RancherOS on Hetzner Cloud


#1

I’m curious about RancherOS, so I installed an instance on the Hetzner Cloud. Let’s see how it works…

Installing RancherOS on Hetzner Cloud

Preliminary Steps

  1. Create a new instance. Ubuntu or Debian are fine: we’re going to smash them anyway.
  2. Enable Rescue
  3. SSH in to your new instance

If you already have a spare instance, you can still go through 2 and 3, but beware, the HDD will be wiped!

ISO Install

This works for other OSes as well that are not in the official image list (e.g., Alpine Linux, Devuan, etc.).

1. Get the tools

apt install kexec-tools

This will be used to boot the mounted ISO once we have it.

2. Get the ISO

At the time of this writing, v1.5.1 is out. YMMV, replace the version number as needed in the whole document.

wget https://github.com/rancher/os/releases/download/v1.5.1/rancheros.iso
wget https://github.com/rancher/os/releases/download/v1.5.1/iso-checksums.txt

Running sha256sum rancheros.iso should match the hash in the iso-checksums.txt. If not: stop here and download again, as something is very wrong. Do not continue unless the SHA256 hashes match.

3. Wipe the Disk

This is why we’re running in Rescue mode and not on the primary OS. Now you know :slight_smile:

sgdisk -Z /dev/sda

4. Boot RancherOS from the ISO

mount -t iso9660 rancheros.iso /mnt
kexec --initrd /mnt/boot/initrd-v1.5.1 \
      --command-line="rancher.password=rancher" \
      /mnt/boot/vmlinuz-4.14.85-rancher

Now we can SSH in from another terminal to finish the install:

ssh \
  -o ProxyCommand=none \
  -o PubkeyAuthentication=no \
  -o UserKnownHostsFile=/dev/null \
  -o StrictHostKeyChecking=no \
rancher@$HETZNER_HOST_IP

5. Install RancherOS on Disk

First, prepare the configuration file:

cat <<EOD > cloud-config.yml
hostname: rancher
ssh_authorized_keys:
  - ssh-ed25519 AAAAC3NzaC1l...QdmfAnff9n how@spine
rancher:
  docker:
    tls: true
  network:
    dns:
      nameservers:
        - 213.133.98.98
        - 213.133.99.99
        - 213.133.100.100
    interfaces:
      eth0:
        address: $HETZNER_HOST_IP
        netmask: 255.255.255.255
        gateway: 172.31.1.1
        pointopoint: 172.31.1.1
        mtu: 1400
        dhcp: false
EOD

Let’s break it down:

  1. hostname should be the hostname you choose for your instance
  2. the ssh_authorized_keys should list one or more public keys. ed25519 keys are short and strong: use them.
  3. Docker TLS is set to true, so you must additionally run the “Docker TLS” commands below
  4. DNS servers are Hetzner’s. You can use whatever you like.
  5. $HETZNER_HOST_IP must be replaced by the public IPv4 address assigned to your instance.
  6. The eth0 setup uses 172.31.1.1 gateway as is normal with Hetzner Cloud static IPs. Careful it’s pointopoint, not pointtopoint (only one t (sic)).

Now we’re ready to go:

ros install \
  -i rancher/os:v1.5.1 -t gptsyslinux -c cloud-config.yml -d /dev/sda -f

Additionally setup Docker TLS:

ros config set rancher.docker.tls true
ros tls gen --server -H localhost -H rancher -H $HETZNER_HOST_IP
system-docker restart docker
ros tls gen

Here. Done. Reboot into your new RancherOS instance!

What’s in RancherOS?

So, RancherOS is a Docker-based Linux system optimized to run Docker containers.
It seems very appropriate for Cloud deployments. I was first attracted to it because of a screenshot that shows a nice web-based Kubernetes manager. I thought it might be useful for me to learn the ropes of K8s.

Kubernetes Dashboard

So, I only have sshd running. Hmmm… After some browsing I found this–but don’t run this yet–:

docker run -d --restart=unless-stopped -p 80:80 -p 443:443 rancher/rancher

After another browsing set, I came to destroy the user docker container rancher/rancher and use the system service version instead. Here you go:

docker ps # returns an empty set
sudo ros s enable rancher-server-stable # chose from: sudo ros service list
sudo ros s up rancher-server
docker ps

rancher-server will listen on 8080.

Soon enough I could access the IP through HTTPS and see the nice dashboard.

TODO

  • Fix the certificate (using LetsEncrypt instead of the default self-signed CA) so I can run on the public domain name
  • Configure for custom cloud providers (e.g., Hetzner)

#2

Related
https://seclists.org/oss-sec/2019/q1/119


#3

Yes, v1.5.1 fixes this vulnerability (it’s not the stable release yet.) See release notes below: