Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Calico Daemonset Iptables Issue in RHEL 8 #7393

Open
HenryXie1 opened this issue Feb 24, 2023 · 6 comments
Open

Calico Daemonset Iptables Issue in RHEL 8 #7393

HenryXie1 opened this issue Feb 24, 2023 · 6 comments
Labels

Comments

@HenryXie1
Copy link

HenryXie1 commented Feb 24, 2023

We have upgrade the worker node to RHEL 8. it has iptables-nft enabled
iptables -V --> iptables-nft in the OS

We are currently using the Calico daemonset version 3.24, and according to the documentation, it should automatically detect the version of iptables on RHEL 8. We have verified this information through the following links: #2322, and #4322.

However, when we run the command "kubectl exec -it calico-nodes-*** -- iptables -V," it shows that the version being used is iptables v1.8.4 (legacy). Even when we added the environment variable FELIX_IPTABLESBACKEND with the value "Auto" and rolled the pods, the legacy version of iptables was still being used.

. We are confused because despite this information, when we run the "iptables -V" command on the Calico node, it still shows the legacy version of iptables. Could you please provide clarification on this matter?

Meanwhile I found #7111 is still open (not merged)
seems the issue is not fixed,so I wonder how Calico implemented iptables automatic detection feature. or did I miss sth?
Thank you

@caseydavenport Thank you

Expected Behavior

When work nodes upgrade to RHEL 8,
kubectl exec -it calico-nodes-*** -- iptables -V --> iptables-nft

Current Behavior

with calico 3.24 and RHEL 8
we run the command "kubectl exec -it calico-nodes-*** -- iptables -V," it shows that the version being used is iptables v1.8.4 (legacy)

Possible Solution

no

Steps to Reproduce (for bugs)

Context

Your Environment

  • Calico version 3.24
  • Orchestrator version kubernetes
  • Operating System and version: RHEL 8 kernel 4.18 with iptables-nft
  • Link to your project (optional):
@HenryXie1 HenryXie1 changed the title iptables -V shows wrong version Calico Daemonset Iptables Issue in RHEL 8 Feb 24, 2023
@yankay
Copy link
Contributor

yankay commented Feb 27, 2023

We have the same issue .
Welcome to help to review the #7111 :-)

@MichalFupso
Copy link
Contributor

MichalFupso commented Mar 21, 2023

Hi @HenryXie1, #7111 has been merged into Calico v3.25, which fixes this issue

@yankay
Copy link
Contributor

yankay commented Mar 22, 2023

Hi @HenryXie1, #7111 has been merged into Calico v3.25, which fixes this issue

HI @MichalFupso ,
The #7111 is merged into the Calico v3.26.
And the Cherry-Pick #7460 is for the Calico v3.25.

@HenryXie1
Copy link
Author

HenryXie1 commented Mar 23, 2023

Hi, @yankay Thanks for your input
I happen to notice this PR #4322
https://www.tigera.io/blog/whats-new-in-calico-v3-12/
It seems the fix was included in 3.12,
not sure how that works with your PR #7460

@yankay
Copy link
Contributor

yankay commented Mar 24, 2023

HI @HenryXie1

Follow the description of the issue, The issue is the same as the: #2322. The auto-detect logic in the RHEL/Centos 8 is to detect auto as a legacy instead of NFT. So that causes the issue.

There is a blog article about the issue: https://mihail-milev.medium.com/no-pod-to-pod-communication-on-centos-8-kubernetes-with-calico-56d694d2a6f4

The #7111 and #7460 are to fix the issue.

@HenryXie1
Copy link
Author

HenryXie1 commented Mar 24, 2023

Thanks @yankay
I read the blog and implement Calico version 3.24 with RHEL 8 iptables-nft. I discovered that the issue mentioned in #2322 had been resolved, as new iptables nft rules were created. However, when I checked the calico-node by running the command iptables -V, it still showed iptables legacy.

I am not sure how this works in version 3.24 without the PRs mentioned in #7111 and #7460.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants