missing kernel config check #10099

Closed
zouxianyu opened this issue May 15, 2024 · 1 comment

@zouxianyu
Contributor

Environmental Info:
K3s Version:

k3s version v1.29.4+k3s1 (94e29e2)
go version go1.21.9

Node(s) CPU architecture, OS, and Version:

Linux master 5.10.110 #1 SMP Mon May 13 02:09:12 PDT 2024 aarch64 aarch64 aarch64 GNU/Linux

Cluster Configuration:

1 server, 1 agent

Describe the bug:

k3s won't start. Here are some error messages taken from journalctl -u k3s.

master k3s[2242]: E0515 06:41:43.060036    2242 proxier.go:1525] "Failed to execute iptables-restore" err=<
master k3s[2242]:         exit status 2: iptables-restore v1.8.7 (legacy): Couldn't load target `REJECT':No such file or directory
master k3s[2242]:
master k3s[2242]:         Error occurred at line: 9
master k3s[2242]:         Try `iptables-restore -h' or 'iptables-restore --help' for more information.
master k3s[2242]:  >

Linux kernel needs to enable CONFIG_IP_NF_TARGET_REJECT, but check-config.sh doesn't check for it.

Steps To Reproduce:

  • Installed K3s

Expected behavior:

All Pods in the kube-system namespace run normally.

Actual behavior:

Some Pods don't work properly.

root@master:~$ kubectl get pod -A
NAMESPACE     NAME                                      READY   STATUS             RESTARTS         AGE
kube-system   coredns-7b6586dfcd-n6cn5                  0/1     Running            0                46m
kube-system   metrics-server-754c646885-vrbql           0/1     CrashLoopBackOff   12 (3m11s ago)   46m
kube-system   local-path-provisioner-77db45d49b-59fmt   0/1     CrashLoopBackOff   12 (3m19s ago)   46m
kube-system   helm-install-traefik-5skn2                0/1     CrashLoopBackOff   8 (3m5s ago)     46m
kube-system   helm-install-traefik-crd-r47zd            0/1     CrashLoopBackOff   8 (2m56s ago)    46m

Additional context / logs:

@mdrahman-suse

mdrahman-suse commented Jun 7, 2024

Validated on master branch with commit cff6f7a

Environment

$ uname -a
Linux server1 6.2.0-1012-aws #12~22.04.1-Ubuntu SMP Thu Sep  7 16:00:15 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux

Single server

Testing

  • Install k3s
  • Ensure cluster is up and running
  • Run k3s check-config
  • Validate CONFIG_IP_NF_TARGET_REJECT is present and enabled

Replication

$ k3s -v
k3s version v1.30.1+k3s1 (80978b5b)
go version go1.22.2
$ k3s check-config
cat: /sys/kernel/security/apparmor/profiles: Permission denied

Verifying binaries in /var/lib/rancher/k3s/data/019fb8bac4d619f2f3682a8aef4f460c4759bd4d1510b12b05b498936e75da14/bin:
- sha256sum: good
- links: good

System:
- /usr/sbin iptables v1.8.7 (nf_tables): ok
- swap: disabled
- routes: ok

Limits:
- /proc/sys/kernel/keys/root_maxkeys: 1000000

modprobe: FATAL: Module configs not found in directory /lib/modules/6.2.0-1012-aws
info: reading kernel config from /boot/config-6.2.0-1012-aws ...

Generally Necessary:
- cgroup hierarchy: cgroups V2 mounted, cpu|cpuset|memory controllers status: good
- /usr/sbin/apparmor_parser
apparmor: enabled and tools installed
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_PIDS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled (as module)
- CONFIG_BRIDGE: enabled (as module)
- CONFIG_BRIDGE_NETFILTER: enabled (as module)
- CONFIG_IP_NF_FILTER: enabled (as module)
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_MULTIPORT: enabled (as module)
- CONFIG_IP_NF_NAT: enabled (as module)
- CONFIG_NF_NAT: enabled (as module)
- CONFIG_POSIX_MQUEUE: enabled
...
STATUS: pass

Validation

$ k3s -v
k3s version v1.30.1+k3s-cff6f7aa (cff6f7aa)
go version go1.22.2
$ k3s check-config
cat: /sys/kernel/security/apparmor/profiles: Permission denied

Verifying binaries in /var/lib/rancher/k3s/data/93dbdeb1dc09ec65c4f3c32bec85f633fc72dd538f97dddd1607d03b428bb994/bin:
- sha256sum: good
- links: good

System:
- /usr/sbin iptables v1.8.7 (nf_tables): ok
- swap: disabled
- routes: ok

Limits:
- /proc/sys/kernel/keys/root_maxkeys: 1000000

modprobe: FATAL: Module configs not found in directory /lib/modules/6.2.0-1012-aws
info: reading kernel config from /boot/config-6.2.0-1012-aws ...

Generally Necessary:
- cgroup hierarchy: cgroups V2 mounted, cpu|cpuset|memory controllers status: good
- /usr/sbin/apparmor_parser
apparmor: enabled and tools installed
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_PIDS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled (as module)
- CONFIG_BRIDGE: enabled (as module)
- CONFIG_BRIDGE_NETFILTER: enabled (as module)
- CONFIG_IP_NF_FILTER: enabled (as module)
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled (as module)
- CONFIG_IP_NF_TARGET_REJECT: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_MULTIPORT: enabled (as module)
- CONFIG_IP_NF_NAT: enabled (as module)
- CONFIG_NF_NAT: enabled (as module)
- CONFIG_POSIX_MQUEUE: enabled
...
STATUS: pass
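
An added example (not k3s's check-config.sh and not code from this issue): a minimal POSIX shell check that tells built-in, modular and missing kernel options apart, run over a constructed config that lacks CONFIG_IP_NF_TARGET_REJECT as in the report above. The function names and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample kernel config: REJECT target not built, as in the report.
sample_config() {
    cat <<'EOF'
CONFIG_NAMESPACES=y
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
# CONFIG_IP_NF_TARGET_REJECT is not set
EOF
}

# check_flag CONFIG_FILE OPTION
# Prints the option state; returns 1 when it is neither =y nor =m.
check_flag() {
    if grep -q "^$2=y\$" "$1"; then
        echo "enabled"
    elif grep -q "^$2=m\$" "$1"; then
        echo "enabled (as module)"
    else
        echo "missing"
        return 1
    fi
}

# check_flags CONFIG_FILE OPTION...
# Prints one line per option; return code is the number of missing options.
check_flags() {
    cfg=$1; shift
    missing=0
    for opt in "$@"; do
        state=$(check_flag "$cfg" "$opt") || missing=$((missing + 1))
        echo "- $opt: $state"
    done
    return "$missing"
}

# Run the check against the constructed config and report overall status.
demo() {
    tmp=$(mktemp)
    sample_config > "$tmp"
    check_flags "$tmp" CONFIG_NAMESPACES CONFIG_IP_NF_FILTER \
        CONFIG_IP_NF_TARGET_MASQUERADE CONFIG_IP_NF_TARGET_REJECT
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

demo && echo "STATUS: pass" || echo "STATUS: fail"
```

On a real node, pass the kernel config path shown in the output above (for example /boot/config-$(uname -r)) to check_flags instead of the constructed file.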
