Closed bmorris53 closed 8 months ago
Also, using nc I can confirm that the master-1 node is reachable on all the ports I believe should be reachable.
From master-2:
[bmorris@k3s-master-2 ~]$ nc -v 172.20.0.161 6443
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Connected to 172.20.0.161:6443.
^C
[bmorris@k3s-master-2 ~]$ nc -v 172.20.0.161 2379
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Connected to 172.20.0.161:2379.
^C
[bmorris@k3s-master-2 ~]$ nc -v 172.20.0.161 2380
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Connected to 172.20.0.161:2380.
Maybe you missed the 403 Forbidden errors from squid in the log file:
Jan 12 18:36:50 k3s-master-2 k3s[256819]: {"level":"warn","ts":"2024-01-12T18:36:50.529306Z","logger":"etcd-client","caller":"v3@v3.5.9-k3s1/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc0012be000/172.20.0.161:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"transport: Error while dialing: failed to do connect handshake, response: \\\"HTTP/1.1 403 Forbidden\\\\r\\\\nContent-Length: 3478\\\\r\\\\nConnection: keep-alive\\\\r\\\\nContent-Language: en\\\\r\\\\nContent-Type: text/html;charset=utf-8\\\\r\\\\nDate: Fri, 12 Jan 2024 18:36:45 GMT\\\\r\\\\nMime-Version: 1.0\\\\r\\\\nServer: squid/3.5.27\\\\r\\\\nVary: Accept-Language\\\\r\\\\nVia: 1.1 7491d61a006d (squid/3.5.27)\\\\r\\\\nX-Cache: MISS from 7491d61a006d\\\\r\\\\nX-Cache-Lookup: NONE from 7491d61a006d:3128\\\\r\\\\nX-Squid-Error: ERR_ACCESS_DENIED 0\\\\r\\\\n\\\\r\\\\n<!DOCTYPE html PUBLIC \\\\\\\"-//W3C//DTD HTML 4.01//EN\\\\\\\" \\\\\\\"http://www.w3.org/TR/html4/strict.dtd\\\\\\\">\\\\n<html><head>\\\\n<meta type=\\\\\\\"copyright\\\\\\\" content=\\\\\\\"Copyright (C) 1996-2017 The Squid Software Foundation and contributors\\\\\\\">\\\\n<meta http-equiv=\\\\\\\"Content-Type\\\\\\\" content=\\\\\\\"text/html; charset=utf-8\\\\\\\">\\\\n<title>ERROR: The requested URL could not be retrieved</title>\\\\n<style type=\\\\\\\"text/css\\\\\\\"><!--\\\\n /*\\\\n * Copyright (C) 1996-2017 The Squid Software Foundation and contributors\\\\n *\\\\n * Squid software is distributed under GPLv2+ license and includes\\\\n * contributions from numerous individuals and organizations.\\\\n * Please see the COPYING and CONTRIBUTORS files for details.\\\\n */\\\\n\\\\n/*\\\\n Stylesheet for Squid Error pages\\\\n Adapted from design by Free CSS Templates\\\\n http://www.freecsstemplates.org\\\\n Released for free under a Creative Commons Attribution 2.5 License\\\\n*/\\\\n\\\\n/* Page 
basics */\\\\n* {\\\\n\\\\tfont-family: verdana, sans-serif;\\\\n}\\\\n\\\\nhtml body {\\\\n\\\\tmargin: 0;\\\\n\\\\tpadding: 0;\\\\n\\\\tbackground: #efefef;\\\\n\\\\tfont-size: 12px;\\\\n\\\\tcolor: #1e1e1e;\\\\n}\\\\n\\\\n/* Page displayed title area */\\\\n#titles {\\\\n\\\\tmargin-left: 15px;\\\\n\\\\tpadding: 10px;\\\\n\\\\tpadding-left: 100px;\\\\n\\\\tbackground: url('/squid-internal-static/icons/SN.png') no-repeat left;\\\\n}\\\\n\\\\n/* initial title */\\\\n#titles h1 {\\\\n\\\\tcolor: #000000;\\\\n}\\\\n#titles h2 {\\\\n\\\\tcolor: #000000;\\\\n}\\\\n\\\\n/* special event: FTP success page titles */\\\\n#titles ftpsuccess {\\\\n\\\\tbackground-color:#00ff00;\\\\n\\\\twidth:100%;\\\\n}\\\\n\\\\n/* Page displayed body content area */\\\\n#content {\\\\n\\\\tpadding: 10px;\\\\n\\\\tbackground: #ffffff;\\\\n}\\\\n\\\\n/* General text */\\\\np {\\\\n}\\\\n\\\\n/* error brief description */\\\\n#error p {\\\\n}\\\\n\\\\n/* some data which may have caused the problem */\\\\n#data {\\\\n}\\\\n\\\\n/* the error message received from the system or other software */\\\\n#sysmsg {\\\\n}\\\\n\\\\npre {\\\\n font-family:sans-serif;\\\\n}\\\\n\\\\n/* special event: FTP / Gopher directory listing */\\\\n#dirmsg {\\\\n font-family: courier;\\\\n color: black;\\\\n font-size: 10pt;\\\\n}\\\\n#dirlisting {\\\\n margin-left: 2%;\\\\n margin-right: 2%;\\\\n}\\\\n#dirlisting tr.entry td.icon,td.filename,td.size,td.date {\\\\n border-bottom: groove;\\\\n}\\\\n#dirlisting td.size {\\\\n width: 50px;\\\\n text-align: right;\\\\n padding-right: 5px;\\\\n}\\\\n\\\\n/* horizontal lines */\\\\nhr {\\\\n\\\\tmargin: 0;\\\\n}\\\\n\\\\n/* page displayed footer area */\\\\n#footer {\\\\n\\\\tfont-size: 9px;\\\\n\\\\tpadding-left: 10px;\\\\n}\\\\n\\\\n\\\\nbody\\\\n:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }\\\\n:lang(he) { direction: rtl; }\\\\n --></style>\\\\n</head><body id=ERR_ACCESS_DENIED>\\\\n<div 
id=\\\\\\\"titles\\\\\\\">\\\\n<h1>ERROR</h1>\\\\n<h2>The requested URL could not be retrieved</h2>\\\\n</div>\\\\n<hr>\\\\n\\\\n<div id=\\\\\\\"content\\\\\\\">\\\\n<p>The following error was encountered while trying to retrieve the URL: <a href=\\\\\\\"172.20.0.161:2379\\\\\\\">172.20.0.161:2379</a></p>\\\\n\\\\n<blockquote id=\\\\\\\"error\\\\\\\">\\\\n<p><b>Access Denied.</b></p>\\\\n</blockquote>\\\\n\\\\n<p>Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.</p>\\\\n\\\\n<p>Your cache administrator is <a href=\\\\\\\"mailto:webmaster?subject=CacheErrorInfo%20-%20ERR_ACCESS_DENIED&body=CacheHost%3A%207491d61a006d%0D%0AErrPage%3A%20ERR_ACCESS_DENIED%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Fri,%2012%20Jan%202024%2018%3A36%3A45%20GMT%0D%0A%0D%0AClientIP%3A%2047.43.111.84%0D%0A%0D%0AHTTP%20Request%3A%0D%0ACONNECT%20%2F%20HTTP%2F1.1%0AUser-Agent%3A%20grpc-go%2F1.58.3%0D%0AHost%3A%20172.20.0.161%3A2379%0D%0A%0D%0A%0D%0A\\\\\\\">webmaster</a>.</p>\\\\n<br>\\\\n</div>\\\\n\\\\n<hr>\\\\n<div id=\\\\\\\"footer\\\\\\\">\\\\n<p>Generated Fri, 12 Jan 2024 18:36:45 GMT by 7491d61a006d (squid/3.5.27)</p>\\\\n<!-- ERR_ACCESS_DENIED -->\\\\n</div>\\\\n</body></html>\\\\n\\\"\""}
Your proxy is breaking etcd. If you have HTTP_PROXY or HTTP_PROXY variables present in your environment, make sure that your internal node IPs or IP ranges are included in the NO_PROXY list. If you don't want K3s to use the proxy, then remove the proxy vars from the k3s env file.
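A triage sketch for the failure discussed above, added here as an example; it is not code from the thread or from K3s. It pulls the etcd target and the proxy's reply out of a k3s journal line and checks whether a given NO_PROXY value covers that target. The function names are hypothetical, the sample line is a shortened, constructed version of the one quoted above, and NO_PROXY matching is limited to bare IPs, CIDR ranges and `*`.

```python
import ipaddress
import json
import re

# Constructed sample: same shape as the journal line in the thread, HTML body omitted.
SAMPLE = "Jan 12 18:36:50 k3s-master-2 k3s[256819]: " + json.dumps({
    "level": "warn", "logger": "etcd-client",
    "target": "etcd-endpoints://0xc0012be000/172.20.0.161:2379",
    "error": "transport: Error while dialing: failed to do connect handshake, "
             'response: "HTTP/1.1 403 Forbidden\\r\\nServer: squid/3.5.27\\r\\n'
             'X-Squid-Error: ERR_ACCESS_DENIED 0\\r\\n"',
})

def parse_proxy_refusal(line):
    """Return target and proxy reply if the line shows an HTTP proxy answering the dial."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        rec = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    err = rec.get("error", "")
    # grpc-go reports a failed HTTP CONNECT through a proxy with this phrase.
    if "failed to do connect handshake" not in err:
        return None
    host, _, port = rec.get("target", "").rsplit("/", 1)[-1].rpartition(":")
    if not host:
        return None
    status = re.search(r"HTTP/1\.[01] (\d{3})", err)
    squid = re.search(r"X-Squid-Error: (\w+)", err)
    return {"ip": host.strip("[]"), "port": port,
            "status": status.group(1) if status else None,
            "squid_error": squid.group(1) if squid else None}

def covered_by_no_proxy(ip, no_proxy):
    """True if an IP, CIDR or '*' entry in the NO_PROXY string matches ip."""
    addr = ipaddress.ip_address(ip)
    for entry in filter(None, (e.strip() for e in no_proxy.split(","))):
        if entry == "*":
            return True
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # hostname, domain or ip:port entry; not handled in this sketch
    return False

def diagnose(line, no_proxy):
    hit = parse_proxy_refusal(line)
    if hit is not None:
        hit["no_proxy_covers_target"] = covered_by_no_proxy(hit["ip"], no_proxy)
    return hit

if __name__ == "__main__":
    print(diagnose(SAMPLE, "localhost,127.0.0.0/8"))
```

A result with `no_proxy_covers_target` set to `False` alongside a proxy status code means the etcd dial was sent to the proxy because the node address is outside the NO_PROXY list.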
Environmental Info: K3s Version:
Node(s) CPU architecture, OS, and Version:
Cluster Configuration: Attempting to set up a 3-master HA system with embedded etcd. Running in OpenStack. Dual stack configuration. Security rules updated to allow ALL IPv4 and IPv6 traffic to communicate with all nodes within the security group. SELinux is enabled but set to permissive.
Describe the bug: The first node with cluster-init starts without issue. Kube api server reports healthy, as does the etcd instance that is running:
Initial Cluster Init:
Steps To Reproduce: On second node:
Journal log produces the following:
Expected behavior: Second node should join cluster
Actual behavior: Second node fails to join cluster