Error rootless-cni-infra: modprobe: can't change directory to '/lib/modules': No such file or director #2271
Please try
The problem is that recent kernel versions do not contain the Are there any alternatives such as the ones in
My assumption is that the implementation of iptables between the host machine and the Ubuntu-based 12.0.4 container image is breaking how NAT gets set up.
@AkihiroSuda where is this
I can't see those in master, but at first sight it will need this as base container to deal with the iptables/nftables problem and detect the correct backend
I added the following file to my local kind node image and I successfully started my kind cluster!
From 4a56395a28bd1745781d0dfaa7f8382faf0b55f5 Mon Sep 17 00:00:00 2001
From: bagnaram <[email protected]>
Date: Thu, 27 May 2021 10:34:21 -0500
Subject: [PATCH] podman patches
---
images/Makefile.common.in | 12 +++++++-----
images/base/Dockerfile | 2 ++
2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/images/Makefile.common.in b/images/Makefile.common.in
index ee335d1e..1213b4b1 100644
--- a/images/Makefile.common.in
+++ b/images/Makefile.common.in
@@ -14,10 +14,12 @@ export DOCKER_CLI_EXPERIMENTAL=enabled
# build with buildx
PLATFORMS?=linux/amd64,linux/arm64,linux/ppc64le
+PLATFORMS=linux/amd64
OUTPUT=
PROGRESS=auto
-build: ensure-buildx
- docker buildx build --platform=${PLATFORMS} $(OUTPUT) --progress=$(PROGRESS) -t ${IMAGE} --pull .
+build:
+# docker buildx build --platform=${PLATFORMS} $(OUTPUT) --progress=$(PROGRESS) -t ${IMAGE} --pull .
+ podman build --platform=${PLATFORMS} $(OUTPUT) -t ${IMAGE} --pull .
# push the cross built image
push: OUTPUT=--push
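Review bot: `+PLATFORMS=linux/amd64` sits right after `PLATFORMS?=linux/amd64,linux/arm64,linux/ppc64le` and unconditionally overrides it, so the multi-arch default and the `?=` environment override are both lost and every build silently becomes amd64-only; drop the line or keep the `?=` form. In the same hunk the new `build:` target no longer depends on `ensure-buildx` while the `# build with buildx` comment above it is unchanged, and the `podman build` line drops `--progress=$(PROGRESS)`; either put the engine choice behind a variable or update the comment so the Makefile states that buildx is bypassed.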
@@ -32,7 +34,7 @@ quick: OUTPUT=--load
quick: build
# enable buildx
-ensure-buildx:
- ./../../hack/build/init-buildx.sh
+#ensure-buildx:
+# ./../../hack/build/init-buildx.sh
-.PHONY: push build quick ensure-buildx
\ No newline at end of file
+.PHONY: push build quick ensure-buildx
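Review bot: `+.PHONY: push build quick ensure-buildx` still declares `ensure-buildx` phony even though the target itself is commented out two lines above; remove it from `.PHONY` or keep the target rather than commenting it out. Apart from that, the `-`/`+` pair only adds the missing trailing newline, which is worth keeping on its own.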
diff --git a/images/base/Dockerfile b/images/base/Dockerfile
index ec8fcd7c..cf4013ff 100644
--- a/images/base/Dockerfile
+++ b/images/base/Dockerfile
@@ -167,6 +167,8 @@ RUN echo "Installing Packages ..." \
&& echo "Disabling udev" \
&& systemctl disable udev.service
+RUN iptables-wrapper-installer.sh
+
# tell systemd that it is in docker (it will check for the container env)
# https://systemd.io/CONTAINER_INTERFACE/
ENV container docker
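Review bot: `+RUN iptables-wrapper-installer.sh` invokes a script that nothing in this diff copies into the image or pins to a version, so the build relies on the script already being on PATH in the base layer and its provenance is not fixed in the repository; add an explicit `COPY` of a vendored copy (or a pinned fetch with checksum verification) before this `RUN`, which also answers the submodule-versus-copy question raised below. Consider chaining it into the preceding `RUN ... && systemctl disable udev.service` step instead of adding a separate layer.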
--
2.31.1
This is just a test but shows what was necessary to gut it to build. Also buildx appears to be added inline with both docker and podman build commands, so no need to call it explicitly. What would be the path forward for incorporating the iptables-wrapper? Can it be added as a git submodule or do we copy it as-is to this repository?
I reached out to podman developers and they are no longer using that container for podman in master, that image has been deprecated ...
I actually did not have to touch the
what's confusing then is kind is doing the iptables-wrapper logic, it just does it in the entrypoint instead of using that project ... the reason it hasn't worked on podman before is podman was not inserting any iptables rules so there's nothing to select based on. we have other issues where this problem is discussed
I think my issue mostly deals with a disparity between the version of iptables in the Ubuntu based node image and the iptables kernel modules available in the bind-mounted
Hmm I don't see the wrapper doing that. https://github.com/kubernetes-sigs/iptables-wrappers/blob/master/iptables-wrapper-installer.sh We have equivalent simpler logic in the entrypoint given that e.g. we only need to do this for apt not other distro tools.
kind/images/base/files/usr/local/bin/entrypoint, lines 328 to 330 in 227f963
EDIT: nope, we're effectively doing the same thing as the wrapper 🙃, you don't need to do it for all the binaries, just for the package.
I think that The userspace iptables is the one that checks the kernel modules

in the wrapper:

```sh
if [ "${need_timeout:-0}" = 0 ]; then
    # Write out the simpler version of legacy-vs-nft detection
    cat >> "${sbin}/iptables-wrapper" <<EOF
num_legacy_lines=\$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep '^-' | wc -l)
num_nft_lines=\$( (iptables-nft-save || true; ip6tables-nft-save || true) 2>/dev/null | grep '^-' | wc -l)
if [ "\${num_legacy_lines}" -ge "\${num_nft_lines}" ]; then
    mode=legacy
else
    mode=nft
fi
```

in kind:

```sh
local mode=nft
num_legacy_lines=$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep '^-' | wc -l || true)
if [ "${num_legacy_lines}" -ge 10 ]; then
    mode=legacy
else
    num_nft_lines=$( (timeout 5 sh -c "iptables-nft-save; ip6tables-nft-save" || true) 2>/dev/null | grep '^-' | wc -l || true)
    if [ "${num_legacy_lines}" -ge "${num_nft_lines}" ]; then
        mode=legacy
    fi
fi
```
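To make the difference between the two selection rules concrete, here is an added example (not code from kind or from kubernetes-sigs/iptables-wrappers) that re-implements both decisions and runs them over constructed `iptables-save` style output instead of a live kernel. The chain and rule names in the samples are invented, and the 5-second `timeout` kind wraps around `iptables-nft-save` is omitted because the input is canned.

```sh
#!/bin/sh
# Added example (not kind's or iptables-wrappers' code): the two legacy-vs-nft
# selection rules quoted above, applied to constructed save output so the
# inputs on which they disagree are visible without touching netfilter.
# All chain and rule names below are invented for illustration.

# Both scripts count rule lines as: save output | grep '^-' | wc -l.
count_rules() {
    grep '^-' | wc -l | tr -d ' '
}

# iptables-wrapper (simpler variant, no timeout): legacy wins ties.
# $1 = legacy rule count, $2 = nft rule count
wrapper_mode() {
    if [ "$1" -ge "$2" ]; then
        echo legacy
    else
        echo nft
    fi
}

# kind entrypoint: 10 or more legacy rules short-circuits to legacy before
# the nft side is consulted; otherwise the same comparison as the wrapper.
kind_mode() {
    if [ "$1" -ge 10 ]; then
        echo legacy
    elif [ "$1" -ge "$2" ]; then
        echo legacy
    else
        echo nft
    fi
}

# Constructed sample: what iptables-legacy-save might print on a host whose
# container engine programmed a dozen rules through the legacy backend.
legacy_sample() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample, legacy backend)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:CNI-HOSTPORT-DNAT - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A OUTPUT -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A POSTROUTING -s 10.88.0.0/16 -j MASQUERADE
-A CNI-HOSTPORT-DNAT -p tcp --dport 6443 -j DNAT --to-destination 10.88.0.2:6443
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i cni-podman0 -j ACCEPT
-A FORWARD -o cni-podman0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Constructed sample: what iptables-nft-save might print once something like
# kube-proxy has programmed service rules through the nft backend.
nft_sample() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample, nft backend)
*nat
:KUBE-SERVICES - [0:0]
:KUBE-POSTROUTING - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp --dport 443 -j KUBE-SVC-API
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp --dport 53 -j KUBE-SVC-DNS-UDP
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp --dport 53 -j KUBE-SVC-DNS-TCP
-A KUBE-SVC-API -j KUBE-SEP-API
-A KUBE-SVC-DNS-UDP -j KUBE-SEP-DNS-UDP
-A KUBE-SVC-DNS-TCP -j KUBE-SEP-DNS-TCP
-A KUBE-SEP-API -p tcp -j DNAT --to-destination 172.18.0.2:6443
-A KUBE-SEP-DNS-UDP -p udp -j DNAT --to-destination 10.244.0.2:53
-A KUBE-SEP-DNS-TCP -p tcp -j DNAT --to-destination 10.244.0.2:53
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
-A KUBE-POSTROUTING -j MASQUERADE
COMMIT
EOF
}

# Feed the same counts to both rules and report where each lands.
compare_modes() {
    legacy_n=$(legacy_sample | count_rules)
    nft_n=$(nft_sample | count_rules)
    echo "legacy=$legacy_n nft=$nft_n wrapper=$(wrapper_mode "$legacy_n" "$nft_n") kind=$(kind_mode "$legacy_n" "$nft_n")"
}

compare_modes
```

With 12 legacy rules and 14 nft rules the wrapper answers `nft` while kind answers `legacy`: once the legacy backend holds 10 or more rules, kind commits to it without looking at the nft side at all. That is exactly the regime a container engine that programs its own NAT rules through legacy iptables (rootless Podman in this thread) puts the node into, so the two implementations can pick different backends on the same host even though they share the counting logic.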
that logic is not identical. perhaps in podman rootless there are rules from legacy and nft?
waiting on discussion of #2289 (comment)
FWIW #2289 landed, I'm still dubious on that being the ultimate root issue.
It appears to check out fine for me using the latest Kind node images and no longer my custom built ones!
Who knew 🙃 This makes me concerned that perhaps podman is resulting in both being used 🤔 but that's not really our problem ...
What happened:
Preparing Nodes stage fails under rootless Podman.
What you expected to happen:
It should work.
How to reproduce it (as minimally and precisely as possible):
Install podman 3.1.2-2
Install kind v0.11.0 go1.16.4 linux/amd64
Follow steps https://wiki.archlinux.org/title/Podman#Rootless_Podman to enable rootless Podman
Follow steps https://kind.sigs.k8s.io/docs/user/rootless/ to enable rootless Kind
Anything else we need to know?:
Environment:
kind version (`kind version`): kind v0.11.0 go1.16.4 linux/amd64
Kubernetes version (`kubectl version`): Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.1", GitCommit:"5e58841cce77d4bc13713ad2b91fa0d961e69192", GitTreeState:"archive", BuildDate:"2021-05-14T14:09:09Z", GoVersion:"go1.16.4", Compiler:"gc", Platform:"linux/amd64"}
Docker version (`docker info`): podman 3.1.2-2
OS (e.g. from `/etc/os-release`): 5.12.5-arch1-1