
[release-1.23] Backport changes from master for 2022-12 release #6601

Closed
brandond opened this issue Dec 1, 2022 · 8 comments

@brandond brandond self-assigned this Dec 1, 2022
@brandond brandond added this to the 1.23.15+k3s1 milestone Dec 1, 2022
VestigeJ commented Dec 7, 2022

#6487

#6488

Validated that rootless allows MTU configuration and selection of the port driver, i.e. within the systemd service file:
Environment=K3S_ROOTLESS_PORT_DRIVER=slirp4netns
Environment=K3S_ROOTLESS_MTU=1333

VERSION=v1.23.14+k3s1
COMMIT=9fc26d7265d0cb9b54576b5ffdb8abf953d674de

Infrastructure

  • Cloud

Node(s) CPU architecture, OS, and version:

Linux 5.15.0-1019-aws x86_64 GNU/Linux Ubuntu 22.04.1 LTS

Cluster Configuration:

NAME               STATUS   ROLES                  AGE     VERSION
ip-17-13-15-19   Ready    control-plane,master   7m58s   v1.23.14+k3s1 

Rootless with default configs

$  curl https://get.k3s.io --output install-k3s.sh
$  sudo chmod +x install-k3s.sh
$  VERSION=v1.23.14+k3s1
$  sudo groupadd --system etcd && sudo useradd -s /sbin/nologin --system -g etcd etcd
$  wget https://raw.githubusercontent.com/k3s-io/k3s/master/k3s-rootless.service
$  mkdir -p /home/ubuntu/.config/systemd/user/
$  cp k3s-rootless.service /home/ubuntu/.config/systemd/user/k3s-rootless.service
$  printf "[Service]\nDelegate=cpu cpuset io memory pids\n" > delegate.conf
$  sudo mkdir -p /etc/systemd/system/user@.service.d/
$  sudo cp ~/delegate.conf /etc/systemd/system/user@.service.d/delegate.conf
$  sudo tee -a /etc/modules <<EOF
fuse
tun
tap 
bridge
br_netfilter 
veth
ip_tables
ip6_tables
iptable_nat
ip6table_nat
iptable_filter
ip6table_filter
nf_tables
x_tables
xt_MASQUERADE
xt_addrtype
xt_comment
xt_conntrack
xt_mark
xt_multiport
xt_nat
xt_tcpudp
EOF

$  sudo vim /etc/default/grub

$  sudo update-grub
$  sudo INSTALL_K3S_VERSION=$VERSION INSTALL_K3S_SKIP_ENABLE=true ./install-k3s.sh 
$  sudo cat k3s-rootless.service 
$  sudo vim .config/systemd/user/k3s-rootless.service 
$  printf "net.ipv4.ip_forward=1\n net.ipv6.conf.all.forwarding=1\n" | sudo tee -a /etc/sysctl.conf /dev/null
$  sudo apt update
$  sudo apt install uidmap
$  sudo reboot
$  systemctl --user enable --now k3s-rootless.service
$  systemctl --user status k3s-rootless

$ cat .config/systemd/user/k3s-rootless.service

[Unit]
Description=k3s (Rootless)

[Service]
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# NOTE: Don't try to run `k3s server --rootless` on a terminal, as it doesn't enable cgroup v2 delegation.
# If you really need to try it on a terminal, prepend `systemd-run --user -p Delegate=yes --tty` to create a systemd scope.
ExecStart=/usr/local/bin/k3s server --rootless --snapshotter=fuse-overlayfs
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
Delegate=yes
Type=simple
KillMode=mixed

[Install]
WantedBy=default.target

$ systemctl --user status k3s-rootless

● k3s-rootless.service - k3s (Rootless)
     Loaded: loaded (/home/ubuntu/.config/systemd/user/k3s-rootless.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-12-07 00:17:06 UTC; 2min 37s ago
   Main PID: 817 (k3s-server)
      Tasks: 186
     Memory: 1.6G
        CPU: 1min 2.254s
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/k3s-rootless.service
             ├─k3s
             │ └─1005 "k3s server" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ">
             ├─k3s_evac
             │ ├─ 817 "/usr/local/bin/k3s server" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ">
             │ ├─ 915 "/proc/self/exe init" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ">
             │ ├─ 926 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --cidr 10.41.0.0/16 915 tap0
             │ ├─ 975 "k3s server" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ">

Rootless with new envVar configs

$  curl https://get.k3s.io --output install-k3s.sh
$  sudo chmod +x install-k3s.sh
$  COMMIT=9fc26d7265d0cb9b54576b5ffdb8abf953d674de
$  sudo groupadd --system etcd && sudo useradd -s /sbin/nologin --system -g etcd etcd
$  wget https://raw.githubusercontent.com/k3s-io/k3s/master/k3s-rootless.service
$  mkdir -p /home/ubuntu/.config/systemd/user/
$  cp k3s-rootless.service /home/ubuntu/.config/systemd/user/k3s-rootless.service
$  printf "[Service]\nDelegate=cpu cpuset io memory pids\n" > delegate.conf
$  sudo mkdir -p /etc/systemd/system/user@.service.d/
$  sudo cp ~/delegate.conf /etc/systemd/system/user@.service.d/delegate.conf
$  sudo tee -a /etc/modules <<EOF
fuse
tun
tap 
bridge
br_netfilter 
veth
ip_tables
ip6_tables
iptable_nat
ip6table_nat
iptable_filter
ip6table_filter
nf_tables
x_tables
xt_MASQUERADE
xt_addrtype
xt_comment
xt_conntrack
xt_mark
xt_multiport
xt_nat
xt_tcpudp
EOF

$  sudo vim /etc/default/grub
To enable cgroup v2, add systemd.unified_cgroup_hierarchy=1 to the GRUB_CMDLINE_LINUX line in /etc/default/grub and run sudo update-grub
$  sudo update-grub
$  sudo INSTALL_K3S_COMMIT=$COMMIT INSTALL_K3S_SKIP_ENABLE=true ./install-k3s.sh 
$  sudo cat k3s-rootless.service 
$  sudo vim .config/systemd/user/k3s-rootless.service 
$  printf "net.ipv4.ip_forward=1\n net.ipv6.conf.all.forwarding=1\n" | sudo tee -a /etc/sysctl.conf /dev/null
$  sudo apt update
$  sudo apt install uidmap
$  sudo reboot
$  systemctl --user enable --now k3s-rootless.service
$  systemctl --user status k3s-rootless

$ cat .config/systemd/user/k3s-rootless.service

[Unit]
Description=k3s (Rootless)

[Service]
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Environment=K3S_ROOTLESS_CIDR="13.33.0.0/16"
Environment=K3S_ROOTLESS_PORT_DRIVER=slirp4netns
Environment=K3S_ROOTLESS_DISABLE_HOST_LOOPBACK=true
Environment=K3S_ROOTLESS_MTU=1333
# NOTE: Don't try to run `k3s server --rootless` on a terminal, as it doesn't enable cgroup v2 delegation.
# If you really need to try it on a terminal, prepend `systemd-run --user -p Delegate=yes --tty` to create a systemd scope.
ExecStart=/usr/local/bin/k3s server --rootless --snapshotter=fuse-overlayfs
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
Delegate=yes
Type=simple
KillMode=mixed

[Install]
WantedBy=default.target

$ systemctl --user status k3s-rootless

● k3s-rootless.service - k3s (Rootless)
     Loaded: loaded (/home/ubuntu/.config/systemd/user/k3s-rootless.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-12-07 00:17:05 UTC; 2min 53s ago
   Main PID: 834 (k3s-server)
      Tasks: 184
     Memory: 1.6G
        CPU: 1min 505ms
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/k3s-rootless.service
             ├─k3s
             │ └─1022 "k3s server" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─k3s_evac
             │ ├─ 834 "/usr/local/bin/k3s server" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "">
             │ ├─ 989 "/proc/self/exe init" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "">
             │ ├─ 999 slirp4netns --mtu 1333 -r 3 --disable-host-loopback --cidr 13.33.0.0/16 --api-socket /tmp/rootless2275814662/.s4nn.sock 989 tap0
             │ ├─1002 "k3s server" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
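The two status outputs above show the effect of the new environment variables on the slirp4netns command line (MTU 65520 vs 1333, the default 10.41.0.0/16 CIDR vs 13.33.0.0/16, and `--disable-host-loopback`, which stops the rootless network namespace from reaching services bound to the host's loopback addresses). The following is an added example, not code from the k3s project or from this thread: a small POSIX sh check that reads a slirp4netns process line and confirms it reflects the intended `K3S_ROOTLESS_*` settings. The sample lines are constructed from the output quoted above; the `pgrep -a` usage at the end is an assumption about how one would feed it a live process.

```shell
# Added example (not k3s project code): verify that a running slirp4netns
# command line matches the K3S_ROOTLESS_* values set in the systemd unit.

# Print the value that follows a long option on a command line.
# Usage: arg_value "<cmdline>" "--mtu"
arg_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk -v opt="$2" '
        $0 == opt { getline; print; exit }'
}

# Return 0 when the line carries the expected MTU, CIDR and host-loopback
# setting ("true" means --disable-host-loopback must be present);
# print the first mismatch and return 1 otherwise.
check_slirp4netns() {
    line=$1; want_mtu=$2; want_cidr=$3; want_noloop=$4
    case "$line" in
        *slirp4netns*) ;;
        *) echo "not a slirp4netns line"; return 1 ;;
    esac
    mtu=$(arg_value "$line" --mtu)
    cidr=$(arg_value "$line" --cidr)
    case "$line" in
        *--disable-host-loopback*) noloop=true ;;
        *) noloop=false ;;
    esac
    [ "$mtu" = "$want_mtu" ] || { echo "mtu: got '$mtu' want '$want_mtu'"; return 1; }
    [ "$cidr" = "$want_cidr" ] || { echo "cidr: got '$cidr' want '$want_cidr'"; return 1; }
    [ "$noloop" = "$want_noloop" ] || { echo "disable-host-loopback: got $noloop want $want_noloop"; return 1; }
    return 0
}

# Constructed sample lines mirroring the two systemctl status outputs above.
DEFAULT_LINE='926 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --cidr 10.41.0.0/16 915 tap0'
TUNED_LINE='999 slirp4netns --mtu 1333 -r 3 --disable-host-loopback --cidr 13.33.0.0/16 --api-socket /tmp/rootless2275814662/.s4nn.sock 989 tap0'

# Assumed live usage on the node (pgrep -a prints "pid cmdline"):
#   check_slirp4netns "$(pgrep -a slirp4netns)" 1333 13.33.0.0/16 true
```

Running the check against the tuned line with the default MTU fails, which is the point: it catches a unit file whose `Environment=` lines were edited but never picked up because the service was not restarted.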

VestigeJ commented Dec 12, 2022

#3117

Environment Details
VERSION=v1.23.15-rc1+k3s1

Infrastructure

  • Cloud

Node(s) CPU architecture, OS, and version:

Linux 4.18.0-193.el8.x86_64 x86_64 GNU/Linux Red Hat Enterprise Linux 8.7 (Ootpa)

Cluster Configuration:

NAME                                         STATUS   ROLES                       AGE     VERSION
ip-7-33-33-7.us-east-2.compute.internal   Ready    control-plane,etcd,master   65m     v1.23.15-rc1+k3s1
ip-7-33-31-3.us-east-2.compute.internal   Ready    <none>                      4m51s   v1.23.15-rc1+k3s1 

Config.yaml:

write-kubeconfig-mode: 644
debug: true
token: epicsnow
protect-kernel-defaults: true
cluster-init: true
prefer-bundled-bin: true

STEPS

$ curl https://get.k3s.io --output install-"k3s".sh
$ sudo chmod +x install-"k3s".sh
$ sudo groupadd --system etcd && sudo useradd -s /sbin/nologin --system -g etcd etcd
$ sudo modprobe ip_vs_rr
$ sudo modprobe ip_vs_wrr
$ sudo modprobe ip_vs_sh
$ printf "vm.panic_on_oom=0 \nvm.overcommit_memory=1 \nkernel.panic=10 \nkernel.panic_ps=1 \nkernel.panic_on_oops=1 \nkernel.keys.root_maxbytes=25000000\n" > ~/90-kubelet.conf
$ sudo cp 90-kubelet.conf /etc/sysctl.d/
$ sudo sysctl -p /etc/sysctl.d/90-kubelet.conf
$ iptables -V
$ VERSION=v1.23.15-rc1+k3s1
$ sudo INSTALL_K3S_VERSION=$VERSION INSTALL_K3S_EXEC=server ./install-k3s.sh 
$ sudo iptables -L | wc -l
$ sudo ps faux | grep 'k3s server'    # or grep 'k3s agent' on the agent node
$ sudo cat /proc/17791/environ | tr '\0' '\n'

Results:

Additional context / logs:

**before adding prefer-bundled-bin: true to config.yaml (server node)**
config.yaml

write-kubeconfig-mode: 644
debug: true
token: epicsnow
protect-kernel-defaults: true
cluster-init: true

$ sudo cat /proc/45522/environ | tr '\0' '\n'

PATH=/var/lib/rancher/k3s/data/f8e42a76a3d19563f39821f14fd09f0f7205cd72f7f8d8828d86e01c8545d1bb/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/var/lib/rancher/k3s/data/f8e42a76a3d19563f39821f14fd09f0f7205cd72f7f8d8828d86e01c8545d1bb/bin/aux
NOTIFY_SOCKET=/run/systemd/notify
INVOCATION_ID=17d00a2b72574ee3a325a2f1f915015b
JOURNAL_STREAM=9:247610
RES_OPTIONS= 
K3S_DATA_DIR=/var/lib/rancher/k3s/data/f8e42a76a3d19563f39821f14fd09f0f7205cd72f7f8d8828d86e01c8545d1bb

**agent node**
agent config.yaml with flag

token: epicsnow
server: https://8.222.222.8:6443
protect-kernel-defaults: true

$ sudo cat /proc/19545/environ | tr '\0' '\n'

PATH=/var/lib/rancher/k3s/data/f8e42a76a3d19563f39821f14fd09f0f7205cd72f7f8d8828d86e01c8545d1bb/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/var/lib/rancher/k3s/data/f8e42a76a3d19563f39821f14fd09f0f7205cd72f7f8d8828d86e01c8545d1bb/bin/aux
NOTIFY_SOCKET=/run/systemd/notify
INVOCATION_ID=35270be0d8d74403964dbdb2b6cb990d
JOURNAL_STREAM=9:259946
RES_OPTIONS= 
K3S_DATA_DIR=/var/lib/rancher/k3s/data/f8e42a76a3d19563f39821f14fd09f0f7205cd72f7f8d8828d86e01c8545d1bb

**after adding prefer-bundled-bin: true to config.yaml**
$ sudo cat /proc/17791/environ | tr '\0' '\n'    # note bin/aux now prefixing the rest of PATH

PATH=/var/lib/rancher/k3s/data/f8e42a76a3d19563f39821f14fd09f0f7205cd72f7f8d8828d86e01c8545d1bb/bin:/var/lib/rancher/k3s/data/f8e42a76a3d19563f39821f14fd09f0f7205cd72f7f8d8828d86e01c8545d1bb/bin/aux:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
NOTIFY_SOCKET=/run/systemd/notify
INVOCATION_ID=eff595740f394342a693e836741ef46d
JOURNAL_STREAM=9:128555
RES_OPTIONS= 
K3S_DATA_DIR=/var/lib/rancher/k3s/data/f8e42a76a3d19563f39821f14fd09f0f7205cd72f7f8d8828d86e01c8545d1bb

agent config.yaml with flag

token: epicsnow
server: https://8.222.222.8:6443
protect-kernel-defaults: true
prefer-bundled-bin: true
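The before/after environment dumps above differ only in where `bin/aux` sits in `PATH`: without `prefer-bundled-bin` the host's `/usr/local/sbin:...:/usr/bin` comes first and the bundled `bin/aux` is last, so a host-installed binary of the same name wins; with the flag both bundled directories precede every host directory. The following is an added example, not code from the k3s project or from this thread: a POSIX sh check that takes the PATH a k3s process was started with and confirms every `K3S_DATA_DIR` entry precedes the first host entry. The sample PATH strings are constructed from the output above with the data-dir hash shortened; `path_of_pid` is an assumed helper for reading a live process, not something k3s ships.

```shell
# Added example (not k3s project code): check whether the bundled bin/ and
# bin/aux directories precede every host directory in a process's PATH,
# which is what prefer-bundled-bin is meant to guarantee.

# bundled_bin_first PATH DATADIR
# Returns 0 if every entry under DATADIR comes before the first entry outside
# it; prints the offending entry and returns 1 otherwise.
bundled_bin_first() {
    path=$1; datadir=$2; seen_host=""
    old_ifs=$IFS
    IFS=:; set -- $path; IFS=$old_ifs   # split PATH on ':' without a subshell
    for entry in "$@"; do
        case "$entry" in
            "$datadir"/*)
                if [ -n "$seen_host" ]; then
                    echo "bundled dir $entry comes after host dir $seen_host"
                    return 1
                fi ;;
            *)
                [ -n "$seen_host" ] || seen_host=$entry ;;
        esac
    done
    return 0
}

# Assumed helper: read the PATH of a live process from /proc (needs root for
# another user's process), e.g. path_of_pid "$(pidof k3s-server)".
path_of_pid() {
    tr '\0' '\n' < "/proc/$1/environ" | sed -n 's/^PATH=//p'
}

# Constructed sample values mirroring the before/after dumps above
# (data-dir hash shortened for readability).
DATA=/var/lib/rancher/k3s/data/f8e42a76
PATH_BEFORE="$DATA/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:$DATA/bin/aux"
PATH_AFTER="$DATA/bin:$DATA/bin/aux:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"

# Live use on a node (assumed):
#   bundled_bin_first "$(path_of_pid "$(pidof k3s-server)")" "$K3S_DATA_DIR"
```

The check deliberately flags the "before" layout even though `$DATA/bin` is already first there, because `bin/aux` (where the bundled iptables and friends live) trails the host directories and is therefore never the preferred copy.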

VestigeJ commented Dec 12, 2022

traefik/traefik-helm-chart#719

#6467

$ helm ls -A

NAME            NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                           APP VERSION
traefik         kube-system     1               2022-12-12 22:50:03.262861769 +0000 UTC deployed        traefik-20.3.1+up20.3.0         v2.9.4     
traefik-crd     kube-system     1               2022-12-12 22:50:00.58925587 +0000 UTC  deployed        traefik-crd-20.3.1+up20.3.0     v2.9.4  

$ sudo k3s ctr i ls | grep 'traefik'

docker.io/rancher/mirrored-library-traefik:2.9.4                                                                   application/vnd.docker.distribution.manifest.list.v2+json sha256:0842af6afcdf4305d17e862bad4eaf379d0817c987eedabeaff334e2273459c1 36.9 MiB  linux/amd64,linux/arm/v6,linux/arm64/v8,linux/s390x            io.cri-containerd.image=managed 
docker.io/rancher/mirrored-library-traefik@sha256:0842af6afcdf4305d17e862bad4eaf379d0817c987eedabeaff334e2273459c1 application/vnd.docker.distribution.manifest.list.v2+json sha256:0842af6afcdf4305d17e862bad4eaf379d0817c987eedabeaff334e2273459c1 36.9 MiB  linux/amd64,linux/arm/v6,linux/arm64/v8,linux/s390x            io.cri-containerd.image=managed 

$ sudo cat /var/lib/rancher/k3s/server/manifests/traefik.yaml

---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik-crd
  namespace: kube-system
spec:
  chart: https://%{KUBERNETES_API}%/static/charts/traefik-crd-20.3.1+up20.3.0.tgz
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik
  namespace: kube-system
spec:
  chart: https://%{KUBERNETES_API}%/static/charts/traefik-20.3.1+up20.3.0.tgz
  set:
    global.systemDefaultRegistry: ""
  valuesContent: |-
    podAnnotations:
      prometheus.io/port: "8082"
      prometheus.io/scrape: "true"
    providers:
      kubernetesIngress:
        publishedService:
          enabled: true
    priorityClassName: "system-cluster-critical"
    image:
      name: "rancher/mirrored-library-traefik"
      tag: "2.9.4"
    tolerations:
    - key: "CriticalAddonsOnly"
      operator: "Exists"
    - key: "node-role.kubernetes.io/control-plane"
      operator: "Exists"
      effect: "NoSchedule"
    - key: "node-role.kubernetes.io/master"
      operator: "Exists"
      effect: "NoSchedule"
    service:
      ipFamilyPolicy: "PreferDualStack"

@VestigeJ

#6499

$ kgn

NAME                                         STATUS   ROLES                       AGE     VERSION
ip-7-3-9-8.us-east-2.compute.internal   Ready    control-plane,etcd,master   4m45s   v1.23.15-rc1+k3s1
ip-7-3-2-3.us-east-2.compute.internal   Ready    <none>                      3m42s   v1.23.15-rc1+k3s1

$ get_figs

=========== k3s config =========== 
write-kubeconfig-mode: 644
debug: true
token: epicsalads
protect-kernel-defaults: true
cluster-init: true
cni: calico

$ kgp -A

NAMESPACE     NAME                                      READY   STATUS      RESTARTS   AGE
kube-system   coredns-5cfbb9f57c-k67x6                  1/1     Running     0          78s
kube-system   helm-install-traefik-bpg4n                0/1     Completed   1          78s
kube-system   helm-install-traefik-crd-zqkk2            0/1     Completed   0          78s
kube-system   local-path-provisioner-5f8bbd68f9-zpgtw   1/1     Running     0          78s
kube-system   metrics-server-65cd754bcd-hmvj2           1/1     Running     0          78s
kube-system   svclb-traefik-acafc945-vxzxv              2/2     Running     0          18s
kube-system   svclb-traefik-acafc945-x4zvq              2/2     Running     0          58s
kube-system   traefik-5cd8994cdd-t7jsp                  1/1     Running     0          58s

All attempts to detect errors arising from the issue fail as expected with the fix for 6499

$ sudo journalctl -eu rke2-server | grep "retryingvxlan0"
$ sudo journalctl -eu rke2-server | grep "retryingvxlan"
$ sudo journalctl -eu rke2-server | grep "retrying"
$ sudo journalctl -eu rke2-server | grep -i 'retry'
$ sudo journalctl -eu rke2-server | grep -i 'hns'
$ sudo journalctl -eu rke2-server | grep -i 'warning'
$ sudo journalctl -eu rke2-server | grep -i 'networks'
$ sudo journalctl -eu rke2-server | grep -i 'wait'
$ sudo journalctl -u rke2-server | grep -i 'retryingvxlan'
$ sudo journalctl -u rke2-server | grep -i 'retrying'
$ sudo journalctl -u rke2-server | grep -i 'hns'
$ sudo journalctl -u rke2-server | grep -i 'not found'

@est-suse

#5056

After talking to Bryan Guzman, the issue was not fixed until the next sprint.

est-suse commented Dec 13, 2022

#6554

1 node

config.yaml

disable-cloud-controller: true
write-kubeconfig-mode: 644

$ journalctl -u k3s | grep 'securely'

Dec 13 14:55:21 ip-172-31-4-185 k3s[1616]: I1213 14:55:21.265266    1616 secure_serving.go:266] Serving securely on 127.0.0.1:6444
Dec 13 14:55:25 ip-172-31-4-185 k3s[1616]: I1213 14:55:25.105319    1616 secure_serving.go:200] Serving securely on 127.0.0.1:10257
Dec 13 14:55:25 ip-172-31-4-185 k3s[1616]: I1213 14:55:25.576440    1616 secure_serving.go:200] Serving securely on 127.0.0.1:10259

$ sudo lsof -i -P -n | grep LISTEN | grep 10258
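The validation above reads the "Serving securely on" lines to confirm that the supervisor (6444), controller-manager (10257) and scheduler (10259) listeners are bound to 127.0.0.1 and that nothing is listening on 10258 once the cloud controller is disabled. The following is an added example, not code from the k3s project or from this thread: a POSIX sh filter that extracts every "Serving securely on host:port" address from journal output on stdin and fails if any of them is not a loopback address. The sample journal lines are constructed from the ones quoted above plus one deliberately non-loopback line for the negative case.

```shell
# Added example (not k3s project code): confirm that every "Serving securely
# on" listener reported in the k3s journal is bound to loopback only.

# Print "host port" for every "Serving securely on host:port" line on stdin.
serving_addrs() {
    sed -n 's/.*Serving securely on \([^ ]*\):\([0-9][0-9]*\).*/\1 \2/p'
}

# Read journal lines on stdin; return 0 if all listeners are on loopback,
# otherwise print the non-loopback ones and return 1.
loopback_only() {
    bad=$(serving_addrs | awk '$1 != "127.0.0.1" && $1 != "[::1]" && $1 != "localhost" { print }')
    [ -z "$bad" ] && return 0
    printf 'non-loopback listener: %s\n' "$bad"
    return 1
}

# Count how many "Serving securely on" listeners appear on stdin.
serving_count() {
    serving_addrs | awk 'END { print NR }'
}

# Constructed sample input mirroring the journal lines above.
SAMPLE_OK='Dec 13 14:55:21 host k3s[1616]: I1213 14:55:21.265266 1616 secure_serving.go:266] Serving securely on 127.0.0.1:6444
Dec 13 14:55:25 host k3s[1616]: I1213 14:55:25.105319 1616 secure_serving.go:200] Serving securely on 127.0.0.1:10257
Dec 13 14:55:25 host k3s[1616]: I1213 14:55:25.576440 1616 secure_serving.go:200] Serving securely on 127.0.0.1:10259'
# Constructed negative case: same lines plus one listener on all interfaces.
SAMPLE_BAD="$SAMPLE_OK
Dec 13 14:55:26 host k3s[1616]: I1213 14:55:26.000000 1616 secure_serving.go:200] Serving securely on 0.0.0.0:10259"

# Live use on a node (assumed):
#   sudo journalctl -u k3s | loopback_only
```

Pairing this with the `lsof` check above gives two independent views: the journal says what the components believe they bound, and `lsof` says what the kernel actually has listening.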

est-suse commented Dec 13, 2022

#6027

config.yaml:

flannel-backend: ipsec
write-kubeconfig-mode: 644

k3s server --help should display the flannel-backend flag with ipsec marked as deprecated:

k3s server --help | grep flannel-backend
   --flannel-backend value                    (networking) backend<=option1=val1,option2=val2> where backend is one of 'none', 'vxlan', 'ipsec' (deprecated), 'host-gw', 'wireguard-native', 'wireguard' (deprecated) (default: "vxlan")
   --no-flannel          

Installing with flannel-backend: ipsec failed with the following error message:

Dec 13 15:14:44 ip-172-31-4-185 k3s[5040]: time="2022-12-13T15:14:44Z" level=info msg="Module iptable_nat was already loaded"
Dec 13 15:14:44 ip-172-31-4-185 k3s[5040]: time="2022-12-13T15:14:44Z" level=fatal msg="k3s no longer includes strongswan - please install strongswan's swanctl and charon packages on your host: exec: \"swanctl\": executable file not found in $PATH"
Dec 13 15:14:44 ip-172-31-4-185 systemd[1]: k3s.service: Main process exited, code=exited, status=1/FAILURE

Validated that when the swanctl and charon packages are installed before the installation, k3s works OK.

@est-suse

All issues have been tested.
