OVH: Custom VPS Installation

From Wiki³
Revision as of 22:22, 29 July 2017 by Kyau (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Icon Introduction

I have personally been using OVH for my hosting for some time now. While they are not necessarily known for their stellar support, if you know what you are doing you can accomplish a lot with OVH. One of the cheaper options at OVH, if you cannot afford or do not need an entire dedicated server all to yourself, is the OVH VPS SSD. With the lowest tier offering starting at around $3.49USD a month, they are very affordable to grab one to play around with for a bit. So for the sake of science, I purchased one of the first tier (VPS SSD 1) and gave it a go. You can find a detailed comparison of a few VPS providers including OVH here.

IconWhile I did this guide with a VPS SSD instance, I also have done this for my dedicated server as well.

Icon OVH Terms & Conditions

After looking through their terms and conditions for the VPS only two things jump out at me in particular.

"OVH reserves the right to limit, filter, suspend or restrict features and protocols (such as IRC or peer to peer file sharing) of the Virtual Private Server to ensure the security of their infrastructure."

This doesn't seem too bad. From the sound of it, if you cripple their network running IRC or p2p based things they reserve the right to firewall you. I can understand that, not like you want to attract script kiddies and DDoS.

"OVH will guarantee a bandwidth of up to 100 Mbps (one hundred megabits per second) as long as the traffic of the bandwidth does not exceed the pre-defined set monthly volume of 10TB (ten terabytes). This monthly volume includes both internal OVH traffic and traffic outside of the OVH network. When the monthly traffic volume exceeds the set monthly volume, the bandwidth of the Virtual Private Server will be limited to 1 Mbps until the next monthly renewal date."

If the monthly transfer limit was not so high I would say this would be a serious deal-breaker. However, given most months I have a hard time hitting even 1TB on my dedicated server I have from them, I do not think this is as serious as it looks unless your planning to run some seriously bandwidth intense tasks.

Icon Setup Time

Setup time for the VPS was not bad but not amazing either. I would say about average for OVH (don't let their 120s activate images on the website fool you).

  • Ordered: Mon, Jul 24, 2017 at 5:37 PM
  • Received: Mon, Jul 24, 2017 at 5:48 PM

Icon VPS Information

Before I scrapped their installation of Arch Linux I took a look around at the VPS installation a bit.

# dmidecode -s system-product-name && dmidecode -s chassis-manufacturer


OpenStack Nova
QEMU

This was a nice surprise, good on them for using OpenStack.

# uname -a


Linux XXX.vps.ovh.ca 4.11.9-1-ARCH #1 SMP PREEMPT Wed Jul 5 18:23:08 CEST 2017 x86_64 GNU/Linux

Doesn't get any more current than that for an Arch install as that is the current kernel as of writing this.

# cat /boot/grub/grub.cfg | grep vmlinuz


linux/boot/vmlinuz-linux root=UUID=52d0c25c-2e4e-473b-81eb-56b46711a793 rw console=tty0 console=ttyS0,115200 quiet

Looks like extra entries to the kernel options on boot, if I had to guess I would say it is probably for the included KVM support. Making a note of this for later.

# cat /etc/systemd/network/eth0-dhcp.network


[Match]
Name=eth0

[Network]
DHCP=yes

[DHCP]
UseMTU=true

This is a nice change from the sometimes complicated network configuration of my dedicated. Nice and simple.

For pure curiosity I took a look at how far away I was in the datacenter from my dedicated server.

# ping dark.kyau.net


PING dark.kyau.net (198.245.62.167) 56(84) bytes of data.
64 bytes from dark.kyau.net (198.245.62.167): icmp_seq=1 ttl=58 time=0.490 ms
64 bytes from dark.kyau.net (198.245.62.167): icmp_seq=2 ttl=58 time=0.668 ms
64 bytes from dark.kyau.net (198.245.62.167): icmp_seq=3 ttl=58 time=0.700 ms
64 bytes from dark.kyau.net (198.245.62.167): icmp_seq=4 ttl=58 time=0.658 ms
--- dark.kyau.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3032ms
rtt min/avg/max/mdev = 0.490/0.629/0.700/0.081 ms

Icon Installation

First in order to install Arch Linux from scratch we need to get the VPS net-booted into the OVH Rescue Mode.

Icon Rescue Mode

Enter the OVH Control Panel and select the VPS on the left. There should be a series of buttons on the right side of the screen, one named "Rescue mode". This process will take a few minutes in order to reboot the VPS into rescue mode, the progress of this should be shown in the dashboard. The login details for rescue mode will be emailed to the email address on file with OVH.

IconThis is one of the things I personally hate about OVH, the emailing of login details to the users. There are a lot more secure ways of going about this.

Once the machine has been restarted into rescue mode and login information has been obtained, login over ssh. These additional command line options here will make it so it does not record the hostkey (given that this is about to change once Arch is installed).

# ssh -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no root@X.X.X.X
IconWARNING: The moment you login change the root password with passwd, OVH emails passwords in plain-text which is susceptible to MITM attacks.

Take note of the Debian environment.

Icon Disk Setup

Pull up a list of all of the disks in the system.

# lsblk

You should see the rescue disk mounted and your system disk then mounted into a directory inside of /mnt. The only one we care about is the one mounted inside /mnt. Un-mount this partition.

# unmount /mnt/vdX1

Wipe the current disk so there is no interference.

# dd if=/dev/zero of=/dev/vdX bs=1M count=2048

Wipe the current partition scheme and create a new partition table.

# echo -e "o\nn\np\n1\n\n\na\nw" | fdisk /dev/vdX

Format the root filesystem.

# mkfs.ext4 /dev/vdX1

Be sure to select Y to overwrite the current partition.

Now that the disk is setup, remove the directory OVH created in /mnt and mount the partition.

# rmdir /mnt/vdX1
# mount /dev/vdX1 /mnt

Icon Bootstrap

At this point download the arch-bootstrap.sh script that was created by Arch Linux user tokland. Then give the script the proper permissions.

# wget https://raw.githubusercontent.com/tokland/arch-bootstrap/master/arch-bootstrap.sh
# chmod +x arch-bootstrap.sh
IconGitHub: tokland/arch-bootstrap

Then bootstrap the system.

# ./arch-bootstrap.sh /mnt

As explained at the completion of the bootstrap script, next mount the system partitions. Don't forget the last one added here.

# mount -t proc proc /mnt/proc/
# mount -t sysfs sys /mnt/sys/
# mount -o bind /dev /mnt/dev/

Also install the haveged package, this is used to accelerate entropy generation.

# wget -O /mnt/tmp/haveged.tar.xz https://www.archlinux.org/packages/extra/x86_64/haveged/download/

Icon Chroot

Chroot into the new install.

# chroot /mnt

Extract and run haveged.

# tar xJf /tmp/haveged.tar.xz
# haveged -w 1024

Initialize and populate the Arch Linux pacman keys.

# pacman-key --init
# pacman-key --populate archlinux

Finally re-base the system by running pacman to install Arch Linux.

# pacman -S base base-devel arch-install-scripts git grub-bios openssh sudo vim

Generate an fstab file.

# genfstab / > /etc/fstab

Edit the fstab and add the UUID of the disk, to do so use :r !blkid -s UUID -o value /dev/vdX1.

# lsblk
# vim /etc/fstab

Icon Boot Loader

Use the scripts that come with grub in order to install the boot loader.

# grub-install /dev/vdX

Open up the grub config in vim and add in the kernel options we saw from the OVH install to GRUB_CMDLINE_LINUX_DEFAULT.

# vim /etc/default/grub


GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,115200 quiet"

Generate the GRUB config.

# grub-mkconfig -o /boot/grub/grub.cfg

Icon Networking

Next create a system service to start up the network.

# vim /etc/systemd/network/eth0-dhcp.network


[Match]
Name=eth0 en*

[Network]
DHCP=yes

[DHCP]
UseMTU=true

Then enable systemd-networkd so that the service is started on boot, also enable the ssh service.

# systemctl enable systemd-networkd
# systemctl enable sshd

Edit the sshd config file to enable public key authentication and disable root login.

# vim /etc/ssh/sshd_config


PermitRootLogin no
PubkeyAuthentication yes

Icon System Settings

Choose a unique hostname for the machine.

# echo "chaos.kyau.net" > /etc/hostname

Set the proper timezone and generate /etc/adjtime. Check the /usr/share/zoneinfo directory for a list of existing zones.

My VPS is in the BHS datacenter so I will use the timezone that applies.

# ln -sf /usr/share/zoneinfo/America/Montreal /etc/localtime

Choose the proper localization and uncomment it from /etc/locale.gen, the defacto English (US) standard is en_US.UTF-8 UTF-8, and then generate the needed localization.
Also add the localization to /etc/locale.conf.

# sed -i 's/^#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen
# locale-gen
# echo "LANG=en_US.UTF-8" > /etc/locale.conf

Set a root password.

# passwd

Create a user account adding it to the wheel group, then give it a password.

# useradd -m -G wheel,systemd-journal -s /bin/bash kyau
# passwd kyau

Make sure the wheel group has sudo access.

# sed -i 's/^# %wheel ALL=(ALL) ALL$/%wheel ALL=(ALL) ALL/' /etc/sudoers

Icon Reboot

Exit out of the chroot environment.

# exit

Navigate back to the Web UI for the OVH VPS and click on the button on the right labeled "Reboot my VPS", this will pull the server back out of rescue mode.

Icon Post-Installation

Once the machine has rebooted and you can see a green light on PING and SSH in the OVH dashboard, ssh back into your machine.

# ssh user@ovh.vps.com

Icon Network Time Protocol

As it is always a good idea to keep the systems date/time in sync, for this use systemd-timesyncd.

# sudo timedatectl set-ntp true

Icon Packages

To find the fastest recently updated mirrors for pacman, install the reflector package.

# sudo pacman -S reflector

Reflector will search through the last 100 updated mirrors that use HTTPS and sort them by download speed and then output the list to /etc/pacman.d/mirrorlist overwriting the current list. This command might take a few minutes depending on internet connection speed and latency.

# sudo reflector --latest 100 --protocol https --sort rate --save /etc/pacman.d/mirrorlist

Enable colored output in pacman.

# sudo sed -i 's/#Color/Color/' /etc/pacman.conf

To install aur:pacaur first manually install cower.

# git clone https://aur.archlinux.org/cower.git
# cd cower && makepkg -si && cd .. && rm -rf cower
IconIf makepkg complains about GPG keys see this pinned comment or use gpg --recv-keys --keyserver hkp://pgp.mit.edu 1EB2638FF56C0C53

Then proceed to install pacaur manually.

# git clone https://aur.archlinux.org/pacaur.git
# cd pacaur && makepkg -si && cd .. && rm -rf pacaur

Perform a full system update.

# pacaur -Syu


Icon See also: Managing Packages