Why CILIUM is still using NOTRACK Kernel Module #17745
Comments
The Maybe WSL2 is missing that second config or maybe the module is not loaded? |
With #17751, we'll be using |
running cilium 1.11.0 on wsl2 (kernel version 5.10.60.1-microsoft-standard-WSL2) still having trouble @pchaigno
level=error msg="Command execution failed" cmd="[iptables -w 5 -t raw -A CILIUM_PRE_raw -m mark --mark 0x00000200/0x00000f00 -m comment --comment cilium: NOTRACK for proxy traffic -j CT --notrack]" error="exit status 2" subsys=iptables
level=warning msg="iptables v1.8.4 (legacy): unknown option \"--notrack\"" subsys=iptables
level=warning msg="Try `iptables -h' or 'iptables --help' for more information." subsys=iptables
level=fatal msg="Error while creating daemon" error="error while initializing daemon: cannot add static proxy rules: exit status 2" subsys=daemon
level=info msg="regenerating all endpoints" reason="kube-apiserver identity updated" subsys=endpoint-manager |
Is |
Ok I got Cilium and KinD working on WSL2, but I had to compile my own WSL kernel to do it because there are some things in there that as @pchaigno said aren't enabled. This is for the latest at the time of this message, 5.10.60.1. The steps at a high level are:
Run a Docker Container to build your stuff
Open up a PowerShell terminal:
from inside the container (now bash):
Copy that kernel image out of there
Open up a new PowerShell terminal:
This should put it in your
Tell WSL2 to use your new kernel
Edit
keep the double slashes. Shut down WSL (in PowerShell:
Credit goes to the TKG Community Edition team for easy-to-follow WSL kernel instructions. Those are here and obviously I cribbed it all for this. |
I could compile the latest WSL kernel (5.10.102.1), from ubuntu22.04 builder, and it was available in WSL2-kind.
Build-instructions (Official)
I had installed packages according to build-instructions. But, it is missing some packages.
apt-get update && apt-get install -y build-essential flex bison dwarves libssl-dev libelf-dev
make -j2 KCONFIG_CONFIG=Microsoft/config-wsl
#[1] add python-is-python3
/usr/bin/env: 'python3': No such file or directory
#[2] add bc
/bin/sh: 1: bc: not found
Build-instructions (After all)
We can compile the package by installing it
apt-get update && apt-get install -y build-essential flex bison dwarves libssl-dev libelf-dev python-is-python3 bc
make -j 7 KCONFIG_CONFIG=Microsoft/config-wsl
note: I am removing the git package, because I am using gitlab-ci.
Sample:
|
I am trying to Install CILIUM on windows with WSL2.
When I am installing with L7 Proxy I am getting below exception.
level=error msg="Command execution failed" cmd="[iptables -w 5 -t raw -A CILIUM_PRE_raw -m mark --mark 0x00000200/0x00000f00 -m comment --comment cilium: NOTRACK for proxy traffic -j NOTRACK]" error="exit status 2" subsys=iptables
level=warning msg="**iptables v1.8.4 (legacy): Couldn't load target `NOTRACK':No such file or directory**" subsys=iptables
level=warning subsys=iptables
level=warning msg="Try `iptables -h' or 'iptables --help' for more information." subsys=iptables
level=error msg="Error while initializing daemon" error="cannot add static proxy rules: exit status 2" subsys=daemon
I checked: the CILIUM iptables rules file is giving this error.
https://github.com/cilium/cilium/blob/master/pkg/datapath/iptables/iptables.go#L605
Linux WSL2 Configuration says they no longer support NOTRACK.
https://github.com/microsoft/WSL2-Linux-Kernel/blob/linux-msft-wsl-4.19.y/net/netfilter/Kconfig#L973
Not able to get around this workflow without disabling L7 Proxy, which is impacting the visibility of my PODS.
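A way to confirm the missing-kernel-option diagnosis from this thread before rebuilding a WSL2 kernel, as an added example that is not part of the original issue or of Cilium's code: it reads a kernel config and lists which netfilter options behind the failing raw-table rule are not enabled. The option list uses upstream Kconfig symbol names and is an assumption about what the rule needs; `missing_kernel_opts`, `running_kernel_config` and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Cilium code): list the netfilter options behind the
# failing raw-table rule that a given kernel config does not enable.

# Assumption: upstream Kconfig symbols for the raw table, the CT target used
# by "-j CT --notrack", and the mark/comment matches that appear in the rule.
REQUIRED_OPTS="CONFIG_IP_NF_RAW CONFIG_NETFILTER_XT_TARGET_CT \
CONFIG_NETFILTER_XT_MARK CONFIG_NETFILTER_XT_MATCH_COMMENT"

# Constructed sample: raw table present, CT target not built.
SAMPLE_CONFIG='CONFIG_IP_NF_RAW=y
# CONFIG_NETFILTER_XT_TARGET_CT is not set
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=y'

# Print the running kernel's config (/proc/config.gz needs CONFIG_IKCONFIG_PROC).
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "no kernel config found" >&2
        return 2
    fi
}

# Read a kernel config on stdin and print each option (arguments, or
# REQUIRED_OPTS by default) that is neither built in (=y) nor a module (=m).
# Exit status is 0 when nothing is missing, 1 otherwise. The body runs in a
# subshell, so its variables do not leak into the caller.
missing_kernel_opts() (
    [ $# -gt 0 ] || set -- $REQUIRED_OPTS
    cfg=$(cat)
    rc=0
    for opt in "$@"; do
        if ! printf '%s\n' "$cfg" | grep -q "^${opt}=[ym]\$"; then
            printf '%s\n' "$opt"
            rc=1
        fi
    done
    exit "$rc"
)

# Check the live kernel only when asked:  sh check-notrack.sh --live
if [ "${1:-}" = "--live" ]; then
    running_kernel_config | missing_kernel_opts
fi
```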