[release-1.24] Backport changes from master for 2022-12 release #6600

Closed
brandond opened this issue Dec 1, 2022 · 4 comments

@brandond brandond self-assigned this Dec 1, 2022
@brandond brandond added this to the v1.24.9+k3s1 milestone Dec 1, 2022
VestigeJ commented Dec 6, 2022

Clocking in for both rootless allow mtu configuration and selection of the port driver

## Environment Details
COMMIT=dabd995365fc339647485c3a0bee0ab59d88fa7e
VERSION=v1.24.8+k3s1

Infrastructure

  • Cloud

Node(s) CPU architecture, OS, and version:

Linux 5.15.0-1019-aws x86_64 GNU/Linux Ubuntu 22.04.1 LTS

Cluster Configuration:

NAME               STATUS   ROLES                  AGE     VERSION
ip-2-3-8-8   Ready    control-plane,master   5m20s   v1.24.8+k3s1 

Rootless with default configuration

$  curl https://get.k3s.io --output install-k3s.sh
$  sudo chmod +x install-k3s.sh
$  VERSION=v1.24.8+k3s1
$  sudo groupadd --system etcd && sudo useradd -s /sbin/nologin --system -g etcd etcd
$  wget https://raw.githubusercontent.com/k3s-io/k3s/master/k3s-rootless.service
$  mkdir -p /home/ubuntu/.config/systemd/user/
$  cp k3s-rootless.service /home/ubuntu/.config/systemd/user/k3s-rootless.service
$  printf "[Service]\nDelegate=cpu cpuset io memory pids\n" > delegate.conf
$  sudo mkdir -p /etc/systemd/system/[email protected]/
$  sudo cp ~/delegate.conf /etc/systemd/system/[email protected]/delegate.conf
$  sudo tee -a /etc/modules <<EOF
fuse
tun
tap 
bridge
br_netfilter 
veth
ip_tables
ip6_tables
iptable_nat
ip6table_nat
iptable_filter
ip6table_filter
nf_tables
x_tables
xt_MASQUERADE
xt_addrtype
xt_comment
xt_conntrack
xt_mark
xt_multiport
xt_nat
xt_tcpudp
EOF

$  sudo vim /etc/default/grub
To enable cgroup v2, add systemd.unified_cgroup_hierarchy=1 to the GRUB_CMDLINE_LINUX line in /etc/default/grub and run sudo update-grub
$  sudo update-grub
$  sudo INSTALL_K3S_VERSION=$VERSION INSTALL_K3S_SKIP_ENABLE=true ./install-k3s.sh 
$  sudo cat k3s-rootless.service 
$  sudo vim .config/systemd/user/k3s-rootless.service 
$  printf "net.ipv4.ip_forward=1\n net.ipv6.conf.all.forwarding=1\n" | sudo tee -a /etc/sysctl.conf /dev/null
$  sudo apt update
$  sudo apt install uidmap
$  sudo reboot
$  systemctl --user enable --now k3s-rootless.service
$  systemctl --user status k3s-rootless

$ systemctl --user status k3s-rootless.service

● k3s-rootless.service - k3s (Rootless)
     Loaded: loaded (/home/ubuntu/.config/systemd/user/k3s-rootless.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-12-06 22:54:50 UTC; 2min 4s ago
   Main PID: 1145 (k3s-server)
      Tasks: 183
     Memory: 1.7G
        CPU: 56.632s
     CGroup: /user.slice/user-1000.slice/[email protected]/app.slice/k3s-rootless.service
             ├─k3s
             │ └─1191 "k3s server" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ">
             ├─k3s_evac
             │ ├─1145 "/usr/local/bin/k3s server" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ">
             │ ├─1157 "/proc/self/exe init" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ">
             │ ├─1167 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --cidr 10.41.0.0/16 1157 tap0
             │ ├─1170 "k3s server" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ">

$ kgp -A

NAMESPACE     NAME                                      READY   STATUS      RESTARTS   AGE
kube-system   coredns-7b5bbc6644-dg227                  1/1     Running     0          88s
kube-system   local-path-provisioner-687d6d7765-6s2nd   1/1     Running     0          88s
kube-system   helm-install-traefik-crd-m698v            0/1     Completed   0          88s
kube-system   metrics-server-84f8d4c4fc-6pwsr           1/1     Running     0          88s
kube-system   svclb-traefik-54a5e391-d5v2v              2/2     Running     0          55s
kube-system   helm-install-traefik-qlcvl                0/1     Completed   2          88s
kube-system   traefik-6b8f69d897-7bn4b                  1/1     Running     0          55s

Rootless with newer environment variables

**Validated with**
COMMIT=dabd995365fc339647485c3a0bee0ab59d88fa7e

$  curl https://get.k3s.io --output install-k3s.sh
$  sudo chmod +x install-k3s.sh
$  sudo groupadd --system etcd && sudo useradd -s /sbin/nologin --system -g etcd etcd
$  wget https://raw.githubusercontent.com/k3s-io/k3s/master/k3s-rootless.service
$  mkdir -p /home/ubuntu/.config/systemd/user/
$  cp k3s-rootless.service /home/ubuntu/.config/systemd/user/k3s-rootless.service
$  printf "[Service]\nDelegate=cpu cpuset io memory pids\n" > delegate.conf
$  sudo mkdir -p /etc/systemd/system/[email protected]/
$  sudo cp ~/delegate.conf /etc/systemd/system/[email protected]/delegate.conf
$  sudo tee -a /etc/modules <<EOF
fuse
tun
tap 
bridge
br_netfilter 
veth
ip_tables
ip6_tables
iptable_nat
ip6table_nat
iptable_filter
ip6table_filter
nf_tables
x_tables
xt_MASQUERADE
xt_addrtype
xt_comment
xt_conntrack
xt_mark
xt_multiport
xt_nat
xt_tcpudp
EOF

$  sudo vim /etc/default/grub
$  sudo update-grub
$  COMMIT=dabd995365fc339647485c3a0bee0ab59d88fa7e
$  sudo INSTALL_K3S_COMMIT=$COMMIT INSTALL_K3S_SKIP_ENABLE=true ./install-k3s.sh 
$  sudo cat k3s-rootless.service 
$  sudo vim .config/systemd/user/k3s-rootless.service 
$  printf "net.ipv4.ip_forward=1\n net.ipv6.conf.all.forwarding=1\n" | sudo tee -a /etc/sysctl.conf /dev/null
$  sudo apt update
$  sudo apt install uidmap
$  sudo reboot
$  systemctl --user enable --now k3s-rootless.service
$  systemctl --user status k3s-rootless

Additional context / logs:

$ systemctl --user status k3s-rootless.service

● k3s-rootless.service - k3s (Rootless)
     Loaded: loaded (/home/ubuntu/.config/systemd/user/k3s-rootless.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-12-06 22:54:27 UTC; 2min 45s ago
   Main PID: 1146 (k3s-server)
      Tasks: 182
     Memory: 1.7G
        CPU: 1min 683ms
     CGroup: /user.slice/user-1000.slice/[email protected]/app.slice/k3s-rootless.service
             ├─k3s
             │ └─1192 "k3s server" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─k3s_evac
             │ ├─1146 "/usr/local/bin/k3s server" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "">
             │ ├─1159 "/proc/self/exe init" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "">
             │ ├─1168 slirp4netns --mtu 1499 -r 3 --disable-host-loopback --cidr 10.49.0.0/16 --api-socket /tmp/rootless1622778627/.s4nn.sock --enable-ipv6 1159>
             │ ├─1173 "k3s server" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""

$ cat .config/systemd/user/k3s-rootless.service

[Unit]
Description=k3s (Rootless)

[Service]
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Environment=K3S_ROOTLESS_MTU=1499
Environment=K3S_ROOTLESS_CIDR="10.49.0.0/16"
Environment=K3S_ROOTLESS_PORT_DRIVER=slirp4netns
Environment=K3S_ROOTLESS_ENABLE_IPV6=true
# NOTE: Don't try to run `k3s server --rootless` on a terminal, as it doesn't enable cgroup v2 delegation.
# If you really need to try it on a terminal, prepend `systemd-run --user -p Delegate=yes --tty` to create a systemd scope.
ExecStart=/usr/local/bin/k3s server --rootless --snapshotter=fuse-overlayfs
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
Delegate=yes
Type=simple
KillMode=mixed

[Install]
WantedBy=default.target
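
The rootless setup above depends on several host prerequisites (cgroup v2 with controller delegation, a subordinate UID range for `newuidmap`, IP forwarding, and the kernel modules appended to /etc/modules). The script below is an added pre-flight check for those prerequisites, written for this page; it is not part of the comment above or of the k3s project. It assumes the delegated-controller file lives at `/sys/fs/cgroup/user.slice/user-<uid>.slice/user@<uid>.service/cgroup.controllers`, that /etc/subuid is keyed by user name, and that built-in modules can be recognised by their `.ko` name in `modules.builtin`; every check takes a file path so it can also be run against fixture files.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the rootless k3s setup walked through above.
# Added example, not k3s project code. Every check takes a file path so it can
# run against the live host (defaults) or against constructed fixture files.
set -u

# Controllers delegate.conf hands to the user session (Delegate=cpu cpuset io memory pids).
REQUIRED_CONTROLLERS="cpu cpuset io memory pids"

# Modules appended to /etc/modules in the procedure above.
REQUIRED_MODULES="fuse tun tap bridge br_netfilter veth ip_tables ip6_tables iptable_nat
ip6table_nat iptable_filter ip6table_filter nf_tables x_tables xt_MASQUERADE xt_addrtype
xt_comment xt_conntrack xt_mark xt_multiport xt_nat xt_tcpudp"

# cgroup.controllers of the calling user's systemd session on a cgroup v2 host
# (assumed path; this is where delegated controllers show up).
user_controllers_file() {
  printf '/sys/fs/cgroup/user.slice/user-%s.slice/user@%s.service/cgroup.controllers' \
    "$(id -u)" "$(id -u)"
}

# 0 when every required controller is listed in file $1; otherwise name the
# missing ones on stderr and return 1. A missing file means no unified hierarchy.
check_delegated_controllers() {
  local file="${1:-$(user_controllers_file)}" have missing=""
  [ -r "$file" ] || { echo "cgroup v2 controllers file not readable: $file" >&2; return 1; }
  have=" $(tr -s '[:space:]' ' ' < "$file") "
  for c in $REQUIRED_CONTROLLERS; do
    case "$have" in *" $c "*) ;; *) missing="$missing $c" ;; esac
  done
  [ -z "$missing" ] || { echo "controllers not delegated:$missing" >&2; return 1; }
}

# 0 when user $1 owns at least 65536 subordinate IDs in $2 (default /etc/subuid).
# newuidmap/newgidmap from the uidmap package need this range to build the user
# namespace. Assumes entries are keyed by user name rather than numeric UID.
check_subid_range() {
  local user="$1" file="${2:-/etc/subuid}" total=0 name start count
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  while IFS=: read -r name start count || [ -n "$name" ]; do
    [ "$name" = "$user" ] && total=$((total + ${count:-0}))
  done < "$file"
  [ "$total" -ge 65536 ] || { echo "$user has only $total subordinate IDs in $file" >&2; return 1; }
}

# 0 when the forwarding knob in file $1 (default /proc/sys/net/ipv4/ip_forward) reads 1.
check_forwarding() {
  local file="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ "$(cat "$file" 2>/dev/null)" = "1" ] || { echo "forwarding disabled: $file" >&2; return 1; }
}

# 0 when every required module is loaded (/proc/modules, $1) or built into the
# kernel (modules.builtin, $2); otherwise list the missing ones and return 1.
# Assumes the module name matches its .ko file name in modules.builtin.
check_modules() {
  local loaded="${1:-/proc/modules}" builtin="${2:-/lib/modules/$(uname -r)/modules.builtin}" missing="" m
  for m in $REQUIRED_MODULES; do
    grep -q "^$m " "$loaded" 2>/dev/null && continue
    grep -q "/$m\.ko" "$builtin" 2>/dev/null && continue
    missing="$missing $m"
  done
  [ -z "$missing" ] || { echo "kernel modules not available:$missing" >&2; return 1; }
}

# Run every check against the live host for user $1 (default: the caller);
# returns non-zero if any prerequisite is missing. Usage: source the file, then `preflight`.
preflight() {
  local rc=0
  check_delegated_controllers || rc=1
  check_subid_range "${1:-$(id -un)}" || rc=1
  check_forwarding || rc=1
  check_forwarding /proc/sys/net/ipv6/conf/all/forwarding || rc=1
  check_modules || rc=1
  return $rc
}
```

Run `preflight` as the unprivileged user who will own the k3s-rootless.service unit, after the reboot in the procedure: a failing `check_delegated_controllers` is the usual cause of the "doesn't enable cgroup v2 delegation" situation the unit file comment warns about, and a failing `check_subid_range` means `uidmap` is installed but the user has no range in /etc/subuid.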

mdrahman-suse commented Dec 13, 2022

Verified in v1.24.9-rc2+k3s1

Update containerd to v1.6.10

Verified in #6641 (comment)

v20.1.1 chart release missing from gh-pages branch / chart repo traefik/traefik-helm-chart#719
$ sudo k3s ctr i ls | grep 'traefik'
docker.io/rancher/mirrored-library-traefik:2.9.4                                                                   application/vnd.docker.distribution.manifest.list.v2+json sha256:0842af6afcdf4305d17e862bad4eaf379d0817c987eedabeaff334e2273459c1 36.9 MiB  linux/amd64,linux/arm/v6,linux/arm64/v8,linux/s390x            io.cri-containerd.image=managed
docker.io/rancher/mirrored-library-traefik@sha256:0842af6afcdf4305d17e862bad4eaf379d0817c987eedabeaff334e2273459c1 application/vnd.docker.distribution.manifest.list.v2+json sha256:0842af6afcdf4305d17e862bad4eaf379d0817c987eedabeaff334e2273459c1 36.9 MiB  linux/amd64,linux/arm/v6,linux/arm64/v8,linux/s390x            io.cri-containerd.image=managed

$ sudo cat /var/lib/rancher/k3s/server/manifests/traefik.yaml
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik-crd
  namespace: kube-system
spec:
  chart: https://%{KUBERNETES_API}%/static/charts/traefik-crd-20.3.1+up20.3.0.tgz
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik
  namespace: kube-system
spec:
  chart: https://%{KUBERNETES_API}%/static/charts/traefik-20.3.1+up20.3.0.tgz
  set:
    global.systemDefaultRegistry: ""
  valuesContent: |-
    podAnnotations:
      prometheus.io/port: "8082"
      prometheus.io/scrape: "true"
    providers:
      kubernetesIngress:
        publishedService:
          enabled: true
    priorityClassName: "system-cluster-critical"
    image:
      name: "rancher/mirrored-library-traefik"
      tag: "2.9.4"
    tolerations:
    - key: "CriticalAddonsOnly"
      operator: "Exists"
    - key: "node-role.kubernetes.io/control-plane"
      operator: "Exists"
      effect: "NoSchedule"
    - key: "node-role.kubernetes.io/master"
      operator: "Exists"
      effect: "NoSchedule"
    service:
      ipFamilyPolicy: "PreferDualStack"
Rootless: Add ability to select port driver #6488

Followed the steps in here to validate in v1.24.9-rc3+rke2r1: #6600 (comment)

Unexpected server behaviour with --disable-cloud-controller flag #6554
  • Replication:
$ cat /etc/rancher/k3s/config.yaml
write-kubeconfig-mode: 644
token: summer
cluster-init: true
disable-cloud-controller: true

$ k3s -v
k3s version v1.24.8+k3s1 (648004e4)
go version go1.18.8

$ journalctl -u k3s|grep 'securely'
Dec 16 22:03:25 ip-172-31-26-63 k3s[1726]: I1216 22:03:25.857267    1726 secure_serving.go:210] Serving securely on 127.0.0.1:6444
Dec 16 22:03:30 ip-172-31-26-63 k3s[1726]: I1216 22:03:30.245004    1726 secure_serving.go:210] Serving securely on 127.0.0.1:10259
Dec 16 22:03:30 ip-172-31-26-63 k3s[1726]: I1216 22:03:30.404657    1726 secure_serving.go:210] Serving securely on 127.0.0.1:10257
Dec 16 22:03:31 ip-172-31-26-63 k3s[1726]: I1216 22:03:31.766196    1726 secure_serving.go:210] Serving securely on 127.0.0.1:10258

$ sudo lsof -i -P -n | grep LISTEN | grep 10258
k3s-serve 1726            root  243u  IPv4  30442      0t0  TCP 127.0.0.1:10258 (LISTEN)
  • Validation:
$ cat /etc/rancher/k3s/config.yaml
write-kubeconfig-mode: 644
token: summer
cluster-init: true
disable-cloud-controller: true

$ k3s -v
k3s version v1.24.9-rc3+k3s1 (4dcf0a33)
go version go1.18.9

$ journalctl -u k3s|grep 'securely'
Dec 16 22:06:57 ip-172-31-26-63 k3s[4239]: I1216 22:06:57.036482    4239 secure_serving.go:210] Serving securely on 127.0.0.1:6444
Dec 16 22:07:01 ip-172-31-26-63 k3s[4239]: I1216 22:07:01.362506    4239 secure_serving.go:210] Serving securely on 127.0.0.1:10259
Dec 16 22:07:01 ip-172-31-26-63 k3s[4239]: I1216 22:07:01.918620    4239 secure_serving.go:210] Serving securely on 127.0.0.1:10257

$ sudo lsof -i -P -n | grep LISTEN | grep 10258
$
Investigate alternatives for StrongSwan #6027
# config
write-kubeconfig-mode: 644
token: summer
cluster-init: true
flannel-backend: ipsec

# Log after install, k3s fails to start
$ sudo journalctl -u k3s | grep swanctl
Dec 16 23:13:47 ip-xxx-xx-xx-xx k3s[10467]: time="2022-12-16T23:13:47Z" level=fatal msg="k3s no longer includes strongswan - please install strongswan's swanctl and charon packages on your host: exec: \"swanctl\": executable file not found in $PATH"

# Help doc 
$ k3s server --help | grep flannel-backend
   --flannel-backend value                    (networking) backend<=option1=val1,option2=val2> where backend is one of 'none', 'vxlan', 'ipsec' (deprecated), 'host-gw', 'wireguard-native', 'wireguard' (deprecated) (default: "vxlan")
  • After installing strongswan and charon packages, k3s started successfully
$ k3s -v
k3s version v1.24.9-rc3+k3s1 (4dcf0a33)
go version go1.18.9

$ kubectl get nodes
NAME              STATUS   ROLES                       AGE   VERSION
ip-xxx-xx-xx-63   Ready    control-plane,etcd,master   22m   v1.24.9-rc3+k3s1

bguzman-3pillar commented Dec 15, 2022

High load due to ksoftirqd, growing iptables rules #3117
  • Using the prefer-bundled-bin flag got this output:
    Passing the prefer-bundled-bin, PATH used by the k3s process is updated to use the k3s bundle first before OS binaries

Install K3S using the flag curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.24.9-rc3+k3s1 INSTALL_K3S_EXEC="server --prefer-bundled-bin" sh -

$ sudo cat /proc/1655/environ | xargs -0 echo | grep PATH
             PATH=/var/lib/rancher/k3s/data/3c428d94b0fbddb4562b01c872b0025f1202868a6ef6a48025167c107b2476f6/bin:/var/lib/rancher/k3s/data/3c428d94b0fbddb4562b01c872b0025f1202868a6ef6a48025167c107b2476f6/bin/aux:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin NOTIFY_SOCKET=/run/systemd/notify INVOCATION_ID=490eabed194e46bfbf8a6ddfa336e96e JOURNAL_STREAM=8:20677 SYSTEMD_EXEC_PID=1655 RES_OPTIONS=  K3S_DATA_DIR=/var/lib/rancher/k3s/data/3c428d94b0fbddb4562b01c872b0025f1202868a6ef6a48025167c107b2476f6
Traefik helm chart repo has moved #6467
$ k3s -v
k3s version v1.24.9-rc3+k3s1 (4dcf0a33)
go version go1.18.9
$ helm ls -A
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /etc/rancher/k3s/k3s.yaml
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /etc/rancher/k3s/k3s.yaml
NAME       	NAMESPACE  	REVISION	UPDATED                                	STATUS  	CHART                      	APP VERSION
traefik    	kube-system	1       	2022-12-15 17:39:34.333694124 +0000 UTC	deployed	traefik-20.3.1+up20.3.0    	v2.9.4     
traefik-crd	kube-system	1       	2022-12-15 17:39:32.133339463 +0000 UTC	deployed	traefik-crd-20.3.1+up20.3.0	v2.9.4     


$ sudo k3s ctr i ls | grep 'traefik'
docker.io/rancher/mirrored-library-traefik:2.9.4                                                                   application/vnd.docker.distribution.manifest.list.v2+json sha256:0842af6afcdf4305d17e862bad4eaf379d0817c987eedabeaff334e2273459c1 36.9 MiB  linux/amd64,linux/arm/v6,linux/arm64/v8,linux/s390x            io.cri-containerd.image=managed 
docker.io/rancher/mirrored-library-traefik@sha256:0842af6afcdf4305d17e862bad4eaf379d0817c987eedabeaff334e2273459c1 application/vnd.docker.distribution.manifest.list.v2+json sha256:0842af6afcdf4305d17e862bad4eaf379d0817c987eedabeaff334e2273459c1 36.9 MiB  linux/amd64,linux/arm/v6,linux/arm64/v8,linux/s390x            io.cri-containerd.image=managed 


$ sudo cat /var/lib/rancher/k3s/server/manifests/traefik.yaml
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik-crd
  namespace: kube-system
spec:
  chart: https://%{KUBERNETES_API}%/static/charts/traefik-crd-20.3.1+up20.3.0.tgz
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik
  namespace: kube-system
spec:
  chart: https://%{KUBERNETES_API}%/static/charts/traefik-20.3.1+up20.3.0.tgz
  set:
    global.systemDefaultRegistry: ""
  valuesContent: |-
    podAnnotations:
      prometheus.io/port: "8082"
      prometheus.io/scrape: "true"
    providers:
      kubernetesIngress:
        publishedService:
          enabled: true
    priorityClassName: "system-cluster-critical"
    image:
      name: "rancher/mirrored-library-traefik"
      tag: "2.9.4"
    tolerations:
    - key: "CriticalAddonsOnly"
      operator: "Exists"
    - key: "node-role.kubernetes.io/control-plane"
      operator: "Exists"
      effect: "NoSchedule"
    - key: "node-role.kubernetes.io/master"
      operator: "Exists"
      effect: "NoSchedule"
    service:
      ipFamilyPolicy: "PreferDualStack"
rootless k3s: allow configuring the mtu of slirp4netns #6487 - Tested by Justin here: https://github.com//issues/6600#issuecomment-1340149482
Remove windows sourceVip config for kube-proxy #6499
  • config.yaml
$ cat config.yaml 
write-kubeconfig-mode: 644
debug: true
token: test
cluster-init: true
cni: calico
$ kubectl get node,pod -A
NAME                  STATUS   ROLES                       AGE   VERSION
node/ip-172-31-1-71   Ready    <none>                      17m   v1.24.9-rc3+k3s1
node/ip-172-31-3-80   Ready    control-plane,etcd,master   21m   v1.24.9-rc3+k3s1

NAMESPACE     NAME                                           READY   STATUS      RESTARTS   AGE
default       pod/nginx-nodeport-deployment-c6c7fcb5-6wrns   1/1     Running     0          4m38s
default       pod/nginx-nodeport-deployment-c6c7fcb5-6xxxp   1/1     Running     0          4m38s
default       pod/nginx-nodeport-deployment-c6c7fcb5-k4wc2   1/1     Running     0          4m38s
default       pod/nginx-nodeport-deployment-c6c7fcb5-lhc65   1/1     Running     0          4m38s
kube-system   pod/coredns-7b5bbc6644-mh27t                   1/1     Running     0          20m
kube-system   pod/helm-install-traefik-btpnf                 0/1     Completed   1          20m
kube-system   pod/helm-install-traefik-crd-jd9rg             0/1     Completed   0          20m
kube-system   pod/local-path-provisioner-687d6d7765-jfsrp    1/1     Running     0          20m
kube-system   pod/metrics-server-667586758d-7hlbf            1/1     Running     0          20m
kube-system   pod/svclb-traefik-04d2ec9c-scvwj               2/2     Running     0          20m
kube-system   pod/svclb-traefik-04d2ec9c-zs7gp               2/2     Running     0          17m
kube-system   pod/traefik-64b96ccbcd-8kwbs                   1/1     Running     0          20m
  • All attempts to detect errors arising from the issue fail as expected with the fix for 6499
ubuntu@ip-172-31-3-80:~$ sudo journalctl -eu rke2-server | grep "retryingvxlan0"
ubuntu@ip-172-31-3-80:~$ sudo journalctl -eu rke2-server | grep "retryingvxlan0"
ubuntu@ip-172-31-3-80:~$ sudo journalctl -eu rke2-server | grep "retryingvxlan0"
ubuntu@ip-172-31-3-80:~$ sudo journalctl -eu rke2-server | grep "retryingvxlan0"
ubuntu@ip-172-31-3-80:~$ sudo journalctl -eu rke2-server | grep -i 'warning'
ubuntu@ip-172-31-3-80:~$ sudo journalctl -eu rke2-server | grep -i 'networks'
ubuntu@ip-172-31-3-80:~$ sudo journalctl -eu rke2-server | grep -i 'wait'
ubuntu@ip-172-31-3-80:~$ sudo journalctl -u rke2-server | grep -i 'retryingvxlan'
ubuntu@ip-172-31-3-80:~$ sudo journalctl -u rke2-server | grep -i 'retrying'
ubuntu@ip-172-31-3-80:~$ sudo journalctl -u rke2-server | grep -i 'hns'
ubuntu@ip-172-31-3-80:~$ sudo journalctl -u rke2-server | grep -i 'not found'
ubuntu@ip-172-31-3-80:~$ sudo journalctl -u k3s-server | grep -i 'not found'
Unexpected server behaviour with --disable-cloud-controller flag #6554

1-Copy config.yaml
2-Install k3s


$ journalctl -u k3s|grep 'securely'
Dec 15 17:39:02 ip-172-31-26-223 k3s[1648]: {"level":"info","ts":"2022-12-15T17:39:02.108Z","caller":"embed/serve.go:188","msg":"serving client traffic securely","address":"127.0.0.1:2379"}
Dec 15 17:39:02 ip-172-31-26-223 k3s[1648]: {"level":"info","ts":"2022-12-15T17:39:02.112Z","caller":"embed/serve.go:188","msg":"serving client traffic securely","address":"172.31.26.223:2379"}
Dec 15 17:39:06 ip-172-31-26-223 k3s[1648]: I1215 17:39:06.072692    1648 secure_serving.go:210] Serving securely on 127.0.0.1:6444
Dec 15 17:39:09 ip-172-31-26-223 k3s[1648]: I1215 17:39:09.354822    1648 secure_serving.go:210] Serving securely on 127.0.0.1:10257
Dec 15 17:39:12 ip-172-31-26-223 k3s[1648]: I1215 17:39:12.265447    1648 secure_serving.go:210] Serving securely on 127.0.0.1:10258
Dec 15 17:39:16 ip-172-31-26-223 k3s[1648]: I1215 17:39:16.374624    1648 secure_serving.go:210] Serving securely on 127.0.0.1:10259


$ sudo lsof -i -P -n | grep LISTEN | grep 10258
ubuntu@ip-172-31-26-223:~$ 
Investigate alternatives for StrongSwan #6027
# config.yaml
flannel-backend: ipsec
write-kubeconfig-mode: 644

k3s server --help should display the flannel-backend flag with ipsec (deprecated)

$ k3s server --help | grep flannel-backend
   --flannel-backend value                    (networking) backend<=option1=val1,option2=val2> where backend is one of 'none', 'vxlan', 'ipsec' (deprecated), 'host-gw', 'wireguard-native', 'wireguard' (deprecated) (default: "vxlan")

Install with flannel-backend: ipsec, it failed with the following error message:

Dec 15 19:51:12 ip-172-31-26-223 k3s[9688]: time="2022-12-15T19:51:12Z" level=info msg="Module iptable_filter was already loaded"
Dec 15 19:51:12 ip-172-31-26-223 k3s[9688]: time="2022-12-15T19:51:12Z" level=fatal msg="k3s no longer includes strongswan - please install strongswan's swanctl and charon packages on your host: exec: \"swanctl\": executable file not f>
Dec 15 19:51:12 ip-172-31-26-223 systemd[1]: k3s.service: Main process exited, code=exited, status=1/FAILURE

@mdrahman-suse

All issues have been validated. Closing!
