7.4. Troubleshooting ufw

This section provides troubleshooting information for the Configuring ufw for K3s phase of Running the LOCKSS Installer.

7.4.1. Allow traffic from 10.42.0.0/16 and 10.43.0.0/16 via ufw

If your system is running the ufw firewall, it is necessary to allow traffic from K3s' pod and service subnets [1] via ufw for K3s to work properly [2]. If install-lockss detects this situation, you will see a warning message and the following prompt [3]:

Allow traffic from 10.42.0.0/16 and 10.43.0.0/16 via ufw?

Enter Y to accept the proposed ufw configuration. If you bypass the proposed configuration, K3s may malfunction.

The ufw configuration attempted by install-lockss is equivalent to [1]:

ufw allow from 10.42.0.0/16 to any

ufw allow from 10.43.0.0/16 to any

ufw reload

7.4.2. Post-Installation Changes to ufw

If your system did not use ufw at the time K3s was installed but later does (for example, because ufw becomes enabled), run this command (relative to the LOCKSS Installer Directory) as a privileged user who can become root via sudo [4]:

scripts/install-lockss --configure-ufw

This will run only the Configuring ufw for K3s phase of install-lockss.
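
To confirm the rules are in place after either procedure, the following added example (not part of install-lockss or the LOCKSS documentation) parses ufw status output and lists any K3s default subnet that has no allow rule. The function name missing_k3s_rules and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which K3s subnets lack a ufw allow rule.
# Subnets are the K3s defaults named on this page (see footnote 1).
K3S_SUBNETS="10.42.0.0/16 10.43.0.0/16"

# missing_k3s_rules (hypothetical helper): reads `ufw status` or
# `ufw status verbose` output on stdin. Prints "inactive" if ufw is not
# active; otherwise prints each subnet that has no
# "Anywhere ALLOW [IN] <subnet>" rule, one per line (nothing if all exist).
missing_k3s_rules() {
    status=$(cat)
    if ! printf '%s\n' "$status" | grep -q '^Status: active'; then
        echo "inactive"
        return 0
    fi
    for subnet in $K3S_SUBNETS; do
        if ! printf '%s\n' "$status" | awk -v s="$subnet" '
            $1 == "Anywhere" && $2 == "ALLOW" &&
                ($3 == s || ($3 == "IN" && $4 == s)) { found = 1 }
            END { exit !found }'; then
            echo "$subnet"
        fi
    done
}

# Constructed sample: both rules present.
SAMPLE_OK='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
Anywhere                   ALLOW       10.42.0.0/16
Anywhere                   ALLOW       10.43.0.0/16'

# Constructed sample: the service subnet rule is absent.
SAMPLE_PARTIAL='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
Anywhere                   ALLOW       10.42.0.0/16'

# Demonstration on the constructed input. On a live host, run instead:
#   sudo ufw status | missing_k3s_rules
printf '%s\n' "$SAMPLE_PARTIAL" | missing_k3s_rules
```

The check only looks for the allow rules themselves; it does not evaluate whether an earlier deny rule in the same rule set takes precedence.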


Footnotes

[1] By default, K3s' pod subnet is 10.42.0.0/16 and service subnet is 10.43.0.0/16.

[2] References:

[3] See Configuring ufw for K3s.

[4] See Running Commands as a Privileged User.