:1048] (rev 01)
	Subsystem: Red Hat, Inc. Virtio 1.0 SCSI [1af4:1100]
	Kernel driver in use: virtio-pci
	Kernel modules: virtio_pci
root #
lsusb -vt
/:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/4p, 5000M
    ID 1d6b:0003 Linux Foundation 3.0 root hub
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/4p, 480M
    ID 1d6b:0002 Linux Foundation 2.0 root hub
    |__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 480M
        ID 0627:0001 Adomax Technology Co., Ltd QEMU Tablet
    |__ Port 2: Dev 3, If 0, Class=Human Interface Device, Driver=usbhid, 480M
        ID 0627:0001 Adomax Technology Co., Ltd QEMU Tablet
root #
lsmod
Module                  Size  Used by
ipmi_ssif              24576  0
ipmi_devintf           20480  0
ipmi_msghandler        49152  2 ipmi_devintf,ipmi_ssif
sd_mod                 45056  0
t10_pi                 16384  1 sd_mod
crc64_rocksoft_generic 16384  1
sr_mod                 24576  0
cdrom                  32768  1 sr_mod
crc64_rocksoft         16384  1 t10_pi
crc64                  20480  2 crc64_rocksoft,crc64_rocksoft_generic
sg                     32768  0
sha2_ce                16384  0
sha256_arm64           24576  1 sha2_ce
virtio_scsi            20480  0
virtio_balloon         20480  0
virtio_rng             16384  0
virtio_console         28672  0
button                 16384  0
evdev                  20480  2
binfmt_misc            20480  1
jc42                   16384  0
regmap_i2c             16384  1 jc42
fuse                  106496  1
dm_mod                106496  0
configfs               36864  1
efivarfs               20480  1
qemu_fw_cfg            16384  0
ip_tables              24576  0
x_tables               28672  1 ip_tables
autofs4                28672  2
virtio_net             45056  0
net_failover           20480  1 virtio_net
failover               16384  1 net_failover
virtio_pci             24576  0
virtio_pci_legacy_dev  16384  1 virtio_pci
virtio_pci_modern_dev  16384  1 virtio_pci
virtio_mmio            16384  0
root #
dmidecode
# dmidecode 3.4
Getting SMBIOS data from sysfs.
SMBIOS 3.0.0 present.
Table at 0x135EC0000.

Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
    Vendor: Hetzner
    Version: 20171111
    Release Date: 11/11/2017
    Address: 0xE8000
    Runtime Size: 96 kB
    ROM Size: 64 kB
    Characteristics:
        BIOS characteristics not supported
        Targeted content distribution is supported
        UEFI is supported
        System is a virtual machine
    BIOS Revision: 1.0

Handle 0x0100, DMI type 1, 27 bytes
System Information
    Manufacturer: Hetzner
    Product Name: vServer
    Version: 20171111
    Serial Number: 43607703
    UUID: 5316b371-b196-4a2e-9bcd-3488e8f3e8a7
    Wake-up Type: Power Switch
    SKU Number: TM
    Family: Hetzner_vServer

Handle 0x0200, DMI type 2, 15 bytes
Base Board Information
    Manufacturer: KVM
    Product Name: KVM Virtual Machine
    Version: virt-6.2
    Serial Number: Not Specified
    Asset Tag: Not Specified
    Features:
        Board is a hosting board
    Location In Chassis: Not Specified
    Chassis Handle: 0x0300
    Type: Motherboard
    Contained Object Handles: 0

Handle 0x0300, DMI type 3, 22 bytes
Chassis Information
    Manufacturer: QEMU
    Type: Other
    Lock: Not Present
    Version: NotSpecified
    Serial Number: Not Specified
    Asset Tag: Not Specified
    Boot-up State: Safe
    Power Supply State: Safe
    Thermal State: Safe
    Security Status: Unknown
    OEM Information: 0x00000000
    Height: Unspecified
    Number Of Power Cords: Unspecified
    Contained Elements: 0
    SKU Number: Not Specified

Handle 0x0400, DMI type 4, 42 bytes
Processor Information
    Socket Designation: CPU 0
    Type: Central Processor
    Family: Other
    Manufacturer: QEMU
    ID: 00 00 00 00 00 00 00 00
    Version: NotSpecified
    Voltage: Unknown
    External Clock: Unknown
    Max Speed: 2000 MHz
    Current Speed: 2000 MHz
    Status: Populated, Enabled
    Upgrade: Other
    L1 Cache Handle: Not Provided
    L2 Cache Handle: Not Provided
    L3 Cache Handle: Not Provided
    Serial Number: Not Specified
    Asset Tag: Not Specified
    Part Number: Not Specified
    Core Count: 2
    Core Enabled: 2
    Thread Count: 1
    Characteristics: None

Handle 0x1000, DMI type 16, 23 bytes
Physical Memory Array
    Location: Other
    Use: System Memory
    Error Correction Type: Multi-bit ECC
    Maximum Capacity: 4000 MB
    Error Information Handle: Not Provided
    Number Of Devices: 1

Handle 0x1100, DMI type 17, 40 bytes
Memory Device
    Array Handle: 0x1000
    Error Information Handle: Not Provided
    Total Width: Unknown
    Data Width: Unknown
    Size: 4000 MB
    Form Factor: DIMM
    Set: None
    Locator: DIMM 0
    Bank Locator: Not Specified
    Type: RAM
    Type Detail: Other
    Speed: Unknown
    Manufacturer: QEMU
    Serial Number: Not Specified
    Asset Tag: Not Specified
    Part Number: Not Specified
    Rank: Unknown
    Configured Memory Speed: Unknown
    Minimum Voltage: Unknown
    Maximum Voltage: Unknown
    Configured Voltage: Unknown

Handle 0x2000, DMI type 32, 11 bytes
System Boot Information
    Status: No errors detected

Handle 0xFEFF, DMI type 127, 4 bytes
End Of Table
Installation
There is an installation script for Hetzner Cloud (AMD64, ARM64) provided by M1027, which might be useful in some circumstances.
Hetzner does not offer booting from a Gentoo installation disk (although it is possible to contact them to add a custom ISO to the menu [1]), but Gentoo can be installed from the Hetzner Rescue System, which is based on Debian, so it does not matter which distribution is chosen when creating the server. Before creating the server, it is wise to configure the firewall. Once the firewall is configured, create an SSH key (or a GPG key). The created key and firewall should be selected during the server creation process. After creating the server, go to the server menu, click on the Rescue tab and click on the button labeled Enable rescue & power cycle. Select the previously created SSH key from the list and click on the button labeled Enable rescue & power cycle. The server reboots into the Rescue System, and it is then possible to connect to it via SSH. The installation process is straightforward; Handbook:AMD64 is usable even for ARM virtual machines. The system should be installed on /dev/sda, which still contains the operating system chosen at creation, so the disk needs to be wiped.
In addition or alternatively to SSH, the VNC console can be used, which is free of charge (not to be confused with the KVM console, which is chargeable).
A swap file can be used instead of a swap partition to save disk space.
Hetzner Cloud Firewall
Hetzner provides a way to configure the Hetzner Cloud Firewall before server creation. The firewall is free of charge and allows creating a whitelist for incoming traffic, so only the allowed IP addresses can connect to the server. This is useful because the server is protected from attacks until it is ready for public release (or it can be kept completely private). The official guide can be used to configure the firewall.
If the cloud is purchased without IPv4 support, IPv6 addresses must be used in the whitelist.
Server IP address
The Networking tab shows the IPv6 address as 7777:777:7777:7777::/64, which is a bit confusing, since the address to connect to is 7777:777:7777:7777::1 (click on the button with the three dots to the right of the IP address and click Show Instructions to see it). Hetzner assigns the first address (::1) by default [2].
Usage of GPG keys instead of SSH keys
It is possible to use GnuPG to create and store authentication keys.
Client-side actions
GPG key generation
Generate a master key as described here and an authentication key as described here. The articles describe Ed25519, but RSA-4096 is also acceptable; however, moving past RSA-2048 makes some smartcards and other devices unusable. [3]
To export the public SSH key, execute the following command:
user $
gpg --export-ssh-key KEY_ID
The key can be treated as a regular SSH key and can be used in Hetzner web forms.
Configuration of gpg-agent
It is necessary to tell gpg-agent which key to use for SSH. To do so, it is necessary to know the keygrip of the authentication key:
user $
gpg --list-keys --with-keygrip
Once the keygrip is known, gpg-agent can be informed (replace 7777777777777777777777777777777777777777 with the keygrip):
user $
gpg-connect-agent 'KEYATTR 7777777777777777777777777777777777777777 Use-for-ssh: true' /bye
gpg-agent will add the corresponding line to ~/.gnupg/private-keys-v1.d/<keygrip>.key, so the above actions need to be performed only once.
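The step above requires picking the right keygrip by hand out of the gpg --list-keys output. The following script is an added example for this page (it is not part of the original article or of GnuPG): it parses the machine-readable --with-colons listing, selects the subkey carrying the authentication capability, validates the keygrip before it is handed to gpg-connect-agent, and builds exactly the KEYATTR command shown above. The listing embedded in the script is a constructed sample with placeholder key IDs, fingerprints and keygrips; nothing is applied to the real keyring unless APPLY_TO_REAL_GPG=1 (a variable name chosen for this example) is set.

```shell
#!/bin/sh
# Added example for this wiki page, not part of the original article or of GnuPG.
# It parses the output of
#   gpg --list-keys --with-keygrip --with-colons
# to find the keygrip of every subkey that carries the authentication ("a")
# capability, which is the keygrip the KEYATTR command above expects.
# The sample listing below is constructed; its key IDs, fingerprints and
# keygrips are placeholders, not real keys.

# Print the keygrip of each authentication-capable subkey, one per line.
# In --with-colons output, field 1 is the record type, field 12 of a "sub"
# record holds the lower-case capability letters of that subkey, and the
# "grp" record that follows a "sub" record carries its keygrip in field 10.
# Only subkeys are considered, as the page describes an authentication subkey.
auth_keygrips_from_colons() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "sub" && $12 ~ /a/  { want = 1; next }
        $1 == "pub" || $1 == "sub" { want = 0 }
        $1 == "grp" && want        { print $10; want = 0 }
    '
}

# A keygrip is 40 upper-case hexadecimal characters; refuse anything else
# before passing it to gpg-connect-agent.
is_keygrip() {
    printf '%s' "$1" | grep -Eq '^[0-9A-F]{40}$'
}

# Build the KEYATTR command from the page for a given keygrip.
keyattr_command() {
    is_keygrip "$1" || return 1
    printf 'KEYATTR %s Use-for-ssh: true' "$1"
}

# Constructed sample of --with-colons output: a certify-only primary key with
# a signing subkey, an authentication subkey and an encryption subkey.
SAMPLE_COLONS='tru::1:1700000000:0:3:1:5
pub:u:255:22:0000000000000001:1700000000:::u:::c::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1700000000::00000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:u:255:22:0000000000000002:1700000000::::::s::::::23:
fpr:::::::::0000000000000000000000000000000000000002:
grp:::::::::2222222222222222222222222222222222222222:
sub:u:255:22:0000000000000003:1700000000::::::a::::::23:
fpr:::::::::0000000000000000000000000000000000000003:
grp:::::::::3333333333333333333333333333333333333333:
sub:u:255:18:0000000000000004:1700000000::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000004:
grp:::::::::4444444444444444444444444444444444444444:'

# Dry run on the sample: show which keygrip would be enabled for SSH.
for grip in $(auth_keygrips_from_colons "$SAMPLE_COLONS"); do
    echo "would run: gpg-connect-agent '$(keyattr_command "$grip")' /bye"
done

# Only when explicitly requested, apply the same selection to the real keyring.
if [ "${APPLY_TO_REAL_GPG:-0}" = "1" ]; then
    for grip in $(auth_keygrips_from_colons "$(gpg --list-keys --with-keygrip --with-colons)"); do
        gpg-connect-agent "$(keyattr_command "$grip")" /bye
    done
fi
```

Run it once without the variable to see the dry run, then with APPLY_TO_REAL_GPG=1 to perform the one-time KEYATTR step; the keygrip check prevents a mis-copied or truncated value from reaching gpg-agent.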
Next, it is necessary to tell SSH to use gpg-agent and run it if it is not already running:
# Tell pinentry which terminal to use
export GPG_TTY=$(tty)
# Point SSH at the agent socket provided by gpg-agent
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
# Start gpg-agent if it is not already running (output is discarded)
gpg-connect-agent /bye 1>&- 2>&-
SSH does not inform gpg-agent which /dev/pts/<N> to use [4], so it should be done as below:
Match host * exec "gpg-connect-agent updatestartuptty /bye"
The configuration will take effect after a reboot or after gpg-agent is safely [5] terminated:
user $
gpgconf --kill gpg-agent
UEFI
The cloud uses UEFI with the following entries:
root #
efibootmgr
BootCurrent: 0004
BootOrder: 0004,0005,0006,0007,0003,0001,0000,0002,0008
Boot0000* UiApp
Boot0001* UEFI QEMU QEMU CD-ROM
Boot0002* UEFI Misc Device
Boot0003* UEFI QEMU QEMU HARDDISK
Boot0004* UEFI PXEv4 (MAC:96000308A34D)
Boot0005* UEFI PXEv6 (MAC:96000308A34D)
Boot0006* UEFI HTTPv4 (MAC:96000308A34D)
Boot0007* UEFI HTTPv6 (MAC:96000308A34D)
Boot0008* EFI Internal Shell
If the entries are deleted, they will be recreated after a reboot. The cloud supports the creation of new entries (tested with EFI stub).
Kernel
Boot options --->
(root=/dev/sda2 console=tty1 net.ifnames=0) Default kernel command string
Device Drivers --->
[*] PCI support --->
--- PCI support
[*] PCI Express Port Bus support
Device Drivers --->
[*] Virtio drivers --->
--- Virtio drivers
[*] PCI driver for virtio devices
[*] Virtio balloon driver
Device Drivers --->
Graphics support --->
[*] Direct Rendering Manager
[*] Enable legacy fbdev support for your modesetting driver
[*] Virtio GPU driver
[*] Virtio GPU driver modesetting support
Device Drivers --->
SCSI device support --->
[*] SCSI device support
[*] SCSI disk support
[*] SCSI low-level drivers --->
--- SCSI low-level drivers
[*] virtio-scsi support
Device Drivers --->
[*] Networking support --->
--- Network device support
[*] Network core driver support
[*] Virtio network driver
Device Drivers --->
[*] USB support --->
--- USB support
[*] Support for Host-side USB
[*] PCI based USB host interface
[*] xHCI HCD (USB 3.0) support
[*] HID bus support --->
--- HID bus support
-*- HID bus core support
[*] Generic HID driver
[*] USB HID support --->
[*] USB HID transport layer
Device Drivers --->
[*] Real Time Clock --->
[*] EFI RTC
Device Drivers --->
Character devices --->
-*- Hardware Random Number Generator Core support --->
--- Hardware Random Number Generator Core support
[*] VirtIO Random Number Generator support
ACPI (Advanced Configuration and Power Interface) Support --->
--- ACPI (Advanced Configuration and Power Interface) Support
[*] Button
acpid needs to be installed and enabled for the shutdown button to work.
Scripted Kernel Config
Since Hetzner Cloud is run on KVM virtual machines, we can take advantage of some default configurations included in the kernel source tree:
# Start from the arm64 defconfig plus the KVM guest fragment
make defconfig
make kvm_guest.config
# Switch off drivers and subsystems that do not exist in a Hetzner KVM guest
for i in \
    DRM_NOUVEAU \
    DRM_EXYNOS \
    DRM_ROCKCHIP \
    DRM_RCAR_DU \
    DRM_RCAR_DW_HDMI \
    DRM_RCAR_USE_LVDS \
    DRM_RCAR_USE_MIPI_DSI \
    DRM_IMX_DCSS \
    DRM_ETNAVIV \
    DRM_HISI_HIBMC \
    DRM_HISI_KIRIN \
    DRM_MEDIATEK \
    DRM_MSM \
    DRM_MXSFB \
    DRM_MESON \
    DRM_PL111 \
    DRM_TIDSS \
    DRM_LEGACY \
    DRM_SUN4I \
    DRM_TEGRA \
    TEGRA_HOST1X \
    SCSI_UFSHCD \
    FPGA \
    RC_CORE \
    NEW_LEDS \
    CHROME_PLATFORMS \
    SURFACE_PLATFORMS \
    XEN_BLKDEV_FRONTEND \
    LOGO \
    SOUND \
    SLIMBUS \
    SOUNDWIRE \
    MEDIA_SUPPORT \
    MMC \
    BTRFS_FS \
    OVERLAY_FS \
    NFS_FS \
    9P_FS \
    SUSPEND \
    HIBERNATION \
    BLK_DEV_INITRD \
    VIRTUALIZATION \
    WLAN \
    PINCTRL \
    GPIOLIB \
    PWM \
    IPMI_HANDLER \
    CAN \
    BT \
    WIRELESS \
    MD \
    RFKILL \
    NET_9P \
    NFC \
    SPI \
    SPMI \
    HWMON \
    THERMAL \
    IIO \
    USB_NET_DRIVERS \
    XEN_NETDEV_FRONTEND \
    ETHERNET \
    QCOM_IPA \
    REGULATOR \
    STAGING \
    SQUASHFS \
    DEBUG_KERNEL \
    XEN \
    MODULES; do
    ./scripts/config --disable $i
done
# Built-in command line (the Hardware section above lists console=tty1 and net.ifnames=0 as required)
./scripts/config --set-str CMDLINE "init=/usr/lib/systemd/systemd root=/dev/sda3 rootwait rootfstype=ext4"
make -j<n> Image
# Install the kernel as the default EFI stub in the ESP mounted at /efi
mkdir -p /efi/EFI/BOOT
cp -a /usr/src/linux/arch/arm64/boot/Image /efi/EFI/BOOT/BOOTAA64.EFI
Adapting init and root
Configuration
SSH
Check the Security Handbook to properly configure the SSH daemon. In the case of IPv6, ListenAddress requires the address to be surrounded by square brackets: ListenAddress [7777:777:7777:7777::1]:22 (:22 is an optional port). If ListenAddress is specified, rc_need="net.eth0" must be added to /etc/conf.d/sshd, otherwise OpenRC will complain about it on boot. A system logger must be installed to track connection attempts.
SSH key
Before leaving the Rescue System, the SSH key should be copied to the installed system:
root #
mkdir /mnt/gentoo/root/.ssh
root #
chmod 700 /mnt/gentoo/root/.ssh
root #
cp /root/.ssh/authorized_keys /mnt/gentoo/root/.ssh
root #
chmod 600 /mnt/gentoo/root/.ssh/authorized_keys
Removal of unnecessary SSH host keys
Assuming that only Ed25519 is used, other host keys can be removed:
root #
rm -rf /etc/ssh/ssh_host_ecdsa_key*
root #
rm -rf /etc/ssh/ssh_host_rsa_key*
Disabling host key regeneration (OpenRC)
To prevent key regeneration, comment out or delete the following line in /etc/init.d/sshd:
${SSHD_KEYGEN_BINARY} -A || return 2
Restart the SSH daemon:
root #
rc-service sshd restart
Check the result from the client machine:
user $
ssh-keyscan <SERVER IP>
There should only be one host key in the result.
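The copy-and-chmod sequence and the host key removal above can be done with the functions below, an added example for this page rather than the article's own commands. Both functions take the target root or directory as a parameter, so the same code can be run against /mnt/gentoo from the Rescue System and, as done at the end of the script, against a scratch directory holding constructed placeholder files to confirm that only the ed25519 host key survives and that the permissions match the page. The mode_of helper assumes GNU stat (with a BSD stat fallback) and is only used for that self-check.

```shell
#!/bin/sh
# Added example for this wiki page (not the original article's commands).
# install_root_authorized_keys and prune_host_keys take the target location
# as a parameter, so they can be run against /mnt/gentoo from the Rescue
# System or, as below, against a scratch directory to check the result.

# Copy an authorized_keys file into <root>/root/.ssh with the permissions the
# page requires: 700 on the directory, 600 on the file. Fails if the source
# file is missing instead of silently creating an empty directory.
install_root_authorized_keys() {
    src=$1
    root=$2
    [ -f "$src" ] || return 1
    install -d -m 700 "$root/root/.ssh" || return 1
    install -m 600 "$src" "$root/root/.ssh/authorized_keys"
}

# Remove every host key pair in <dir> except the type to keep (ed25519 by
# default), mirroring the rm commands above without hard-coding the list of
# key types to delete.
prune_host_keys() {
    dir=$1
    keep=${2:-ed25519}
    for f in "$dir"/ssh_host_*_key "$dir"/ssh_host_*_key.pub; do
        [ -e "$f" ] || continue
        case $f in
            */ssh_host_"$keep"_key|*/ssh_host_"$keep"_key.pub) ;;
            *) rm -f "$f" ;;
        esac
    done
}

# Count the private host keys left in <dir>; the page expects exactly one,
# which is what ssh-keyscan from the client should also show.
count_host_keys() {
    n=0
    for f in "$1"/ssh_host_*_key; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Octal permission bits of a path (GNU stat, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Self-check in a scratch directory with constructed placeholder files:
# a fake authorized_keys from the "rescue" side and three empty host key pairs.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/rescue" "$demo_dir/target/etc/ssh"
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA user@example" > "$demo_dir/rescue/authorized_keys"
install_root_authorized_keys "$demo_dir/rescue/authorized_keys" "$demo_dir/target"
for t in rsa ecdsa ed25519; do
    : > "$demo_dir/target/etc/ssh/ssh_host_${t}_key"
    : > "$demo_dir/target/etc/ssh/ssh_host_${t}_key.pub"
done
prune_host_keys "$demo_dir/target/etc/ssh"
echo "host keys left in scratch dir: $(count_host_keys "$demo_dir/target/etc/ssh")"
echo ".ssh mode: $(mode_of "$demo_dir/target/root/.ssh"), authorized_keys mode: $(mode_of "$demo_dir/target/root/.ssh/authorized_keys")"
```

On the real system the calls are install_root_authorized_keys /root/.ssh/authorized_keys /mnt/gentoo and prune_host_keys /mnt/gentoo/etc/ssh; pass a second argument to prune_host_keys to keep a different key type.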
Network (IPv6 only)
Some services (like GitHub [6]) do not support IPv6; to use them, a DNS name server with NAT64 support must be used instead of the official Hetzner name servers. To see a list of such public name servers, see this link.
Install Netifrc:
root #
emerge --ask net-misc/netifrc
Create the interface symlink:
root #
ln -s /etc/init.d/net.lo /etc/init.d/net.eth0
Enable the interface at boot:
root #
rc-update add net.eth0 default
Configure the static address in /etc/conf.d/net by specifying:
- address (7777:777:7777:7777::1) - must be changed to the real IP (found above)
- gateway (fe80::1) - provided by Hetzner
- DNS name server(s) (2a01:4ff:ff00::add:1 and 2a01:4ff:ff00::add:2) - official Hetzner DNS name servers (third-party name servers can be used instead)
config_eth0="7777:777:7777:7777::1/64"
routes_eth0="default via fe80::1"
dns_servers_eth0="2a01:4ff:ff00::add:1 2a01:4ff:ff00::add:2"
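The three lines above are easy to get wrong in exactly the way the Server IP address section describes: copying the /64 network address from the Networking tab instead of the ::1 host address. The script below is an added example for this page (not part of the article or of netifrc): it renders the stanza from the panel values and rejects the network address, a prefix length pasted into the address, or anything that is not an IPv6 literal. The addresses it runs on are the page's placeholders, not a real server.

```shell
#!/bin/sh
# Added example for this wiki page, not part of the original article or of
# netifrc. It renders the /etc/conf.d/net lines above from the values shown
# in the Hetzner panel and refuses the mistake described in the "Server IP
# address" section: passing the /64 network address ("...::") instead of the
# "...::1" host address. The addresses below are the page's placeholders.

# Exit status 0 if $1 looks like an IPv6 address usable here: hexadecimal
# groups and colons only, and not ending in "::" (that is the network address
# of the /64, which the server does not answer on).
check_host_address() {
    case $1 in
        *[!0-9a-fA-F:]*) return 1 ;;   # anything but hex digits and colons (e.g. a "/64" suffix)
        *::)             return 1 ;;   # network address, e.g. 7777:777:7777:7777::
        *:*)             return 0 ;;
        *)               return 1 ;;
    esac
}

# Print the netifrc stanza for eth0: <address>/64, default route via the
# link-local gateway, and a space-separated DNS server list.
# Usage: render_netifrc_eth0 <address> <gateway> <dns1> [<dns2> ...]
render_netifrc_eth0() {
    [ $# -ge 3 ] || return 1
    addr=$1
    gw=$2
    shift 2
    check_host_address "$addr" || return 1
    check_host_address "$gw" || return 1
    printf 'config_eth0="%s/64"\n' "$addr"
    printf 'routes_eth0="default via %s"\n' "$gw"
    printf 'dns_servers_eth0="%s"\n' "$*"
}

# Demonstration with the page's placeholder address and Hetzner's name servers:
# the first call prints the stanza, the second is rejected because the network
# address was given instead of the host address.
render_netifrc_eth0 7777:777:7777:7777::1 fe80::1 2a01:4ff:ff00::add:1 2a01:4ff:ff00::add:2
if ! render_netifrc_eth0 7777:777:7777:7777:: fe80::1 2a01:4ff:ff00::add:1; then
    echo "rejected: 7777:777:7777:7777:: is the /64 network address, use ...::1" >&2
fi
```

To write the stanza for a real server, redirect the output of render_netifrc_eth0 to /etc/conf.d/net with the address from Show Instructions and, if NAT64 is needed, the third-party name servers in place of the Hetzner ones.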
Troubleshooting
f0 respawning
The following message constantly appears in the VNC console:
INIT: Id "f0" respawning too fast: disabled for 5 minutes
To get rid of it, follow these steps.
jitterentropy initialization failure (unsolved issue)
Sometimes jitterentropy initialization fails on boot. It does not cause a kernel panic, only a failure message in the log. Since the error does not always appear, it is most likely a kernel bug; other ARM machines seem to be affected too. [7] [8]
root #
dmesg
[ 0.172340] jitterentropy: Initialization failed with host not compliant with requirements: 9
See also
References
1. https://docs.hetzner.com/cloud/servers/faq/#how-can-i-get-a-custom-iso
2. https://docs.hetzner.com/cloud/servers/faq/#why-can-i-not-connect-to-my-ipv6-only-cloud-server
3. https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096
4. https://www.gnupg.org/documentation/manuals/gnupg/Common-Problems.html
5. https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html
6. https://github.com/orgs/community/discussions/10539
7. https://patchwork.yoctoproject.org/project/oe-core/patch/20231003122542.764073-1-ross.burton@arm.com/
8. https://lore.kernel.org/linux-arm-kernel/68c6b70a-8d6c-08b5-46ce-243607479d5c@i2se.com/T/