Channels
#k3s
- c
creamy-waiter-66684
09/29/2022, 6:16 PMHello team! I'm investigating k3s as a potential solution for storing a large amount of configuration information for various service teams in my organization. We're considering using Custom Resource Definitions (CRDs) in the API server. K8s was not viable due to the 8GB limit etcd imposes. While the external database feature of k3s solves the size limit, I noticed while inserting a large number of very large Customer Resources (CRs), the k3s server begins to eat a large amount of the systems RAM. I'm inserting around 1 million of these large CRs on an EC2 instance with over 128GB of RAM. At around 140,000 objects inserted, the k3s server is eating over 70% of the systems RAM. Is this intended? I assume k3s server is caching the inserted objects? Is there anyway to alleviate the large amount of memory usage? Even after stopping the insertions, the RAM utilization still sits around 60 or 70 percent (goes does 20-30% from peak).c- 2
- 11
- m
melodic-hamburger-23329
09/30/2022, 7:34 AMContainerd still fails to boot after manual k3s upgrade… Any way to avoid this happening?Copy code
Kind of impossible to do upgrades if need to basically recreate cluster every time :S Am I possibly doing something wrong? Steps: • download latest k3s binary and put to /usr/local/bin • systemctl stop k3s (or k3s-killall.sh; not sure which one recommended?) • systemctl start k3s (or rerun install script; same result)time="2022-09-30T16:30:47.729342645+09:00" level=fatal msg="failed to create new snapshotter" error="failed to restore remote snapshot: failed to prepare remote snapshot: sha256:08b10ee4e4d584086d7203095776335fc5f3a541402bb19e89e908096b30df2e: failed to resolve layer: failed to resolve layer \"sha256:a42e3d1ba15a55b32c4b95cd3486aab3103d7b685b471ce68130d718c16b4e88\" from \"...\": failed to resolve the blob: failed to resolve the source: cannot resolve layer: failed to redirect (host \"...\", ref:\"...\", digest:\"sha256:a42e3d1ba15a55b32c4b95cd3486aab3103d7b685b471ce68130d718c16b4e88\"): failed to access to the registry with code 404: failed to resolve: failed to resolve target"cb- 3
- 16
- m
melodic-hamburger-23329
09/30/2022, 8:04 AMWhere can I find definition of /etc/rancher/k3s/config.yaml? Particularly, it seems disable syntax is ambiguous.Copy code
ordisable: - "etcd"Copy code
https://rancher.com/docs/k3s/latest/en/installation/disable-flags/ https://rancher.com/docs/k3s/latest/en/installation/install-options/server-config/disable-etcd: truec- 2
- 10
- c
clever-air-65544
09/30/2022, 4:50 PMWeekly report o'clock! https://github.com/k3s-io/k3s/discussions/6202👍 4 - e
elegant-article-67113
10/01/2022, 4:03 PMAre there any recommended CNI optimizations to avoid getting out of order UDP packets? They always show up in order on bare metal, but can get messed up in containers (this is just on a LAN with a single switch). - e
eager-cartoon-94692
10/01/2022, 11:39 PMHi all, sorry if this isn't the place to ask a k3d specific question, but it seemed like the best option. Here it goes: Is there a way to specify a cacert that I create to be used for mutual TLS authentication?c- 2
- 4
- p
prehistoric-diamond-4224
10/03/2022, 10:31 AMHi there! I cordoned, drained, upgraded the resources of a worker node and restarted it, but k3s still doesn't schedule pods on the upgraded node, whenever i restart some workload they are still assigned to one of the other smaller nodes. To force-schedule pods to the new node I have to cordon all the other ones and delete some pods, only then after some time they are re-scheduled to the under-utilized node, but every time they are restarted they are placed on the other smaller nodes. So now I have one of my nodes sitting at 91% RAM and another at 30%. Apparently resource requests are not affecting the scheduling. Any idea of what could be happening? - g
green-energy-38738
10/03/2022, 2:15 PM1. any one runs k3s on docker ?r- 2
- 1
- c
chilly-telephone-51989
10/03/2022, 2:37 PMwhen i have images in a custom registry i have to tag the image and also refer to this custom repo in my yaml files for instance image: 172.16.0.25000/myapp0.3 is there a way to not specify the registry server and k3s by default looks to that address? so it becomes image: myapp:0.3kq- 3
- 2
- b
bright-jordan-61721
10/03/2022, 3:28 PMRecently built a k3s cluster with version
and I have some pods configured withv1.24.6+k3s1
(which is the default) and noticing weird DNS resolution problems. When I shell into a pod with this dns policy anddnsPolicy: ClusterFirst
this is what I see:cat /etc/resolv.confCopy code
I believe ndots:5 is causing the problem, asbash-5.1# cat /etc/resolv.conf search default.svc.cluster.local svc.cluster.local cluster.local [home search domains redacted] nameserver 10.43.0.10 options ndots:5
fails due to dns resolution, butping <http://github.com|github.com>
works instead. Why is k3s setting the ndots:5 option by default? I’m not setting this with the pod’s dnsConfig at all. If this option were removed or reduced to ndots:1 it would likely solve my issue.ping <http://github.com|github.com>.bk- 3
- 14
- p
prehistoric-judge-25958
10/03/2022, 5:59 PMHi, i have setup a private registry (harbor) inside my k3s cluster. I have pushed images succesfully to this registry and now i want to pull images from the registry. When i put this yaml config below in
my node become in a NotReady state after "systemcl restart k3s"/etc/rancher/k3s/registries.yamlCopy code
I am using self-signed certificates for my k8s.lan domain and put them in the directory /etc/rancher/k3s/certs/ describe node k3s-master-01 output:mirrors: harbor.k8s.lan: endpoint: - "<https://harbor.k8s.lan:443>" configs: "harbor.k8s.lan:443": tls: cert_file: /etc/rancher/k3s/certs/cert.pem key_file: /etc/rancher/k3s/certs/cert-key.pem ca_file: /etc/rancher/k3s/certs/k8s-lan.crt insecure_skip_verify: "true"Copy codeNormal Starting 23m kubelet Starting kubelet. Warning InvalidDiskCapacity 23m kubelet invalid capacity 0 on image filesystem Normal NodeAllocatableEnforced 23m kubelet Updated Node Allocatable limit across pods Normal NodeHasSufficientMemory 23m (x2 over 23m) kubelet Node k3s-master-01 status is now: NodeHasSufficientMemory Normal NodeHasNoDiskPressure 23m (x2 over 23m) kubelet Node k3s-master-01 status is now: NodeHasNoDiskPressure Normal NodeHasSufficientPID 23m (x2 over 23m) kubelet Node k3s-master-01 status is now: NodeHasSufficientPID Normal NodeReady 23m kubelet Node k3s-master-01 status is now: NodeReady Normal NodeNotReady 20m (x3 over 63m) node-controller Node k3s-master-01 status is now: NodeNotReady✅ 1c- 2
- 7
- l
late-needle-80860
10/04/2022, 2:04 PMI’m looking into adding
to an already running cluster ( server/control-plane side of course). Is that possible or do one need to redeploy the cluster anew? The reason for this is that I’m see--egress-selector-mode=disabled
when e.g. running thefailed: error dialing backend: EOF
provided by theconnectivity testCilium
. When I tried introducing it to a running test cluster I’m getting the infamouscli
…. Is other there a workaround to get this in on a live/already running cluster? Thank you very muchfailed to validate server configuration critical configuration value mismatchc- 2
- 2
- a
adamant-waiter-35487
10/05/2022, 8:30 AMIn k3s HA with embedded db, is it possible to have server and agent on the same node? The quick start command (
) installs both server and agent, but the tutorial on embedded ha ask us to start server on 3 nodes, and then join agent later. I am not sure if this means I need 3 nodes just for ha control plan, and need more nodes to behave as agent (worker) node?curl -sfL <https://get.k3s.io> | sh -c- 2
- 3
- l
late-needle-80860
10/05/2022, 6:23 PMI managed to get the
set on the--egress-selector-mode=disabled
of X K3s cluster I have running - on v1.24.4+k3s1. However, when running theservers
command for thecilium connectivity test …Cilium
I know get the following err:CNI
- troubleshooting that err leads me to: • https://github.com/opencontainers/runc/pull/3554 • and this release: https://github.com/opencontainers/runc/releases/tag/v1.1.4 Whatunable to start container process: open /dev/pts/0: operation not permitted: unknown
release is that part of - if any?K3sg- 2
- 5
- q
quiet-chef-27276
10/06/2022, 1:55 AMCross-posting as I don't seem to be able to delete the original - probably should have been posted here.le- 3
- 6
- l
late-needle-80860
10/07/2022, 8:05 AMI was wondering - after having used
on nodes in a cluster. What is one not getting? What’s the downside? In the docs it says:--egress-selector-mode=disabledCopy code
So sounds fine to me. I wasn’t disabling the agent onThe apiserver does not use agent tunnels to communicate with nodes. Requires that servers run agents, and have direct connectivity to the kubelet on agents, or the apiserver will not be able to function access service endpoints or perform kubectl exec and kubectl logs.
anyway. So not loosing anything there. Are there any downsides or considerations one should have? Thank you very muchserversc- 2
- 6
- l
late-needle-80860
10/07/2022, 10:40 AMSomeone on here having experience with the joining of K3s worker nodes in cordoned fashion … for different reasons we wish that X joining
node joins cordoned in order to different processes to complete in due time before regular workloads starts piling in on the newworker
. Some of these processes might be/are: • the configuration ofworker
for a private self-hosted registry • Longhorn bootstrapping … and storage space setup … which needs to be fully up and ready before potential persistent storage needing regular workloads starts appearingcontainerdc- 2
- 14
- h
handsome-painter-48813
10/07/2022, 10:48 AMHello, I upgraded debian from 10 to 11 and I can't start k3s server:Copy code
k3s check-config:failed to find cpuset cgroup (v2)Copy code
I already setGenerally Necessary: - cgroup hierarchy: cgroups V2 mounted, cpu|cpuset|memory controllers status: bad (fail) (for cgroups V1/Hybrid on non-Systemd init see <https://github.com/tianon/cgroupfs-mount>) - /usr/sbin/apparmor_parser apparmor: enabled and tools installedCopy code
And it does not work 😕GRUB_CMDLINE_LINUX="systemd.unified_cgroup_hierarchy=0"lc- 3
- 10
- c
clever-air-65544
10/07/2022, 4:45 PMk3s weekly is up! https://github.com/k3s-io/k3s/discussions/6229👀 2👍 2 - r
red-boots-23091
10/08/2022, 11:50 AMHey all, I have a cluster that i created on a docker install within v2.5.7. I have used this for testing for around 1 year now. However at the end of August I started getting problems with it (kubectl connection refused and various crash loops). I cant seem to resolve these. I assume it is to do with updates I made to my server packages. Long story short I am trying to upgrade my Rancher server. However no matter what I do I cant reliably connect to rancher UI and when I can i still have trouble with kubectl. I am running on Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-125-generic x86_64). Docker Engine Version: 20.10.12 and I am trying to spin up rancher v2.6.8. These are my server logs https://pastebin.com/cDgYiJCb. Does anyone have any guidancec- 2
- 20
- e
enough-carpet-20915
10/08/2022, 5:58 PMI've replaced 3 of my k3s nodes. They have new IPs but the same names as before. I'm now getting this error:Copy code
I tried doingError from server: error dialing backend: x509: certificate is valid for 127.0.0.1, 45.x.x.x, 2a02:c206:xxxx:xxxx::1, not 38.x.x.x
(from https://github.com/k3s-io/k3s/wiki/K3s-Cert-Rotation) which seems to have rotated certs, but I'm still getting the same error.k3s certificate rotatec- 2
- 27
- e
enough-carpet-20915
10/08/2022, 6:56 PMIt doesn't look like it actually changed the certs. - e
enough-carpet-20915
10/08/2022, 6:56 PMCopy codeadmin@marge:~$ sudo k3s certificate rotate INFO[0000] Server detected, rotating server certificates INFO[0000] Rotating certificates for admin service INFO[0000] Rotating certificates for etcd service INFO[0000] Rotating certificates for api-server service INFO[0000] Rotating certificates for controller-manager service INFO[0000] Rotating certificates for cloud-controller service INFO[0000] Rotating certificates for scheduler service INFO[0000] Rotating certificates for k3s-server service INFO[0000] Rotating dynamic listener certificate INFO[0000] Rotating certificates for k3s-controller service INFO[0000] Rotating certificates for auth-proxy service INFO[0000] Rotating certificates for kubelet service INFO[0000] Rotating certificates for kube-proxy service INFO[0000] Successfully backed up certificates for all services to path /var/lib/rancher/k3s/server/tls-1665255335, please restart k3s server or agent to rotate certificates admin@marge:~$ sudo diff -sr /var/lib/rancher/k3s/server/tls /var/lib/rancher/k3s/server/tls-1665255335/ | grep -i identical | awk '{print $2}' | xargs basename -a | awk 'BEGIN{print "Identical Files: "}; {print $1}' Identical Files: client-ca.crt client-ca.key dynamic-cert.json peer-ca.crt peer-ca.key server-ca.crt server-ca.key request-header-ca.crt request-header-ca.key server-ca.crt server-ca.key service.key apiserver-loopback-client__.crt apiserver-loopback-client__.keyc- 2
- 4
- g
gifted-branch-26934
10/10/2022, 12:12 PMhello guys, i have an app deployed in k8s with 2 replicas, the problem is each time i increase the number of replicas, the new replica is directly marked as available and operating. but the real thing that is happening that at the startup it builds a model that takes about 5 mins. for this issue i want the traffic to be routed to the first replica that has been operating for long time, and once the new replica builds the model, then i need to make it receive traffic as well. any idea how to do that?a- 2
- 8
- a
average-arm-20932
10/11/2022, 6:36 PMHello Team, During the scanning I found 'weak SSL ciphers', in k3s server, I'm using K3S version 'v1.21.1+k3s1'. I found an official WEB-URL to fix the issue and seems it is for 'Rancher-manager', but do we have any fix for K3S. For Rancher-Manager. https://www.suse.com/c/resolve-cipher-and-ssl-threats-security-scans/ Thanks & Regards.c- 2
- 9
- f
famous-flag-15098
10/12/2022, 3:38 PMI have a few questions regarding multi-master k3s. I currently have a 6 node home cluster that currently has 2 etcd/masters. When I setup the second master I used the K3S_URL of the first master. Now I would like to turn the original master into an agent node, and then turn two of the existing agents into masters. How should I approach this?b- 2
- 2
- f
famous-flag-15098
10/12/2022, 3:38 PMI am especially wondering about how the K3S_URL works.b- 2
- 2
- b
billowy-bird-32869
10/13/2022, 9:40 AMHello. I am using K3D for K3S and I would like to parametrize from the command line (or even as a variable) the value of a chart manifest used with the autodeploy feature. More explicitly, I have created a HelmChart resource in
and in that resource, I have used spec.set to change the value of some property. The value to the property is delivered via an environment variable at the moment as I cannot think of any other way after looking at the options from k3s. Would someone have an idea, how I could parametrize my chart or if the way I have done it is correct, how do I supply the value. Thanks. Sample:/var/lib/rancher/k3s/server/manifests/Copy codespec: helmVersion: v3 repo: <https://charts.gitlab.io> chart: gitlab-runner targetNamespace: gitlab-runners set: runners.tags: "$my_tag" - s
stale-vegetable-37217
10/13/2022, 1:52 PMHi, Can someone help me out? I am trying to run a k3s for the first time behind a corporate proxy. The proxy allows the use of ipv4 as well as ipv6 but on different hostnames. After installing awx on the 1 node cluster and checking with kubectl logs I get an proxyconnect tcp error code 503. The full error is printed below. The ipv6 address printed is the one from the server, and port 6443 is running. It seems that k3s is trying to connect to localhost using the proxy (which is not needed). NO_PROXY var is also set. Anyone has an idea as to why that is happening? Full error: 'Error from server: Get "https//[2a02xxxxx]:10250/containerLogs/awx/awx-operator-controller-manager-fcf6db67c-h9s9q/awx-manager?follow=true": proxyconnect tcp: proxy error from [:1]6443 while dialing proxy.xxx.be:8080, code 503: 503 Service Unavailable'c- 2
- 2