Ka0o0 opened this issue 3 years ago
After looking into the logs, I saw that k3s is not able to pull the images. It seems that the server container is not using the proxy settings from my Docker configuration.
➜ ~ docker exec -it ad4b0e18c8e6 sh
/ # echo $http_proxy
I'll now try to get my proxy settings into the server container. There are two possibilities: either specify the env variables with k3d, or find out why my Docker configuration is being ignored. Maybe k3d runs docker commands as another user.
Edit:
As suspected, the HTTP_PROXY env variables from my ~/.docker/config.json are not applied.
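For comparison, the Docker CLI picks up per-container proxy env variables from a "proxies" section in ~/.docker/config.json. A minimal sketch of what that section looks like (written to /tmp here purely for illustration; the proxy URL is a placeholder, not my actual setup):

```shell
# Example "proxies" section the Docker CLI reads from ~/.docker/config.json.
# Written to /tmp only to illustrate; proxy.example.com is a placeholder.
cat > /tmp/docker-config-example.json <<'EOF'
{
  "proxies": {
    "default": {
      "httpProxy": "http://proxy.example.com:3128",
      "httpsProxy": "http://proxy.example.com:3128",
      "noProxy": "127.0.0.1,localhost,0.0.0.0"
    }
  }
}
EOF
```

These values are injected as HTTP_PROXY/HTTPS_PROXY/NO_PROXY env variables into containers started via the Docker CLI, which is why I expected the k3d server container to inherit them.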
Okay, after setting the proxy settings via k3d cluster create -e HTTP_PROXY=xxx
I can see in my proxy's logs that images are being pulled. But I was still not able to log in. Another thing I noticed were the following logs from the service lb:
2020/12/07 12:13:06 [error] 16#16: *23 connect() failed (113: Host is unreachable) while connecting to upstream, client: 172.22.0.1, server: 0.0.0.0:6443, upstream: "172.22.0.2:6443", bytes from/to client:0/0, bytes from/to upstream:0/0
2020/12/07 12:13:07 [error] 16#16: *25 connect() failed (113: Host is unreachable) while connecting to upstream, client: 172.22.0.1, server: 0.0.0.0:6443, upstream: "172.22.0.2:6443", bytes from/to client:0/0, bytes from/to upstream:0/0
I first thought that K3s probably didn't start, but I logged into the server container with docker exec and used kubectl there. And it worked:
/ # kubectl get pods -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system metrics-server-7b4f8b595-996f6 1/1 Running 0 8m14s
kube-system local-path-provisioner-7ff9579c6-5bx6f 1/1 Running 0 8m14s
kube-system coredns-66c464876b-vzctl 1/1 Running 0 8m14s
kube-system helm-install-traefik-kl6dj 0/1 Completed 0 8m14s
kube-system svclb-traefik-bgq9d 2/2 Running 0 7m6s
kube-system traefik-5dd496474-2pwg2 1/1 Running 0 7m6s
/ # kubectl get nodes -A
NAME STATUS ROLES AGE VERSION
k3d-k3s-default-server-0 Ready master 8m28s v1.19.4+k3s1
So why is my service lb not able to connect to K3s? Running netstat yields:
/ # netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:31205 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:31975 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:10248 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:10249 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:10251 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.11:40203 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:10252 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:6444 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:10256 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:10010 0.0.0.0:* LISTEN
tcp 0 0 :::10250 :::* LISTEN
tcp 0 0 :::6443 :::* LISTEN
So I logged into my lb container and installed ncat. I had already run a ping test towards my k3s container, which worked; now I tried to establish a TCP connection using ncat. And this is where I ran into a problem: ncat -v 172.22.0.2 6443
yields host not reachable. So I guess that I need to fix this problem.
So the final solution to this problem is to not forget to add the new bridge interface that k3d creates to the trusted zone of your firewall. On Fedora, running firewall-cmd --permanent --zone=trusted --change-interface=br-266f7145dcdc && firewall-cmd --reload
solved my problem.
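The interface name in that command comes from Docker's bridge naming scheme: "br-" plus the first 12 characters of the network ID. A small sketch of deriving it automatically instead of copying it by hand (the network name k3d-k3s-default assumes the default cluster name):

```shell
# Docker names the Linux bridge "br-" + the first 12 chars of the network ID.
bridge_ifname() {
  printf 'br-%s\n' "$(printf '%s' "$1" | cut -c1-12)"
}

# Usage (requires docker and root; k3d-k3s-default assumes the default
# cluster name):
#   iface=$(bridge_ifname "$(docker network inspect -f '{{.Id}}' k3d-k3s-default)")
#   sudo firewall-cmd --permanent --zone=trusted --change-interface="$iface"
#   sudo firewall-cmd --reload
```

This avoids having to read the interface name off `ip link` after every cluster recreation, since the bridge ID changes each time the network is recreated.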
I'm not sure if you consider this working as intended, but I think it would have been nice to get a reminder to configure the firewall.
Hi @Ka0o0 , thanks for opening this issue and doing all the research! Replying to the two things you mentioned so far:
As I just found out, it's actually not specific to Fedora: all Linux distributions using nftables have this problem. The problem is also described here: https://fedoraproject.org/wiki/Changes/firewalld_default_to_nftables#Scope I think it's not a problem with k3d but a missing feature in moby (https://github.com/moby/moby/issues/26824). Ideally, Docker should integrate with nftables and automatically add the correct rules when creating new interfaces.
Now in terms of usability: most of the time I don't need to care about the firewalld settings, as I rarely use the bridge functionality. But k3d does create bridges under the hood, so maybe it could check whether nftables is active and, if so, print a warning or a reminder to add the new bridge as a trusted network?
Thanks for your investigations here @Ka0o0 ! This is odd. If you can come up with a simple way to check this, so that we don't need too many LoC, I'll happily integrate a check + warning :+1: How would you go about checking whether nftables could introduce a problem here?
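One possible check, sketched under the assumption that firewalld keeps its config at the standard path /etc/firewalld/firewalld.conf and exposes the backend via the FirewallBackend key (the default on Fedora 32+ is nftables):

```shell
# Sketch: detect whether firewalld is configured to use the nftables
# backend by reading its config file. Takes the config path as an
# argument so it can be tested against a fixture.
uses_nftables_backend() {
  conf="$1"
  [ -r "$conf" ] && grep -q '^FirewallBackend=nftables' "$conf"
}

# Hypothetical warning k3d could print at cluster-creation time:
if uses_nftables_backend /etc/firewalld/firewalld.conf; then
  echo "warning: firewalld uses the nftables backend; remember to add the new k3d bridge interface to a trusted zone"
fi
```

A check like this stays well under a handful of LoC in Go as well; the main open question is whether to also cover setups that run nftables without firewalld.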
I found it!
What finally made this work was adding 0.0.0.0 to my NO_PROXY env variable. Currently I have:
export NO_PROXY="127.0.0.1,::1,localhost,.cluster.local,10.0.0.0/8,192.168.0.0/16,0.0.0.0" # plus some internal things
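For illustration, a rough sketch of the verbatim matching that made 0.0.0.0 relevant here. Note this is a simplification: real HTTP clients also do domain-suffix matching (for entries like .cluster.local), and only some of them understand CIDR entries like 10.0.0.0/8, which is exactly why listing 0.0.0.0 explicitly can matter:

```shell
# Simplified sketch: does a host appear verbatim in the NO_PROXY list?
# (Real clients also match domain suffixes; CIDR support varies.)
no_proxy_list="127.0.0.1,::1,localhost,.cluster.local,10.0.0.0/8,192.168.0.0/16,0.0.0.0"

bypasses_proxy() {
  case ",$no_proxy_list," in
    *",$1,"*) echo yes ;;
    *)        echo no ;;
  esac
}

bypasses_proxy 0.0.0.0   # yes - kubectl talks to the API server directly
bypasses_proxy 8.8.8.8   # no  - traffic would go through the proxy
```

Since my kubeconfig pointed kubectl at 0.0.0.0, the request was being sent to the corporate proxy until that entry was added.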
For reference:
% k3d version
k3d version v4.4.3
k3s version v1.20.6-k3s1 (default)
As I understand things, the 10.0.0.0/8 and 0.0.0.0 entries are the ones most likely needed for k3d. I also pass in a k3s_registry.yaml that looks something like:
% cat k3s_registry.yaml
---
mirrors:
  docker.io:
    endpoint:
      - https://docker.repo.internal
      - https://sf-artifactory.internal:9001
configs:
  "sf-artifactory.internal:9001":
    insecure_skip_verify: true
(Obviously the above should be adjusted for your endpoints).
To create the cluster I used:
% k3d cluster create --registry-config k3s_registry.yaml --servers 3 --agents 3 test
I didn't need to pass -e HTTP_PROXY -e NO_PROXY (though maybe these might be useful later?). The root issue was that kubectl was hitting the proxy server for 0.0.0.0 when it shouldn't have been.
Hi, I was trying to create a new cluster and connect to it via kubectl. ~I'm running on Fedora and I first had to figure out that I needed to specify
--api-port 127.0.0.1:6443
because Fedora would not allow any connection to 0.0.0.0.~ (edit: found #339 but the issue still exists) I'm still not sure what I'm doing wrong. Any suggestions?
Edit: Here is the output of docker logs of the server container: server_log.txt
What did you do
How was the cluster created?
k3d cluster create -a 1 --api-port 127.0.0.1:6443
What did you do afterwards?
k3d kubeconfig merge k3s-default --switch-context --overwrite
kubectl get pods -A
Here the kubectl get pods -A will time out with the following error:
What did you expect to happen
See the output of kubectl.
Screenshots or terminal output
Which OS & Architecture
Which version of k3d
Which version of docker