[Release-1.25] - Stop using legacy iptables for svclb pods #7236

Closed
galal-hussein opened this issue Apr 6, 2023 · 1 comment
@galal-hussein

Backport fix for Stop using legacy iptables for svclb pods

fmoral2 commented Apr 12, 2023

Validated on Version:

Environment Details

Infrastructure
Cloud EC2 instance

Node(s) CPU architecture, OS, and Version:
Ubuntu 22.04
CENTOS 7
SLES 15 SP4

Cluster Configuration:
1 node

Config.yaml 1 server node :

cat /etc/rancher/k3s/config.yaml
write-kubeconfig-mode: 644
token: <>

Steps to validate the fix:

  1. Create 3 nodes with 3 different OS
  2. Check lsmod for nf_tables and ip_tables
  3. Check klipper-lb version
  4. Upgrade and check again lsmod

Validation Results:

             
~$ cat /etc/os-release
NAME="SLES"
VERSION="15-SP4"
VERSION_ID="15.4"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP4"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp4"
DOCUMENTATION_URL="https://documentation.suse.com/"

~$ k3s --version
k3s version v1.25.8+k3s-540d19b0 (540d19b0)
go version go1.19.7

~$ kubectl -n kube-system describe pod svclb-traefik | grep rancher/klipper-lb
    Image:          rancher/klipper-lb:v0.4.3

~$ lsmod | grep "nf_tables"
~$

~$ lsmod | grep "ip_tables"
ip_tables              32768  3 iptable_filter,iptable_nat,iptable_mangle

~$ kubectl logs -n kube-system svclb-traefik-568763df-wmnh2  lb-tcp-443 |grep legacy
+ mode=legacy
+ info 'legacy mode detected'
+ echo '[INFO] ' 'legacy mode detected'
+ set_legacy
+ ln -sf /sbin/xtables-legacy-multi /sbin/iptables
[INFO]  legacy mode detected
+ ln -sf /sbin/xtables-legacy-multi /sbin/iptables-save
+ ln -sf /sbin/xtables-legacy-multi /sbin/iptables-restore
+ ln -sf /sbin/xtables-legacy-multi /sbin/ip6tables

------------

~$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.1 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

~$ k3s --version
k3s version v1.25.8+k3s-540d19b0 (540d19b0)
go version go1.19.7



~$ kubectl -n kube-system describe pod svclb-traefik-439b8d53-qbnrl | grep rancher/klipper-lb:
    Image:          rancher/klipper-lb:v0.4.3
    Image:          rancher/klipper-lb:v0.4.3

~$ lsmod | grep "nf_tables"
nf_tables             245760  475 nft_compat,nft_counter,nft_chain_nat,nft_limit
nfnetlink              20480  5 nft_compat,nf_conntrack_netlink,nf_tables,ip_set,nfnetlink_log
libcrc32c              16384  4 nf_conntrack,nf_nat,nf_tables,ip_vs

~$ lsmod | grep "ip_tables"
ip_tables              32768  2 iptable_filter,iptable_nat

~$ kubectl logs -n kube-system svclb-traefik-439b8d53-6gcz4  lb-tcp-443 | grep legacy
~$

######  Update to v1.26.3+k3s1  #######

~$ k3s --version
k3s version v1.26.3+k3s1 (01ea3ff2)
go version go1.19.7

~$ kubectl -n kube-system describe pod svclb-traefik-439b8d53-qbnrl | grep rancher/klipper-lb:
    Image:          rancher/klipper-lb:v0.4.3
    Image:          rancher/klipper-lb:v0.4.3

~$ lsmod | grep "nf_tables"
nf_tables             245760  480 nft_compat,nft_counter,nft_chain_nat,nft_limit
nfnetlink              20480  5 nft_compat,nf_conntrack_netlink,nf_tables,ip_set,nfnetlink_log
libcrc32c              16384  4 nf_conntrack,nf_nat,nf_tables,ip_vs

~$ lsmod | grep "ip_tables"
ip_tables              32768  2 iptable_filter,iptable_nat

~$ kubectl logs -n kube-system svclb-traefik-439b8d53-6gcz4  lb-tcp-443 | grep legacy
~$

-------------

~$ k3s --version
k3s version v1.25.8+k3s-540d19b0 (540d19b0)
go version go1.19.7

~$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

~$ kubectl logs -n kube-system svclb-traefik-98a7617e-4lwrz lb-tcp-443 |grep nft
~$

~$ lsmod | grep "nf_tables"
~$

~$ lsmod | grep "ip_tables"
ip_tables              27126  3 iptable_filter,iptable_mangle,iptable_nat


~$ kubectl logs -n kube-system svclb-traefik-98a7617e-4lwrz lb-tcp-443 |grep "legacy"
+ mode=legacy
+ info 'legacy mode detected'
+ echo '[INFO] ' 'legacy mode detected'
+ set_legacy
+ ln -sf /sbin/xtables-legacy-multi /sbin/iptables
[INFO]  legacy mode detected
+ ln -sf /sbin/xtables-legacy-multi /sbin/iptables-save
+ ln -sf /sbin/xtables-legacy-multi /sbin/iptables-restore
+ ln -sf /sbin/xtables-legacy-multi /sbin/ip6tables


~$ kubectl -n kube-system describe pod svclb-traefik | grep rancher/klipper-lb
    Image:          rancher/klipper-lb:v0.4.3
    Image ID:       docker.io/rancher/klipper-lb@sha256:2b963c02974155f7e9a51c54b91f09099e48b4550689aadb595e62118e045c10
    Image:          rancher/klipper-lb:v0.4.3
    Image ID:       docker.io/rancher/klipper-lb@sha256:2b963c02974155f7e9a51c54b91f09099e48b4550689aadb595e62118e045c10
  Normal  Pulling    3m8s  kubelet            Pulling image "rancher/klipper-lb:v0.4.3"
  Normal  Pulled     3m7s  kubelet            Successfully pulled image "rancher/klipper-lb:v0.4.3" in 1.498320289s (1.498332342s including waiting)
  Normal  Pulled     3m6s  kubelet            Container image "rancher/klipper-lb:v0.4.3" already present on machine
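
The manual check in the comment above, as a script. This is an added example, not part of the original comment and not code from k3s or klipper-lb. The function names are hypothetical, and two things are assumptions inferred from the three results above: a host with `nf_tables` loaded should get a non-legacy pod, and a pod log without the `legacy mode detected` line counts as nft mode. The sample inputs are constructed from the output shown on this page.

```shell
#!/bin/sh
# Added example: compare the host's loaded netfilter modules with the
# iptables mode an svclb pod reported in its entrypoint trace.

# host_backend LSMOD_TEXT -> prints nft | legacy | none
host_backend() {
    # Match the module-name column only: "nf_tables" also appears in the
    # "used by" column of other modules (e.g. nfnetlink), which a plain
    # grep would count as a hit.
    printf '%s\n' "$1" | awk '
        $1 == "nf_tables" { nft = 1 }
        $1 == "ip_tables" { legacy = 1 }
        END { if (nft) print "nft"; else if (legacy) print "legacy"; else print "none" }'
}

# pod_mode LOG_TEXT -> prints legacy if the log reports it, else nft
# (assumption: no "legacy mode detected" line means nft mode)
pod_mode() {
    if printf '%s\n' "$1" | grep -q 'legacy mode detected'; then
        echo legacy
    else
        echo nft
    fi
}

# check_svclb LSMOD_TEXT LOG_TEXT -> prints a verdict, returns 1 on mismatch
check_svclb() {
    host=$(host_backend "$1")
    pod=$(pod_mode "$2")
    if [ "$host" = "$pod" ]; then
        echo "OK host=$host pod=$pod"
    else
        echo "MISMATCH host=$host pod=$pod"
        return 1
    fi
}

# Constructed sample inputs, abbreviated from the output on this page.
SLES_LSMOD='ip_tables              32768  3 iptable_filter,iptable_nat,iptable_mangle'
UBUNTU_LSMOD='nf_tables             245760  475 nft_compat,nft_counter,nft_chain_nat,nft_limit
nfnetlink              20480  5 nft_compat,nf_conntrack_netlink,nf_tables,ip_set,nfnetlink_log
ip_tables              32768  2 iptable_filter,iptable_nat'
LEGACY_LOG='+ mode=legacy
[INFO]  legacy mode detected'

check_svclb "$SLES_LSMOD" "$LEGACY_LOG"
check_svclb "$UBUNTU_LSMOD" ""
check_svclb "$UBUNTU_LSMOD" "$LEGACY_LOG" || true
```

On a live node the two arguments would be `"$(lsmod)"` and the output of the `kubectl logs` command used above.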





@fmoral2 fmoral2 closed this as completed Apr 12, 2023