7.3. Troubleshooting firewalld

This section provides troubleshooting information for the Configuring firewalld for K3s phase of Running the LOCKSS Installer.

7.3.1. Add 10.42.0.0/16 and 10.43.0.0/16 to firewalld's trusted zone

If your system is running the firewalld firewall, it is necessary to add K3s' pod and service subnets [1] to firewalld's trusted zone for K3s to work properly [2]. If install-lockss detects this situation, you will see a warning message and the following prompt [3]:

Add 10.42.0.0/16 and 10.43.0.0/16 to firewalld's trusted zone?

Enter Y to accept the proposed firewalld configuration. If you bypass the proposed configuration, K3s may malfunction.

The firewalld configuration attempted by install-lockss is equivalent to [1]:

firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16

firewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16

firewall-cmd --reload
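
To confirm the result, the following added check (not part of the LOCKSS documentation or of install-lockss) verifies that both subnets are sources of the trusted zone in the runtime and in the permanent configuration, which also catches a missed --reload. The function names missing_sources and check_trusted_zone are chosen for this example, and the sample input at the end is constructed.

```shell
#!/bin/sh
# Added example: verify the K3s subnets named on this page are trusted-zone sources.

REQUIRED_SOURCES="10.42.0.0/16 10.43.0.0/16"   # the two subnets from this page

# missing_sources "<output of firewall-cmd --zone=trusted --list-sources>"
# Prints every required subnet that is absent from the list (exact match only,
# so a narrower or wider prefix does not count). Returns 1 if any is missing.
missing_sources() {
    listed=$1
    missing=""
    for want in $REQUIRED_SOURCES; do
        found=no
        for have in $listed; do
            if [ "$have" = "$want" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then missing="$missing $want"; fi
    done
    missing=${missing# }
    if [ -z "$missing" ]; then return 0; fi
    echo "$missing"
    return 1
}

# check_trusted_zone: query the live firewalld, first the runtime configuration,
# then the permanent one. Run it with the same privileges as the commands above.
# Returns 0 if both are complete, 1 if a subnet is missing, 2 if firewall-cmd fails.
check_trusted_zone() {
    rc=0
    for scope in "" "--permanent"; do
        # $scope is left unquoted on purpose so the empty value vanishes
        listed=$(firewall-cmd $scope --zone=trusted --list-sources) || return 2
        if ! gaps=$(missing_sources "$listed"); then
            echo "trusted zone (${scope:-runtime}) lacks: $gaps" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a sources list in which the second subnet was never added.
missing_sources "10.42.0.0/16 192.168.10.0/24" || true
```

On a host running firewalld, call check_trusted_zone; a subnet reported only for the runtime scope means the permanent rules were written but firewall-cmd --reload has not been run.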

7.3.2. Post-Installation Changes to firewalld

If your system did not initially use firewalld at the time K3s was installed, but later does (for example because firewalld becomes enabled), run this command (relative to the LOCKSS Installer Directory) as a privileged user who can become root via sudo [4]:

scripts/install-lockss --configure-firewalld

This will run only the Configuring firewalld for K3s phase of install-lockss.


Footnotes