-
Notifications
You must be signed in to change notification settings - Fork 59
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Platform Request: Hetzner #1324
Comments
Thanks for filing this. Note that we'll need these answers from the OS perspective, not the user perspective. E.g., how does the OS fetch userdata? How does it learn its own hostname? |
Some previous discussion in:
Apparently the platform is sometimes called |
We discussed this in today's community meeting:
|
Happy to hear it. Would you like me to ask around to see if I can find some contacts there or do you already have folks you can talk to? |
Yes, that would be helpful, thanks! |
Quick update: I’ve been in touch with an engineer at Hetzner: “I passed it to the responsible people but they are on vacation for the next two weeks … I will force it to be answered then :)” |
At least for reseting passwords a "QEMU Guest Agent" is running on the OS. |
So, how could we help to get CoreOS running on Hetzner Cloud? |
@asciiprod Thanks for joining in! We could use some help answering the questions at the top of this issue. We have some answers already in the old Container Linux PRs, but it'd be good to make sure our understanding is up to date. |
Sure, I'll try to answer them as good as I can:
|
@asciiprod thanks for the detailed feedback! Some additional thoughts from my side:
|
The canonical documentation is available at: If we want to include the image on the platform, it must support passing a password hash as instance creation does not force selecting an SSH key. Using UEFI-only for given image is something that is currently not implemented. I'd have to check internally if we could do that. The internal workflow for images does not import any external disk images. Hetzner Cloud images are generated by automated installations (e.g. kickstart/subiquity) from distribution ISOs using packer & ansible. This leads to a compressed (zstd) raw disk image, which is uploaded as an image snapshot and used to test and validate the new build on the platform. That is the point were it could be possible to import a pre-build external disk image. However that would have to be discussed internally, if it is acceptable to open this process up for 3rd party generated images. From a release and support point of view, I think we could only support the stable version. Currently no aarch64 Cloud instances, but as we offer Ampere dedicated servers, that's something I would keep on the list and I'd say they work the same way (probably UEFI-only) |
Ah great, thanks. The page I was looking for is https://docs.hetzner.cloud/#server-metadata (though it doesn't currently cover the userdata part). |
Thanks for the detailed info, this is very helpful!
I don't think we should support this. Fedora CoreOS tries to encourage the use of best practices, and passwords aren't that. On other platforms, Fedora CoreOS instances are usually configured with an SSH key passed in the Ignition config.
We always recommend that users run some |
I totally agree that SSH keys should be used and we also strongly recommend it during instance creation. But we do offer a password fallback for the existing OS images. So if CoreOS does not support it, we would need to enforce it. In any case the more CoreOS specific changes we would need to make, the more difficult it becomes to adopt it for Hetzner Cloud. |
IIUC from the docs, it seems like the password hash is injected into the user-data, which is assumed to be a cloud-init config. Is that correct? I derived this from the fact that there's no entry for it in the Server Metadata section. (Aside: it seems like that section is missing an entry for If that's the case, that logic would have to learn to support Ignition configs too. Password authentication is disabled by default on FCOS, so it would have to inject a drop-in for it. Also, the default sshd config (at least on Fedora) prohibits password authentication for the root user so it would have to undo that too. What happens if no SSH keys are provided and the user-data isn't a cloud-init config? Does the API return an error because it doesn't know how to inject a root password? That seems like acceptable behaviour for the time being and avoids adding anything FCOS-specific. |
The metadata API provides either the user-selected SSH-key or a random generated password hash if no SSH-key is selected. So instance creation will always succeed. |
Yes, if we want to start making incremental progresses on this then the next immediate things to sort out on FCOS side are:
|
Hey everyone (@asciiprod, @lucab), any progress on this? It would be really amazing to be able to boot up a Fedora CoreOS instance on Hetzner in under a minute (that’s how fast the supported instances boot up; it’s a game-changer for Small Web use) :) |
Hey folks, any updates on this? Would still love to see it happen. Has communication between Fedora and Hetzner stalled? If so, how do we get it going again? :) |
@aral I think this thread has all of the needed information now, or at least most of it. There are some old Afterburn and Ignition PRs that'll need a rebase and an update based on the information here. I don't think anyone is currently working on that, but feel free to run with it if you'd like! |
I've created a PR with the "simplified" steps to add a new platform: #1562 |
Ignition PR: coreos/ignition#1707 |
Folks interested for initial support for this platform in Fedora CoreOS should open an issue with the emerging platform template and follow the steps there. Thanks! |
Any updates on this for 2024? I can’t imagine how launching a CoreOS installation on Hetzner’s cloud in under a minute would be bad for either Fedora or Hetzner. (Not to mention that this would have the Small Web launch on CoreOS instead of Ubuntu as that’s really the only option I see at the moment otherwise for an affordable platform with instance creation measured in the seconds.) Anyone know what’s blocking this and how we can try and route around it? |
@aral There's a really good guide by @swick that explains how to install Fedora CoreOS on Hetzner servers. It's not as easy as the other operating systems provided by Hetzner, but it's a good enough workaround until they provide official support. |
@nachtjasmin Thanks, Jasmin, that is a good guide indeed. Sadly, for my needs (we will eventually have thousands of servers), that isn’t good enough so I’ve decided to go with AlmaLinux on Hetzner instead. It doesn’t automatically update like CoreOS, sadly, which would have been my first choice, but eight years of security updates should give us enough time to either implement a major version update system or transition to a transactional OS later. |
Since this doesn’t look like it’s going to be implemented and since I’m moving ahead with using a different OS, I’m closing this. Please feel free to reopen if anything changes. |
@aral Why not just leave it open, since it’s not solved yet? |
@thomasaull I’ll leave that decision to the Fedora CoreOS folks. They can reopen it if they decide to work on it. It’s been open for over two years, there’s no reason to keep it open longer in my view. |
@aral Got it. Just out of curiosity: What exactly is the issue with the snapshot approach? Boot duration too long? |
@thomasaull It’s too convoluted and specific to Hetzner. I don’t want to tie Domain so closely to one provider, even if Hetzner is the one we’re initially going to be supporting and to have a hacky workaround be the core way that servers are deployed for the Small Web. Also, hopefully, we (Small Technology Foundation) won’t be the only ones running Domain instances – other organisations around the world will so it’s just not feasible to base such a system on a workaround. (Boot duration isn’t the issue as Domain now uses prewarmed instances.) In the future, once we have more resources, etc., we can maybe review the decision. Hope that helps give some insight into my, admittedly rather unconventional, needs :) |
@aral Thanks for the insights! I'll read up on Domain/Small Web |
@thomasaull If you’re going to, the end-to-end encrypted Kitten chat (https://ar.al/2023/02/20/end-to-end-encrypted-kitten-chat/) and Streaming HTML (https://ar.al/2024/03/08/streaming-html/) posts/videos should give you a good idea of where everything is. It’s a new stack, specifically for a peer-to-peer web (Small Web) 💕 |
One of the biggest roadblocks currently is the UEFI requirement. We also don't really want to offer a server image that doesn't boot in legacy BIOS mode (which then wouldn't boot on the older machine types). |
With support in Afterburn and Ignition now in stable, it should be possible to convert a QEMU FCOS image using the script in coreos/fedora-coreos-docs#651 to an Hetzner one and use it to setup FCOS on Hetzner. Testing welcomed! If successful, we should document that in the docs. |
Initial documentation to setup FCOS on Hetzner. Inspired by: https://www.flatcar.org/docs/latest/installing/cloud/hetzner/ See: coreos/fedora-coreos-tracker#1324
While we do not yet provide ready made images for Hetzner, I've written documentation on how to setup Fedora CoreOS on Hetzner with what we have available right now: coreos/fedora-coreos-docs#654 Testing and feedback welcomed! |
What's preventing this last piece ^^? Looks like from the docs PR you are just changing the platform ID, is that it? |
Yes, that's the only bit missing. If there are no objections then we could start building those and that would definitely make it easier to provision an instance. |
We discussed this issue on FCOS community meeting today and agreed that we will start producing Hetzner images for Fedora CoreOS. |
Does this mean that FCOS will become a 1-click install option on Hetzner Cloud? |
No, we will produce disk images that you will have to upload to hetzner, that's the best we can do |
No worries! That still sounds easier than the recovery mode work-arounds I keep seeing |
In order to implement support for a new cloud platform in Fedora CoreOS, we need to know several things about the platform. Please try to answer as many questions as you can.
Hetzner: https://www.hetzner.com/cloud
“Hetzner Online GmbH is a company and data center operator based in Gunzenhausen, Germany.” – https://en.wikipedia.org/wiki/Hetzner
According to Enlyft, over 180,000 companies use their services.
In 2021, they apparently had over 200,000 servers in just one of their data centres (https://www.youtube.com/watch?v=5eo8nz_niiM).
Personally, they offer the fastest instance creation times I’ve seen, an excellent API, and their prices are among the lowest available. All of these make them perfect for use for the small web. Unfortunately, since they don’t support CoreOS, I’m going to likely have to build the small web stuff on Ubuntu to start with. Which is less than ideal as I’d love for the instances to be auto-updating with a minimum of maintenance required. (The closest thing to that currently is Ubuntu LTS with automatic security updates enabled but that doesn’t, of course, cover major version updates.)
Hetzner.
Currently uses CloudInit, as far as I know (at least for Ubuntu instances). If no userdata is provided, no customisation occurs.
Yes (through their interface/API). If none are provided, it sets a root password and emails it to the person.
I don’t know, sorry.
All regular hostname commands appear to work. Not sure if that’s what you’re asking though.
I don’t know, sorry.
Not sure.
I don’t believe so. I haven’t encountered it in the instances I’ve set up, at least.
Online interface + API. I haven’t used this personally.
Likely, but I haven’t encountered any in my use of their services :)
The text was updated successfully, but these errors were encountered: