herzogf / homek8s

Kubernetes installer for your datacenter at home.
MIT License

Fix the gateway iptables provisioning in the local test environment #12

Closed herzogf closed 4 years ago

herzogf commented 4 years ago

Running the test/native_run_homek8s.sh against the local dev gateway VM yields the following exception:

TASK [gateway : Add iptables rule for MASQUERADE over external interface] *********************************************************************************************************
fatal: [rpi-gateway]: FAILED! => {"changed": false, "cmd": "/usr/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE -o wlan0", "msg": "iptables v1.8.2 (nf_tables): Chain 'MASQUERADE' does not exist\nTry `iptables -h' or 'iptables --help' for more information.", "rc": 2, "stderr": "iptables v1.8.2 (nf_tables): Chain 'MASQUERADE' does not exist\nTry `iptables -h' or 'iptables --help' for more information.\n", "stderr_lines": ["iptables v1.8.2 (nf_tables): Chain 'MASQUERADE' does not exist", "Try `iptables -h' or 'iptables --help' for more information."], "stdout": "", "stdout_lines": []}

The gateway VM is definitely missing the second network interface (normally the wifi interface on a physical Raspberry Pi, i.e. our wlan0), but the error mentions a missing MASQUERADE chain, so we have to check whether this is really missing in the stock Raspbian and needs to be created. So, action plan:

  1. check whether MASQUERADE chain must be created (or if error message is misleading)
  2. add second network interface to gateway VM

herzogf commented 4 years ago

It seems that on the current Raspbian version (and after apt-get upgrade) iptables changed to the newer nftables, which is now the default on the newest Debian. I have seen this on Debian but not yet on Raspbian on a physical Raspberry Pi.

iptables on raspbian reports this after the playbook:

root@raspberrypi:/var/log/apt# iptables -S
# Warning: iptables-legacy tables present, use iptables-legacy to see them
iptables: Invalid argument. Run `dmesg' for more information.

k3s needs iptables-legacy on all k3s nodes, and it makes life easier for us when the gateway uses the legacy iptables as well. See https://wiki.debian.org/iptables for further information on switching to iptables-legacy.
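
As an added example (not part of the issue thread or the homek8s project), the script below shows one way to check which iptables backend a node uses and switch it to legacy with the `update-alternatives` commands from the Debian wiki. The function names and the `--apply` flag are assumptions made for this example; the version strings in the comments are constructed samples, except for `iptables v1.8.2 (nf_tables)`, which is taken from the error above.

```shell
#!/bin/sh
# Added example: classify the iptables backend and optionally switch to legacy.

# Classify the output of `iptables --version`.
# Prints one of: nf_tables | legacy | pre-1.8 | unknown
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*)       echo nf_tables ;;  # e.g. "iptables v1.8.2 (nf_tables)"
        *"(legacy)"*)          echo legacy ;;     # e.g. "iptables v1.8.2 (legacy)"
        "iptables v1."[0-7].*) echo pre-1.8 ;;    # older releases print no backend suffix
        *)                     echo unknown ;;
    esac
}

# Decide what to do for a given version string.
# Prints one of: switch | ok | manual
plan_for() {
    case "$(iptables_backend "$1")" in
        nf_tables)      echo switch ;;
        legacy|pre-1.8) echo ok ;;
        *)              echo manual ;;
    esac
}

# Point the Debian alternatives at the legacy binaries (requires root).
switch_to_legacy() {
    update-alternatives --set iptables /usr/sbin/iptables-legacy &&
    update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
}

# Nothing is changed unless the script is called with --apply.
if [ "${1:-}" = "--apply" ]; then
    version="$(iptables --version)"
    case "$(plan_for "$version")" in
        switch) switch_to_legacy && echo "switched: $(iptables --version)" ;;
        ok)     echo "already legacy: $version" ;;
        *)      echo "unrecognised backend: $version" >&2; exit 1 ;;
    esac
fi
```

Rules already loaded through the nf_tables backend stay in the kernel after the switch, so flush them or reboot the node before re-running the playbook.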