Comments (6)
brandond
commented on May 28, 2024
The (sendmsg() failed: Message too large iptables-restore: line 692 failed) makes me suspect that there is a buffer size sysctl that is too small within your user namespace. Can you provide the output of sysctl -a from within the k3s rootless namespace?
from k3s.
ballj
commented on May 28, 2024
Filtered out the veth interfaces using the following: grep -v 'conf.veth'.
from k3s.
brandond
commented on May 28, 2024
I don't see any of the net.core sysctls in your output? Those control most of the socket memory limits.
The difference in log message is due to our bundled iptables binaries being newer than the ones on your host, which improves error logging - see this change:
https://git.netfilter.org/iptables/commit/?id=a3e81c62e8c5abb4158f1f66df6bbcffd1b33240
The comment at https://serverfault.com/questions/1143773/lxc-container-fail-to-load-big-iptables-rules#comment1492057_1143773 suggests that this is a kernel limitation that only affects unprivileged use of the nft backend; you might see if using iptables-legacy is not affected by this issue?
You could also disable the network policy controller, to keep the iptables ruleset size under the cap enforced by the kernel.
from k3s.
ballj
commented on May 28, 2024
net.core as root:
net.core.bpf_jit_enable = 1
net.core.bpf_jit_harden = 0
net.core.bpf_jit_kallsyms = 1
net.core.bpf_jit_limit = 528482304
net.core.busy_poll = 0
net.core.busy_read = 0
net.core.default_qdisc = fq_codel
net.core.dev_weight = 64
net.core.dev_weight_rx_bias = 1
net.core.dev_weight_tx_bias = 1
net.core.devconf_inherit_init_net = 0
net.core.fb_tunnels_only_for_init_net = 0
net.core.flow_limit_cpu_bitmap = 00
net.core.flow_limit_table_len = 4096
net.core.gro_normal_batch = 8
net.core.high_order_alloc_disable = 0
net.core.max_skb_frags = 17
net.core.message_burst = 10
net.core.message_cost = 5
net.core.netdev_budget = 300
net.core.netdev_budget_usecs = 8000
net.core.netdev_max_backlog = 1000
net.core.netdev_tstamp_prequeue = 1
net.core.netdev_unregister_timeout_secs = 10
net.core.optmem_max = 20480
net.core.rmem_default = 212992
net.core.rmem_max = 212992
net.core.rps_sock_flow_entries = 0
net.core.somaxconn = 4096
net.core.tstamp_allow_data = 1
net.core.warnings = 0
net.core.wmem_default = 212992
net.core.wmem_max = 212992
net.core.xfrm_acq_expires = 165
net.core.xfrm_aevent_etime = 10
net.core.xfrm_aevent_rseqth = 2
net.core.xfrm_larval_drop = 1
net.core as k3s user:
net.core.busy_poll = 0
net.core.busy_read = 0
net.core.default_qdisc = fq_codel
net.core.dev_weight = 64
net.core.dev_weight_rx_bias = 1
net.core.dev_weight_tx_bias = 1
net.core.devconf_inherit_init_net = 0
net.core.fb_tunnels_only_for_init_net = 0
net.core.flow_limit_cpu_bitmap = 00
net.core.flow_limit_table_len = 4096
net.core.gro_normal_batch = 8
net.core.high_order_alloc_disable = 0
net.core.max_skb_frags = 17
net.core.message_burst = 10
net.core.message_cost = 5
net.core.netdev_budget = 300
net.core.netdev_budget_usecs = 8000
net.core.netdev_max_backlog = 1000
net.core.netdev_tstamp_prequeue = 1
net.core.netdev_unregister_timeout_secs = 10
net.core.optmem_max = 20480
net.core.rmem_default = 212992
net.core.rmem_max = 212992
net.core.rps_sock_flow_entries = 0
net.core.somaxconn = 4096
net.core.tstamp_allow_data = 1
net.core.warnings = 0
net.core.wmem_default = 212992
net.core.wmem_max = 212992
net.core.xfrm_acq_expires = 165
net.core.xfrm_aevent_etime = 10
net.core.xfrm_aevent_rseqth = 2
net.core.xfrm_larval_drop = 1
I will give it a try with iptables-legacy later today.
from k3s.
ballj
commented on May 28, 2024
iptables-legacy looks to have helped - im leaving it a few days to know for sure.
from k3s.
brandond
commented on May 28, 2024
Closing as limitation of iptables nft backend. This could probably be added to the list of known issues with rootless k3s.
from k3s.
Related Issues (20)
- Option service-node-port-range gets ignored HOT 2
- A potential risk in k3s that could lead to takeover of the cluster HOT 2
- x509: certificate has expired or is not yet valid HOT 2
- Add support for SLE Micro 6.0
- Reducing K3s Org Equinix usage HOT 6
- flannel-v6.1 MAC address changes every boot HOT 9
- k3s node becomes unresponsive with error InvalidDiskCapacity HOT 1
- Set cri-dockerd `streaming-bind-addr` to fixed address
- ErrImagePull when using `latest` docker image tag & embedded registry in air-gapped cluster HOT 2
- K3S agent starting on Google Coral crashes the host kernel due to nf_conntrack_netlink kernel module HOT 8
- Flannel crashoff on k3s <<<rasperry pi 4 arm64 debian bookworm HOT 1
- Support containerd config_path for stargz snapshotter
- Adding incorrect flag during install results in a error which is hard to figure out what is wrong HOT 4
- K3s fails to start in a multi-network card environment with error "IPv6 was enabled but no IPv6 address was found on node" HOT 4
- K3S agent failed to join server, CA cert validation failed HOT 1
- k3s uninstall shouldn't delete k3s config.yaml HOT 1
- etcd-snapshot save ignores s3-folder param provided and saves only in s3-bucket location HOT 1
- Invalid `hosts.toml` for private registry is generated HOT 2
- etcd-snapshot save times out in 10 seconds the first try HOT 1
- ServiceLB back after auto-upgrade; k3s seems to ignore parameters from systemd unit after upgrade HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from k3s.