Traffic-agent using incompatible iptables-variant (legacy instead of nft) #3542

Open
glooms opened this issue Mar 13, 2024 · 4 comments

@glooms

glooms commented Mar 13, 2024

The OS we're using for our clusters, AlmaLinux 9.1, doesn't support iptables-legacy, only iptables-nft, which surfaced as an unintelligible error asking us to update the kernel.

The fix was quite simple: we just made a derivative of the Dockerfile.traffic where we symlink iptables to /sbin/xtables-nft-multi (what iptables was originally pointing to), like so:

FROM docker.io/datawire/tel2:2.18.0

RUN ln -sf /sbin/xtables-nft-multi /sbin/iptables
RUN ln -sf /sbin/xtables-nft-multi /sbin/ip6tables

ENTRYPOINT ["traffic"]
CMD []

Although the fix is quite simple, it was very hard to find, so it might be good to solve it, or at the very least to add it to your troubleshooting section, as it might be useful for others.

@cindymullins-dw
Collaborator

Thanks, @glooms. That's a great bit of feedback and a fix. Much appreciated.

@cindymullins-dw
Collaborator

Hi @glooms, do you recall what error you got when running into this? It would be great to know if you still have access to that or remember what you first saw.

@glooms
Author

glooms commented Apr 2, 2024

Hello @cindymullins-dw, the error I get is that the init-container created when doing telepresence intercept <service> crashes with the following logs:

2024-04-02 08:31:52.6682 info    Traffic Agent Init v2.18.0
2024-04-02 08:31:52.6771 error   failed to clear chain TEL_INBOUND_TCP: running [/sbin/iptables -t nat -N TEL_INBOUND_TCP --wait]: exit status 3: iptables v1.8.10 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

2024-04-02 08:31:52.6771 error   quit: failed to clear chain TEL_INBOUND_TCP: running [/sbin/iptables -t nat -N TEL_INBOUND_TCP --wait]: exit status 3: iptables v1.8.10 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
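
A triage helper for the failure in the log above, added here as an example and not part of the thread or of Telepresence's own code: it classifies the iptables backend from a `--version` string and flags the legacy "Table does not exist" signature in agent-init logs. The function names are hypothetical; the sample line is copied from the log posted in this issue.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not code from the project.

# iptables_variant VERSION_LINE
# iptables 1.8+ appends "(legacy)" or "(nf_tables)" to its --version output;
# older releases print no suffix and only ship the legacy backend.
iptables_variant() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        iptables\ v*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# diagnose_init_log: read agent-init log lines on stdin and report whether
# they show a legacy binary failing to open the nat table.
diagnose_init_log() {
    variant=unknown
    missing_table=no
    while IFS= read -r line; do
        case "$line" in
            *"iptables v"*"(legacy)"*)    variant=legacy ;;
            *"iptables v"*"(nf_tables)"*) variant=nft ;;
        esac
        case "$line" in
            *"can't initialize iptables table"*"Table does not exist"*)
                missing_table=yes ;;
        esac
    done
    if [ "$variant" = legacy ] && [ "$missing_table" = yes ]; then
        echo "backend-mismatch: legacy binary cannot open the nat table"
    elif [ "$missing_table" = yes ]; then
        echo "table-missing: variant=$variant"
    else
        echo "no-match"
    fi
}

# Sample input: one error line copied from the log in this issue.
sample_log() {
    cat <<'EOF'
2024-04-02 08:31:52.6771 error   failed to clear chain TEL_INBOUND_TCP: running [/sbin/iptables -t nat -N TEL_INBOUND_TCP --wait]: exit status 3: iptables v1.8.10 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
EOF
}

sample_log | diagnose_init_log
```

On a node or inside the agent image, `iptables_variant "$(iptables --version)"` reports which backend the binary on the path will use.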

@chris-ng-scmp

My cluster worker nodes are having the same issue as well after we upgraded the kernel version from 4.19.91 to 5.10.134.
