Ubuntu full disk encryption on Hetzner Cloud: adding a static route in initramfs
I am trying to set up Ubuntu with full disk encryption on top of Hetzner Cloud. I got everything to work except the network connection in the initramfs. Thanks to the UI console it's possible to unlock, but I need SSH (dropbear) in init. I am successfully using the same configuration on their root servers without any issues.
If I set up dropbear to get the IP by DHCP, it always results in NETWORK IS UNREACHABLE, but it gets the right parameters from the DHCP server. I asked Hetzner Support. They told me they think the DHCP client does not support the RFC 3442 Classless Static Routes Option and recommended adding a static route with ip r a 172.31.1.1 dev ens3. Like in this question I added the route, but always got the same error: NETWORK IS UNREACHABLE. I tried setting the route in different scripts, but nothing changed. I tested Ubuntu 16.04 and 18.04.
I'm happy about any recommendations about this.
Thanks!
ubuntu static-routes initramfs hetzner dropbear
asked Jun 4 '18 at 16:40
user2638109
183 bronze badges
3 Answers
For those who come across this thread:
At least in Debian Stretch a slightly more generic configuration (which won't break on package update) works. We just configure the network statically with a script in init-premount:
vi /etc/initramfs-tools/scripts/init-premount/static-routes
#!/bin/sh
# /etc/initramfs-tools/scripts/init-premount/static-routes
# to avoid race condition
# we have to wait until the automatic network configuration via dhcp
# is finished
sleep 15
ip a add 192.168.0.18/32 dev eth0
ip route add 192.168.178.1 dev eth0
ip route add default via 192.168.178.1 dev eth0
exit 0
chmod 755 /etc/initramfs-tools/scripts/init-premount/static-routes
answered Jun 7 at 14:45
jajo
261 bronze badge
I had the same problem and a small discussion with tech support: it cannot be that the initramfs fails only in Hetzner cloud instances like this.
But Hetzner Support repeatedly states only that their DHCP servers are compliant with RFC 3442, which announces the default host route to the internal cloud gateway. So this must be a problem of the initramfs DHCP client, and they couldn't (wouldn't?) try to set up a perhaps possible BootP response, e.g. with the right IP=... parameter.
I suggested updating their documentation for this, but it seems to be "feel free to use our wiki for documentation" ...
The (marketing ;) ... ) answer here is then not right:
Hetzner_OL 6 months ago [-]
Thanks for the suggestion about Docker/dbaas. I have passed it on to
our development team. We don't usually publish what new products and
features we are developing until they are ready, but we will continue
to post information about upgrades as they develop.
Regarding the DSGVO: Do you support encryption of the filesystem? ->
Hetzner Cloud servers are fully virtualized. So the customer can even
fully encrypt the whole server. --Katie, Marketing, Hetzner Online
I tried finding questions/solutions for this problem, but the only match I found today is your question ;)
Your referenced answer for setting up the interface is partly correct. But from the question it wasn't clear that he also needs a static host route to the gateway, so it's missing in the answer.
My quick solution to the problem is to patch the needed function manually like this, "dynamically" - you can check all your variables in /run/net-ens3.conf:
root@image-debian-jessie-94 ~ # diff -p /usr/share/initramfs-tools/scripts/functions.orig,
*** /usr/share/initramfs-tools/scripts/functions.orig 2018-07-31 12:46:40.911167456 +0200
--- /usr/share/initramfs-tools/scripts/functions 2018-07-31 12:50:30.736742035 +0200
*************** configure_networking()
*** 274,279 ****
--- 274,284 ----
# ipconfig should have quit after first response
. /run/net-*.conf
fi
+
+ # Hack for Hetzner vServer static route enhanced like shown partly in this answer:
+ # https://serverfault.com/questions/909040/static-route-in-initramfs
+ ip route add $IPV4GATEWAY/$IPV4NETMASK dev $DEVICE
+ ip route add default via $IPV4GATEWAY dev $DEVICE
}
# Wait for queued kernel/udev events
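Review bot: the two added `ip route add` lines at the end of configure_networking() run unconditionally after `. /run/net-*.conf`, with no check that DHCP actually supplied a gateway; with $IPV4GATEWAY empty the first line expands to `ip route add /$IPV4NETMASK dev $DEVICE` and fails, and a plain `ip route add` also errors with "File exists" if the default route is already present when the function runs a second time. Guard the block with `if [ -n "$IPV4GATEWAY" ]; then ... fi` and use `ip route replace` so it is idempotent. Separately, /usr/share/initramfs-tools/scripts/functions is owned by the initramfs-tools package, so this edit is lost on the next upgrade; the same two commands belong in a hook under /etc/initramfs-tools/scripts/init-premount/, which survives package updates.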
Tested and worked fine for me. I could set up / snapshot the smallest image.
The encrypted snapshot is ~18 GB compared to 0.5 GB unencrypted, but the snapshot price is still fine compared to the improved security (normally OpenStack-based systems could/should have a key manager service which can do this transparently ;).
answered Aug 2 '18 at 19:17
Reiner030
335 bronze badges
To enhance the above answer: I found out that the image can be made smaller by running the cloud instance itself in rescue mode and encrypting only the minimal size of 1500 MB. Here are my basic calls to the install script, split in two parts:
SERVER_USER="root"
DEBIAN_VER="9"
SSH_CALL="sshpass -p $SERVER_PASS ssh -akx -i $(ls /srv/pillar/salt-cloud/*.pem | head -n 1) -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes $SERVER_USER@$SERVER_IP"
– Reiner030
Feb 27 at 21:13
DEBIAN_IMAGE="$($SSH_CALL ls /root/.oldroot/nfs/install/../images/Debian-$DEBIAN_VER*-minimal.tar.gz | sort | tail -1)"
$SSH_CALL /root/.oldroot/nfs/install/installimage -n $MINION_ID -i $DEBIAN_IMAGE -p /boot:ext3:512M,lvm:VGcrypt:1536M -v VGcrypt:root:/:ext4:1500M -b grub -r no -g -d sda -s en -a
– Reiner030
Feb 27 at 21:19
jajo's answer starts on the right track, but it misses a few key things. Here is how I got this to work on Ubuntu Bionic without having to patch any files (meaning, this method isn't susceptible to being broken by an update):

1. initramfs-tools scripts need to start with some boilerplate that hooks into its system; otherwise, the script will run at initramfs generation time, which is not what we want:

    #!/bin/sh
    PREREQ=""
    prereqs()
    {
        echo "$PREREQ"
    }
    case $1 in
    prereqs)
        prereqs
        exit 0
        ;;
    esac
    . /scripts/functions
    # Begin real processing below this line

2. Invoke the configure_networking function right before adding the route. This causes the default network configuration to happen first, which would otherwise clobber any settings created by the script if it were to run later. The function creates some files in /run/, which make the second invocation (from the busybox-initramfs hook) do nothing.

    configure_networking

3. Add the static routes, as in jajo's answer. If you are not configuring an IP address using e.g. a kernel command-line parameter, then add that here too.

    ip route add 1.2.3.4 dev ens3
    ip route add default via 1.2.3.4 dev ens3
    exit 0

As in jajo's answer, the file above should be placed in /etc/initramfs-tools/scripts/init-premount/static-routes, and made executable.
One more thing worth noting is that klibc has recently implemented support for RFC3442 (classless static routes in DHCP); so, if your service provider is announcing the necessity for these routes in their DHCP configuration, it's possible that you may not need this script in the latest Debian/Ubuntu versions.
answered 22 hours ago
Vladimir PanteleevVladimir Panteleev
9553 gold badges12 silver badges30 bronze badges
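As an added example (not code from the answer above or from initramfs-tools), here is a variant of the same init-premount hook that takes the address, gateway, netmask and device from the /run/net-<dev>.conf file that configure_networking leaves behind (the variable names DEVICE, IPV4ADDR, IPV4NETMASK and IPV4GATEWAY are assumed from klibc ipconfig) and adds the host route to the gateway only when the gateway lies outside the local subnet, which is the case the answer's two ip route lines handle. The sample addresses are constructed from documentation ranges.

```shell
#!/bin/sh
# Added example, not Vladimir Panteleev's script: an init-premount hook that
# derives its routes from the /run/net-<dev>.conf that configure_networking
# (klibc ipconfig) writes instead of hard-coding them, and adds the on-link
# host route to the gateway only when the gateway is outside the local subnet.
PREREQ=""
prereqs() { echo "$PREREQ"; }
case $1 in
prereqs) prereqs; exit 0 ;;
esac

# Dotted quad to a 32-bit integer, e.g. 255.255.255.0 -> 4294967040.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print, one per line, the "ip route" commands for an address, gateway,
# netmask and device. The gateway host route is emitted only when the
# gateway is not on-link; "replace" keeps the default-route step idempotent
# in case ipconfig already installed one.
route_cmds() {
    addr="$1" gw="$2" mask="$3" dev="$4"
    if [ -z "$addr" ] || [ -z "$gw" ] || [ -z "$dev" ]; then
        echo "route_cmds: address, gateway and device are required" >&2
        return 1
    fi
    [ -n "$mask" ] || mask=255.255.255.255
    m=$(ip2int "$mask")
    if [ $(( $(ip2int "$addr") & m )) -ne $(( $(ip2int "$gw") & m )) ]; then
        echo "ip route add $gw dev $dev"
    fi
    echo "ip route replace default via $gw dev $dev"
}

# Only the real initramfs provides /scripts/functions; outside it the two
# functions above can still be exercised by hand.
if [ -r /scripts/functions ]; then
    . /scripts/functions
    configure_networking   # runs first, so it cannot clobber the routes below
    for conf in /run/net-*.conf; do
        [ -r "$conf" ] || continue
        . "$conf"          # assumed to set DEVICE, IPV4ADDR, IPV4NETMASK, IPV4GATEWAY
        [ -d "/sys/class/net/$DEVICE" ] || continue
        route_cmds "$IPV4ADDR" "$IPV4GATEWAY" "$IPV4NETMASK" "$DEVICE" |
            while read -r cmd; do $cmd || echo "static-routes: '$cmd' failed" >&2; done
    done
fi
```

Installed at the same path as the answer's script and made executable, it needs no edit when the provider changes the gateway, since the values are read from what configure_networking obtained at boot.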