Switching from iptables-legacy to iptables-nft #17

Open
nickmhankins opened this issue Dec 12, 2024 · 6 comments

@nickmhankins

nickmhankins commented Dec 12, 2024

I'm running into issues switching from iptables-legacy on our AlmaLinux 9.4 nodes running weave in Kubernetes. Setting update-alternatives to use iptables-nft on the host (or just uninstalling legacy) and then rebooting the node still shows the weave-kube pod trying to launch with iptables-legacy even though the host is no longer using it:

Host:

iptables -V
iptables v1.8.10 (nf_tables)

Pod:

❯ kubectl logs weave-net-vpbk4
Defaulted container "weave" out of: weave, weave-npc
iptables v1.8.10 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I've tried removing weave-related items from the host that are getting mounted into the container in the hopes it would trigger some sort of re-initialization. Am I just missing a step?

@rajch
Owner

rajch commented Dec 17, 2024

There is currently a problem detecting iptables-nft and using it instead of iptables-legacy, also reported in a different context in #15.

You could manually specify the iptables-nft backend by running:

$ kubectl apply -f "https://reweave.azurewebsites.net/k8s/v1.28/net.yaml?env.IPTABLES_BACKEND=nft"

@nickmhankins
Author

Yeah I tried that as well but get the same error, weird!

@rajch
Owner

rajch commented Dec 18, 2024

That is weird. Could you share a full log of any weave pod, please? Particularly the first 15 or so lines.

@rajch
Owner

rajch commented Dec 19, 2024

I have created an interim release which tries to solve that and a related problem, and tested it the best I can. I am in the middle of a move to a different city, so currently my test matrix is limited to Debian, Alpine and Rocky Linux only. Could you do me a solid, and apply that on your Alma cluster? It will not change any settings, just use the iptables-nft backend, and can be rolled back or forward later. You can do it with:

$ kubectl apply -f "https://reweave.azurewebsites.net/k8s/v1.28/net.yaml?version=2.9.0-beta1"

@rajch
Owner

rajch commented Dec 22, 2024

A new release is out: v2.9.0. Upgrading to this should solve your problem. I'll keep the issue open for now.

@nickmhankins
Author

More than happy to help but I won't be back to work for a few more days. I'll update once I've tried it.
