Debain 4.0 Etch AMD 64 X2 Server from Hetzner
Posted: | 2007-11-09 19:07 |
---|---|
Tags: | Debian, Hardware, Virtulization, Hosting |
I bought a new server from Hetzner (German) on Sunday 4th November and on the evening of the 5th I received my sign in details by email in both German and English for the server, already installed with the 64bit version of Debian Etch. This post documents my progress setting it up.
Exploring the Control Panel
The first email you get gives you a sign in to the Hetzner control panel (they call it Robot). Everything is in German but here are some translations of the interface (thanks to Google Translate):
Verwaltung Administration Sicherheit Security E-Mail-Adressen Emails Support-Anfragen Support requests Status-Benachrichtigung Status Notification Newsletter Newsletter RIPE-Registration RIPE-Registration Rechnungen Bills Offene Posten Open Item Traffic-Statistik Traffic Statistics Traffic-Limit-Reporting Traffic limit Reporting Tagesbericht Daily Report Monatsbericht Monthly Report Jahresbericht Annual Report Leistungsübersicht Performance Overview Resetaufträge Reset orders Rescuesystem Rescue System VNC-Installation VNC-Installation neuen Server bestellen New server order Separater Admin-Zugang Separate Admin Access Reverse-DNS-Einträge Reverse-DNS Eintrag anlegen Entry Eintrag löschen Delete Entry Dokumentation Documentation Daten-Export-Schnittstelle Data Export interface
Perhaps the two most useful entries are Resetaufträge and Rescuesystem. The Resetaufträge page gives you three main options:
``Automatischen Hardware-Reset auslösen`` - Perform an automatic hardware reset.
STRG+ALT+ENTF an den Server senden - Send a CTRL+ALT+DEL signal to the server
Manuellen Hardware-Reset beauftragen - Request a member of the Hetzner staff manually reboot your server.
There is a warning with this last one which translates as:
Please note that manual Hardware-Resets only during our business hours, Monday through Friday 6:30-22:45 pm, Saturday 10-17 hours delay Edited. Outside of business hours, you can Robot menu under "support requests" our 24-h-Rufbereitschaft contact. Also available in the Guide for support operations valuable information.
I'm not sure if there is a charge for the manual reset.
The Rescuesystem sets up a config file for 5 minutes so that if you server reboots it will boot over the network using DHCP into a Hetzner-specific rescue system as long as you have a modern machine (mine was bought in November 2007 and works perfectly). The message translates as:
When activating the rescue system is a DHCP server on our configuration file. When rebooted your server will be booted from the network grabs this configuration file for the rescue system and loads a minimal base system from our TFTP. You can rescue the system will use as long as you need it. The order for the rescue system remains 5 minutes activated. If you then reboot your server will return your usual system of hard.
Caution:
Whether your server about the rescue system can boot depends on whether the network card on the server network is set to boot. This is only the latest in servers as a default by us so. If it is still not set, the server after activating the rescue system at the next reboot with the existing system from the hard disks. Should your server will be converted, then send an e-mail to support@hetzner.de or if you know where your server is equal to the appropriate data center. Indicate whether the change immediately, or at any time any of us can be carried out or by appointment only. The conversion is associated with down-time of about 5 minutes. We ask for your understanding if it in the handling of the changeover contracts to small delays can occur.
You have to choose whether to use the 32bit or 64bit system and then when you clcik the Aktivieren button the rescue system config is set up and you are given a password you'll need to login then if you reboot your server within 5 mins you will be booted in to the rescue system. Very handy.
It is well worth reading the help files (in this case run through Google translate) for more information about the Hetzner setup.
Checking the Stats
Here are some stats showing what a fresh setup looks like:
Debian-40-etch-64-minimal:~# df -h Filesystem Size Used Avail Use% Mounted on /dev/sda2 365G 520M 346G 1% / tmpfs 2.0G 0 2.0G 0% /lib/init/rw udev 10M 36K 10M 1% /dev tmpfs 2.0G 0 2.0G 0% /dev/shm Debian-40-etch-64-minimal:~# cat /etc/issue Debian GNU/Linux 4.0 \n \l Debian-40-etch-64-minimal:~# uname -a Linux Debian-40-etch-64-minimal 2.6.18-5-amd64 #1 SMP Tue Oct 2 20:37:02 UTC 2007 x86_64 GNU/Linux Debian-40-etch-64-minimal:~# free -m total used free shared buffers cached Mem: 3926 73 3853 0 12 19 -/+ buffers/cache: 41 3885 Swap: 2055 0 2055
These commands show I'm using Debian 4.0 with a 364Gb hard disk on an AMD 64 machine and that I have 3853Mb of free RAM, using only 73Mb in total.
Re-Installing The Operating System
The first time I tried to setup the server with Xen it all went horribly wrong. This is because Xen expects Grub to be present but the default Hetzner Etch AMD64 image comes with Lilo. I tried removing lilo and setting up grub manually but to no avail although I did learn a lot about Grub as a result of my experiments and can recommend this excellent guide to grub.
Following the instructions in the previous section I initialed the rescue system, rebooted and then used SSH to connect. Since this isn't the same install you get an error from your SSH client until you remove the existing host from the known hosts file on your local machine:
james@dirac:~$ ssh root@doppler.3aims.com @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is 50:10:6b:5f:dc:e7:45:17:73:00:d0:50:f0:0e:48:be. Please contact your system administrator. Add correct host key in /home/james/.ssh/known_hosts to get rid of this message. Offending key in /home/james/.ssh/known_hosts:1 RSA host key for doppler.3aims.com has changed and you have requested strict checking. Host key verification failed.
Sign in as root with the password you got after clicking Aktivieren. Once you are in you see this:
Linux rescue 2.6.22.2 #2 SMP Tue Aug 28 09:28:15 CEST 2007 x86_64 ------------------------------------------------------------------ Welcome to the Hetzner Rescue System. This Rescue System is based on Debian 4.0 (etch) with a newer kernel. You can install software like in a normal system. To install a new operating system from one of our prebuilt images, run 'installimage' and follow the instructions. For more information take a look at http://wiki.hetzner.de ------------------------------------------------------------------ root@rescue ~ #
I ran the install script installimage choosing 64bit Debian 4.0 Etch and then editing the following settings in the config file:
- FORMATDRIVE2 = 1
- This sets up the second hard drive so you can actually use it.
- BOOTLOADER = grub
- This sets up the bootloader to use grub so that you can install Xen.
When you're done the install sets to work:
Hetzner Online AG - installimage #~ server will be installed now. this will take a few minutes. #~ you can abort at any time with CTRL+C .. #~ ( init) ~ reading vars... [ OK ] #~ ( 1/11) ~ deleting partitions... [ OK ] #~ ( 2/11) ~ creating partitions and fstab... [ OK ] #~ ( 3/11) ~ formatting partitions... [ OK ] #~ ( 4/11) ~ mounting partitions... [ OK ] #~ ( 5/11) ~ extracting imagefile from local... [ OK ] #~ ( 6/11) ~ setting up network config for eth0... [ OK ] #~ ( 7/11) ~ chrooting some commands... [ OK ] #~ ( 8/11) ~ clearing logfiles... [ OK ] #~ ( 9/11) ~ setting up some files... [ OK ] #~ (10/11) ~ setting up rootpassword... [ OK ] #~ (11/11) ~ setting up bootloader grub... [ OK ] #~~~ INSTALLATION COMPLETE ~~~# you may now reboot into your new system you can login to your new system with the same password as you logged in into the rescue system root@rescue ~ #
When you type reboot the server reboots back into a new Debian Etch install, this time using Grub and with the second hard disk available.
Installing Xen
Now that we have grub set up, installing Xen is as simple as entering two commands:
apt-get install xen-linux-system-2.6.18-4-xen-amd64 reboot
The OS will then reboot into the Xen DomU. You'll probably want the 5 free IP addresses Hetzner offer so that each Xen virtual machine can have its own IP address. You can request them from the Support-Anfragen section of the control panel. Choose the Subnetze für DS2000/DS3000/DS5000/DS7000/DS8000/DS9000 beantragen option.
According to this article about Xen on Hetzner you cannot use bridging on Hetzner. Instead you have to use routing via DomU.
Edit /etc/xen/xend-config.sxp so that it only contains these lines:
# -*- sh -*- (network-script network-route) (vif-script vif-route)
Restart xend:
/etc/init.d/xend restart
According to this page you will also need to run this command:
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
Xen is now setup ready for you to create some images.
Checking the Stats Again
Here are some stats showing what the new Xen setup looks like:
Debian-40-etch-64-minimal:~# df -h Filesystem Size Used Avail Use% Mounted on /dev/sda2 365G 612M 346G 1% / tmpfs 1.7G 0 1.7G 0% /lib/init/rw udev 10M 36K 10M 1% /dev tmpfs 1.7G 0 1.7G 0% /dev/shm Debian-40-etch-64-minimal:~# cat /etc/issue Debian GNU/Linux 4.0 \n \l Debian-40-etch-64-minimal:~# uname -a Linux Debian-40-etch-64-minimal 2.6.18-4-xen-amd64 #1 SMP Fri May 4 02:40:51 UTC 2007 x86_64 GNU/Linux Debian-40-etch-64-minimal:~# free -m total used free shared buffers cached Mem: 3366 200 3165 0 1 15 -/+ buffers/cache: 182 3183 Swap: 2055 0 2055 Debian-40-etch-64-minimal:~# fdisk -l Disk /dev/sda: 400.0 GB, 400088457216 bytes 255 heads, 63 sectors/track, 48641 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes Device Boot Start End Blocks Id System /dev/sda1 1 262 2104514+ 82 Linux swap / Solaris /dev/sda2 263 48641 388604317+ 83 Linux Disk /dev/sdb: 400.0 GB, 400088457216 bytes 255 heads, 63 sectors/track, 48641 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes Device Boot Start End Blocks Id System
As you can see, using Xen takes a bit more memory but it doesn't look like the second disk has any paritions or has been formatted by the Hetzner install after all.
Mounting the Other Hard Disk
Let's create a partition:
Debian-40-etch-64-minimal:~# fdisk -u /dev/sdb The number of cylinders for this disk is set to 48641. There is nothing wrong with that, but this is larger than 1024, and could in certain setups cause problems with: 1) software that runs at boot time (e.g., old versions of LILO) 2) booting and partitioning software from other OSs (e.g., DOS FDISK, OS/2 FDISK) Command (m for help): n Command action e extended p primary partition (1-4) p Partition number (1-4): 1 First sector (63-781422767, default 63): Using default value 63 Last sector or +size or +sizeM or +sizeK (63-781422767, default 781422767): Using default value 781422767 Command (m for help): w The partition table has been altered! Calling ioctl() to re-read partition table. Syncing disks.
And then format it using an ext3 filesystem:
Debian-40-etch-64-minimal:~# /sbin/mkfs -t ext3 /dev/sdb1 mke2fs 1.40-WIP (14-Nov-2006) Filesystem label= OS type: Linux Block size=4096 (log=2) Fragment size=4096 (log=2) 48840704 inodes, 97677838 blocks 4883891 blocks (5.00%) reserved for the super user First data block=0 Maximum filesystem blocks=4294967296 2981 block groups 32768 blocks per group, 32768 fragments per group 16384 inodes per group Superblock backups stored on blocks: 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968 Writing inode tables: done Creating journal (32768 blocks): done Writing superblocks and filesystem accounting information: done This filesystem will be automatically checked every 37 mounts or 180 days, whichever comes first. Use tune2fs -c or -i to override.
Add this line to /etc/fstab:
/dev/sdb1 /mount/sdb1 ext3 defaults 0 0
Then mount the partition:
mkdir /mount mkdir /mount/sdb1 mount /dev/sdb1
Checking the stats again we have:
Debian-40-etch-64-minimal:~# fdisk -l Disk /dev/sda: 400.0 GB, 400088457216 bytes 255 heads, 63 sectors/track, 48641 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes Device Boot Start End Blocks Id System /dev/sda1 1 262 2104514+ 82 Linux swap / Solaris /dev/sda2 263 48641 388604317+ 83 Linux Disk /dev/sdb: 400.0 GB, 400088457216 bytes 255 heads, 63 sectors/track, 48641 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes Device Boot Start End Blocks Id System /dev/sdb1 1 48642 390711352+ 83 Linux Debian-40-etch-64-minimal:~# df -h Filesystem Size Used Avail Use% Mounted on /dev/sda2 365G 612M 346G 1% / tmpfs 1.7G 0 1.7G 0% /lib/init/rw udev 10M 40K 10M 1% /dev tmpfs 1.7G 0 1.7G 0% /dev/shm /dev/sdb1 367G 195M 348G 1% /mount/sdb1 Much better, 674Gb free space.
Setting up Domain and Host Names
All my machines have hostnames named after famous Physicists so this one is doppler.3aims.com named after Christian Doppler. I set up its DNS entries through the DynDNS control panel as follows:
doppler.3aims.com. 1440 A 78.46.35.5
Then I SSH'd into the machine, set a new root password and changed /etc/hostname to doppler and replaced the line after localhost with this in /etc/hosts:
78.46.35.5 doppler doppler.3aims.com
You then run hostname doppler to save yourself a reboot. More info on etch hostnames here:
Debian-40-etch-64-minimal:~# vim /etc/hostname Debian-40-etch-64-minimal:~# vim /etc/hosts Debian-40-etch-64-minimal:~# hostname doppler
All good so far.
Basic Configuration
Rather than doing everything as root it is best to add a normal user account and grant sudo privileges:
Debian-40-etch-64-minimal:~# apt-get install sudo Debian-40-etch-64-minimal:~# adduser james Adding user `james' ... Adding new group `james' (1000) ... Adding new user `james' (1000) with group `james' ... Creating home directory `/home/james' ... Copying files from `/etc/skel' ... Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully Changing the user information for james Enter the new value, or press ENTER for the default Full Name []: James Gardner Room Number []: Work Phone []: Home Phone []: Other []: Is the information correct? [y/N] y
You can then grant privileges with the visudo command and at the end of the file add james ALL=(ALL) ALL then become james with su james.
Now you can become james with su james. Notice that the Bash prompt will now pick up the hostname change:
Debian-40-etch-64-minimal:~# su james james@doppler:/root$
Locales
The first thing to set up are locales before you install any extra packages:
$ sudo dpkg-reconfigure locales
I chose en_GB.UTF-8 UTF-8 and also left en_US.ISO-8859-15 ISO-8859-15 selected too, choosing en_GB.UTF-8 UTF-8 as the default.
Timezones
The default setup has the German timezone. Lets change that to UTC:
james@doppler:/root$ sudo tzconfig Your current time zone is set to Europe/Berlin Do you want to change that? [n]: y Please enter the number of the geographic area in which you live: 1) Africa 7) Australia 2) America 8) Europe 3) US time zones 9) Indian Ocean 4) Canada time zones 10) Pacific Ocean 5) Asia 11) Use System V style time zones 6) Atlantic Ocean 12) None of the above Then you will be shown a list of cities which represent the time zone in which they are located. You should choose a city in your time zone. Number: 8 Amsterdam Andorra Athens Belfast Belgrade Berlin Bratislava Brussels Bucharest Budapest Chisinau Copenhagen Dublin Gibraltar Guernsey Helsinki Isle_of_Man Istanbul Jersey Kaliningrad Kiev Lisbon Ljubljana London Luxembourg Madrid Malta Mariehamn Minsk Monaco Moscow Nicosia Oslo Paris Podgorica Prague Riga Rome Samara San_Marino Sarajevo Simferopol Skopje Sofia Stockholm Tallinn Tirane Tiraspol Uzhgorod Vaduz Vatican Vienna Vilnius Volgograd Warsaw Zagreb Zaporozhye Zurich Please enter the name of one of these cities or zones You just need to type enough letters to resolve ambiguities Press Enter to view all of them again Name: [] London Your default time zone is set to 'Europe/London'. Local time is now: Fri Nov 9 16:53:52 GMT 2007. Universal Time is now: Fri Nov 9 16:53:52 UTC 2007.
SSH Config
Next we'll change the default SSH configuration to make it more secure:
Make a backup of /etc/ssh/sshd_config and then check or change the following:
Port 30000 <-- change to a port other than 22 PermitRootLogin no AllowUsers james
These are self-explainatory. This will disable root logins, allow only the user james to login, only on port 30000. If you like you can also set:
PasswordAuthentication no
This will mean you will only be able to login via an SSH private/public key pair which you will have needed to set up in advance. I didn't do this.
Note that if you get them wrong you might not be able to login to the machine so be careful. Once you happy with the settings restart:
doppler:~# /etc/init.d/ssh restart Restarting OpenBSD Secure Shell server: sshd.
Don't exit that shell though before you've loaded up another terminal and checked you can connect again. This time you'll need to use this:
ssh james@doppler.3aims.com -p 30000
If you do make a mistake and can't reconnect, boot into the rescue system and mount the drive with this command:
mount /dev/sda2 /mnt -t ext3
You will then be able to edit the file as /mnt/etc/ssh/sshd_config and then reboot back into your normal setup.
Also, publishing the settings you've chosen on a blog like this defeats the purposes of setting them so choose something different if you are going to publish them!
Firewall
You set up the firewall walls using iptables. This can't be done using sudo so you have to become the root user:
james@doppler:~$ sudo -i Password: doppler:~# whoami root
You can see the firwall rules like this:
doppler:~# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
If there were any rule you could save them like this:
iptables-save > /etc/iptables.current.rules
Here's a simple firewall configuration from the Slicehost Blog which you can use to block all access apart from on SSH, HTTP and HTTPS. Save this as /etc/iptables.test.rules. Feel free to modify it for your own use and be aware that if you have didn't change the SSH port to 30000 or you chose another port, you'll need to update the firewall config before you apply it.
Now load the rules with:
iptables-restore < /etc/iptables.test.rules
Again, test that you can still sign in using SSH before you exit the shell.
If you list the rules again you will see this:
doppler:~# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT 0 -- anywhere anywhere REJECT 0 -- anywhere loopback/8 reject-with icmp-port-unreachable ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp dpt:www ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:30000 ACCEPT icmp -- anywhere anywhere icmp echo-request LOG 0 -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: ' REJECT 0 -- anywhere anywhere reject-with icmp-port-unreachable Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT 0 -- anywhere anywhere reject-with icmp-port-unreachable Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT 0 -- anywhere anywhere
Once you are happy with the rules, save them permanently:
iptables-save > /etc/iptables.up.rules
Now we need to ensure that the iptables rules are applied when we reboot the server. At the moment, the changes will be lost and it will go back to allowing everything from everywhere.
Edit /etc/network/interfaces and add a pre-up line (shown below) just after iface lo inet loopback:
... auto lo iface lo inet loopback pre-up iptables-restore < /etc/iptables.up.rules ...
This line will restore the iptables rules from the /etc/iptables.up.rules file.
Updating
Next I installed any updates from the repositories listed in /etc/apt/sources.list:
sudo apt-get update sudo apt-get upgrade
perl-base was the only package upgraded. After I'd made all these changes I rebooted to ensure they were all applied.
That's as far as I can get until I recieve the new IP addresses. Might be some updates to the above if I run into any problems.
Note
Now you can create your virtual machines. See my previous article for how to do this. Start reading from the xen-create-image line.
Comments
AMD Talk » AMD 64 X2 Server From Hetzner
Posted: | 2007-11-09 20:05 |
---|
[...] Larry Rulison, Business writer wrote an interesting post today onHere’s a quick excerpt… cached Mem: 3926 73 3853 0 12 19 -/+ buffers/cache: 41 3885 Swap: 2055 0 2055. These commands show I’m using Debian 4.0 with a 364Gb hard disk on an AMD 64 machine and that I have 3853Mb of free RAM, using only 73Mb in total. … [...] :URL: http://amdtalk.com/1969/amd-64-x2-server-from-hetzner/
sqcentral » AMD 64 X2 Server From Hetzner
Posted: | 2007-11-09 22:39 |
---|
[...] here for [...] :URL: http://sqcentral.cn/?p=1233
hubab » AMD 64 X2 Server From Hetzner
Posted: | 2007-11-10 05:06 |
---|
[...] read more here [...] :URL: http://hubab.cn/?p=1652
hgdomainnames » Blog Archive » AMD 64 X2 Server From Hetzner
Posted: | 2007-11-10 08:20 |
---|
[...] here for full [...] :URL: http://hgdomainnames.cn/?p=716
Segtext.Com » AMD 64 X2 Server From Hetzner
Posted: | 2007-11-10 08:24 |
---|
[...] Ostrowski wrote an interesting post today on AMD 64 X2 Server From HetznerHere’s a quick [...] :URL: http://www.segtext.com/?p=646