7.7. Troubleshooting the K3s Configuration Checker
This section provides troubleshooting information for the optional Checking the K3s Configuration phase of Running the LOCKSS Installer.
After installing K3s [2], you may optionally run the K3s configuration checker k3s check-config [3]. This configuration checker runs through a more extensive series of tests, covering "required", "generally necessary", and "optional" system aspects needed by K3s.
Some failures, especially in "optional" aspects, may not actually prevent the cluster from working normally, in the limited ways the LOCKSS system uses Kubernetes. Some of the error messages you might encounter are documented below, but you may need to refer to the official K3s documentation or use a search engine to look up the specific error message.
7.7.1. iptables should be older than v1.8.0, newer than v1.8.3, or in legacy mode
In some instances, you may encounter an error message similar to the following:
/usr/sbin iptables v1.8.2 (nf_tables): should be older than v1.8.0, newer than v1.8.3, or in legacy mode (fail)
In previous versions of K3s, this error message was also sometimes phrased as "should be older than v1.8.0 or in legacy mode".
The install-lockss script should detect this situation and offer to switch iptables to legacy mode via Alternatives (see Troubleshooting iptables). If the error above occurs:
Verify that the Configuring iptables for K3s phase of install-lockss was not skipped.
Verify that, if applicable, the proposed iptables configuration changes in the Configuring iptables for K3s phase of install-lockss were not bypassed.
Using the Troubleshooting iptables section as reference, verify that the remediation attempted by install-lockss has taken effect.
Search the K3s issues database for issues related to k3s check-config, iptables and your operating system.
7.7.2. User namespaces disabled
In the RHEL 7 family of operating systems (CentOS 7, EuroLinux 7, Scientific Linux 7...), you may receive the following error message:
RHEL7/CentOS7: User namespaces disabled; add 'user_namespace.enable=1' to boot command line (fail)
To resolve this issue [5]:
Edit the file /etc/default/grub as root [7].
Look for the line beginning with GRUB_CMDLINE_LINUX=, for example:
GRUB_CMDLINE_LINUX="no_timer_check console=tty0 console=ttyS0,115200n8 net.ifnames=0 biosdevname=0 elevator=noop crashkernel=auto"
Add user_namespace.enable=1 to the space-separated list of boot arguments, for instance:
GRUB_CMDLINE_LINUX="user_namespace.enable=1 no_timer_check console=tty0 console=ttyS0,115200n8 net.ifnames=0 biosdevname=0 elevator=noop crashkernel=auto"
Run the following command as root:
grub2-mkconfig -o /boot/grub2/grub.cfg
Reboot the system.
Re-run k3s check-config [3].
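The edit to /etc/default/grub described above, as an added shell example (not part of the LOCKSS documentation or of install-lockss). The function names has_userns_arg and add_userns_arg and their return codes are assumptions of this example. It assumes the quoted, single-line GRUB_CMDLINE_LINUX="..." form shown above, leaves the file untouched if the argument is already present, and stops rather than guessing if the line is missing or carries a conflicting user_namespace.enable= value.

```shell
#!/bin/sh
# Added example: idempotent edit of GRUB_CMDLINE_LINUX for the RHEL 7 family.
# The file path is a parameter so the edit can be rehearsed on a copy first.

# Succeeds if GRUB_CMDLINE_LINUX already carries user_namespace.enable=1
# as a whole, space-delimited argument.
has_userns_arg() {
    grep -Eq '^GRUB_CMDLINE_LINUX="([^"]* )?user_namespace\.enable=1( [^"]*)?"' "$1"
}

# Returns 0 on success or no-op, 1 if the backup fails, 2 if the line is
# missing or unquoted, 3 if a different user_namespace.enable= value is set.
add_userns_arg() {
    file=$1
    if ! grep -Eq '^GRUB_CMDLINE_LINUX="[^"]*"' "$file"; then
        echo "no quoted GRUB_CMDLINE_LINUX= line in $file" >&2
        return 2
    fi
    if has_userns_arg "$file"; then
        return 0    # already present: do not rewrite the file
    fi
    if grep -Eq '^GRUB_CMDLINE_LINUX="[^"]*user_namespace\.enable=' "$file"; then
        echo "conflicting user_namespace.enable= value in $file" >&2
        return 3
    fi
    cp -p "$file" "$file.bak" || return 1    # rollback copy next to the original
    # Write through the existing file so its owner and mode are preserved.
    # First expression: non-empty argument list; second: empty list ("").
    sed -e 's/^GRUB_CMDLINE_LINUX="\([^"]\)/GRUB_CMDLINE_LINUX="user_namespace.enable=1 \1/' \
        -e 's/^GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="user_namespace.enable=1"/' \
        "$file.bak" > "$file"
}

# Usage as root, followed by the remaining steps from the list above:
#   add_userns_arg /etc/default/grub && grub2-mkconfig -o /boot/grub2/grub.cfg
#   then reboot and re-run k3s check-config
```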
7.7.3. apparmor enabled but apparmor_parser missing
In some OpenSUSE systems, you may receive the following error:
apparmor: enabled, but apparmor_parser missing (fail)
This is because apparmor_parser, a common tool found in most Linux environments, is not installed by default in some OpenSUSE versions.
To resolve this issue, run these zypper commands as root [7]:
zypper refresh
zypper --non-interactive install apparmor-parser
or equivalently:
zypper refresh
zypper -n install apparmor-parser
7.7.4. cgroup hierarchy nonexistent
In some Arch Linux, Debian and Fedora systems, you may see the following error message:
cgroup hierarchy: nonexistent?? (fail)
K3s supports cgroup2, but k3s check-config version 1.21.5+k3s1 (used in LOCKSS 2.0-alpha5) does not process this condition correctly. This warning can be ignored.
7.7.5. links: aux/iptables should link to iptables-detect.sh
In some Fedora and OpenSUSE systems, you may encounter six related error messages like the following:
links: aux/ip6tables should link to iptables-detect.sh (fail)
links: aux/ip6tables-restore should link to iptables-detect.sh (fail)
links: aux/ip6tables-save should link to iptables-detect.sh (fail)
links: aux/iptables should link to iptables-detect.sh (fail)
links: aux/iptables-restore should link to iptables-detect.sh (fail)
links: aux/iptables-save should link to iptables-detect.sh (fail)
This is due to a bug in k3s check-config [6], triggered in environments where there is no iptables system package installed. This warning can be ignored.
7.7.6. swap should be disabled
This warning can be ignored:
swap: should be disabled
7.7.7. CONFIG_INET_XFRM_MODE_TRANSPORT missing
This warning can be ignored:
CONFIG_INET_XFRM_MODE_TRANSPORT: missing
Footnotes
- 1
- 2
See Installing K3s.
- 3
- 4
References:
- 5
References:
- 6
Reference:
- 7