rancher-users #rke2

shy-megabyte-75492

09/22/2022, 7:09 PM

Trying to do a graceful shutdown of my bare metal nodes. When running the rke2 killall script on each node, then I shutoff. When I turn them back on, the cluster is back up but the rook ceph pods are very unhappy. I found a GitHub issue but it hasn’t been updated in a while. Any help?

swift-zebra-42479

09/23/2022, 5:58 AM

Good after is any tools to rotate the Containerd logs on RKE2 or RKE2 are provided inbuild tool to rotate the contianerd logs ?,Please suggest me if any

abundant-yak-72647

09/25/2022, 4:30 AM

How to create terraform module for onprem baremetal servers to have rke @here #rke2

tall-doctor-28108

09/26/2022, 1:04 PM

I saw that there are different versions and branches for the RKE2 install.sh script: https://github.com/rancher/rke2/blob/release-1.21/install.sh Do I have to use the script from the branch of my current k8s version, or can I just use the latest script from the master branch for all versions?

enough-toddler-31145

09/26/2022, 1:16 PM

Hey everyone! So I have a unique scenario and use case for rke2. I am using it for government compliance and to give people the warm and fuzzies on moving over to k8s. I started to deploy my VMs using terraform with RHEL8_STIG base image. From their I having ansible deploy rke2 and bootstrap rke2. The issue I have been running into so far is certificates. So far the first server will be bootstrapped and running however the other server nodes cannot connect due to

remote error: tls: bad certificate "remote error: tls: bad certificate"

and I messed with my config a little bit and restarted the bootstrapped server to now get the following error:

Copy code

E0926 13:03:06.509286 1306356 leaderelection.go:325] error retrieving resource lock kube-system/rke2: Get <https://127.0.0.1:6443/api/v1/namespaces/kube-system/configmaps/rke2>: dial tcp 127.0.0.1:6443: connect: connection refused

running a curl against this gives the following output:

Copy code

curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: <https://curl.haxx.se/docs/sslcerts.html>

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Then running a curl and ignore certificates provides this output:

Copy code

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
}

Has anyone ran into any trouble with rke2-server certificates and specifically on hardened RHEL8 boxes?? Thanks!

bulky-glass-61156

09/26/2022, 6:52 PM

Hi, Not sure this is the right channel but I am looking to talk to someone from RKE2 sales team as our team would like to explore options for support. Any contact would be great!! Thanks!

shy-zebra-53074

09/27/2022, 3:40 PM

hey all! quick q, wondering why I’m not able to install

1.22.15

even though I’m being very explicit in all of my config options

shy-zebra-53074

09/27/2022, 3:40 PM

Copy code

curl -sfL <https://get.rke2.io> | INSTALL_RKE2_TYPE="server" INSTALL_RKE2_VERSION="v1.22.15+rke2r1" INSTALL_RKE2_CHANNEL="v1.22" INSTALL_RKE2_CHANNEL_URL="<https://update.rke2.io/v1-release/channels>" sudo -E sh -
[INFO]  using stable RPM repositories
[INFO]  using 1.22 series from channel stable
Rancher RKE2 Common (v1.22)                                                                                                                                                                                                                                  9.7 kB/s | 2.9 kB     00:00    
Rancher RKE2 1.22 (v1.22)                                                                                                                                                                                                                                     13 kB/s | 2.9 kB     00:00    
No match for argument: rke2-server-1.22.15~rke2r1
Error: Unable to find a match: rke2-server-1.22.15~rke2r1

shy-zebra-53074

09/27/2022, 3:41 PM

ah, I see I can only specify

latest

stable

and

testing

shy-zebra-53074

09/27/2022, 3:43 PM

ok so through trial / error

1.22.13

worked but not

1.22.14

1.22.15

shy-zebra-53074

09/27/2022, 3:43 PM

What’s the best way to identify the latest stable patch version of a minor version?

bright-whale-83501

09/28/2022, 6:23 PM

are there any solution to the system upgrade controller continuously trying to upgrade exe-files like kubelet.exe on and on?

broad-petabyte-50341

09/28/2022, 8:52 PM

Hey all, quick question, after upgrading from rke2

1.22.6

1.22.13

with my CNI set to

cilium

I'm getting failures with some of my pods making connections to postgres. The pods in question are in the same namespace, I'm able to connect to the database manually, the pods have the correct creds but they can't connect and I'm not getting a helpful error message. Reverting to 1.22.6 fixes the issue.

high-winter-92040

09/29/2022, 11:07 AM

QQ: any word on whether RKE2 is getting support from SuSE going forwards? or is RKE the preferred base?

shy-zebra-53074

09/29/2022, 3:31 PM

I’ve been dealing with this issue for months now, does anyone else have issues with

fapolicyd

continuing to block

runc

even though it’s been allowed as a rule AND added to the trust database??

shy-zebra-53074

09/29/2022, 3:33 PM

For example:

Copy code

[root@ip-192-168-96-10 ~]# cat /etc/fapolicyd/rules.d/01-app.rules 
# uids
%uuids=0,1000

# Run RKE2
allow perm=any all : dir=/opt/cni/
allow perm=any all : dir=/run/k3s/
allow perm=any all : dir=/var/lib/kubelet/
allow perm=any all : dir=/var/lib/rancher/
allow perm=any all : dir=/var/lib/rancher/rke2/data/v1.22.6-rke2r1-e6c1502b55cd/bin/
allow perm=any all : dir=/var/lib/rancher/rke2/data/v1.22.6-rke2r1-e6c1502b55cd/bin/runc

shy-zebra-53074

09/29/2022, 3:34 PM

Copy code

[root@ip-192-168-96-10 ~]# cat /etc/fapolicyd/trust.d/app 
# AUTOGENERATED FILE VERSION 2
# This file contains a list of trusted files
#
#  FULL PATH        SIZE                             SHA256
# /home/user/my-ls 157984 61a9960bf7d255a85811f4afcac51067b8f2e4c75e21cf4f2af95319d4ed1b87
/usr/bin/unzip 206704 299d6bae8ec58c76e087f8516cb6be438db2481bbab9b2b61a6c6a5c206a27f3
/var/lib/rancher/rke2/data/v1.22.6-rke2r1-e6c1502b55cd/bin/runc 11068888 b3276789a9b735b758e6292ce469192c9ef77514bf7fa3b3fef77d631a4e4ee3

shy-zebra-53074

09/29/2022, 3:34 PM

Copy code

[root@ip-192-168-96-10 ~]# sha256sum /var/lib/rancher/rke2/data/v1.22.6-rke2r1-e6c1502b55cd/bin/runc
b3276789a9b735b758e6292ce469192c9ef77514bf7fa3b3fef77d631a4e4ee3  /var/lib/rancher/rke2/data/v1.22.6-rke2r1-e6c1502b55cd/bin/runc

shy-zebra-53074

09/29/2022, 3:35 PM

Copy code

[root@ip-192-168-96-10 ~]# ausearch -m fanotify --raw | aureport --file --summary
File Summary Report
===========================
total  file
===========================
609  /var/lib/rancher/rke2/data/v1.22.6-rke2r1-e6c1502b55cd/bin/runc

shy-zebra-53074

09/29/2022, 4:21 PM

Also this: https://github.com/rancher/rke2/issues/2848

kind-air-74358

09/30/2022, 1:10 PM

Hi, What is your opinion on the best way to create an infrastructure consisting of a network, some VM’s and RKE2 installed on top? For the network and VM part I like using Terraform, but one downside is that Terraform is not that great to install and configure software on a VM. So how do you handle this? I see some different kind of solutions possible; 1. Create a golden image using, for example Packer, and use this image to deploy the OS and RKE2 on the VM. Even possible with something like cloud-init to provision specific configuration for RKE2. Downside is that I have to create a new image for each new RKE2 / OS version I want to use. Resulting in an update of my infrastructure (using Terraform). 2. After creating the VM, using Ansible (or some other procedural configuration management tool) to install and configure RKE2. Updates with Terraform are then probably a bit more tricky as Ansible doesn’t use desired state (so how to figure out which parts Terraform have to update) 3. Same as 2. but instead of using Ansible make use of a declarative tool like SaltStack. Downside on this is, that you have to provide an additional infrastructure for running SaltSack (or run this master-less), and still need to register the VM’s in Salt (or auto-approve / approve via grains?) What would you suggest? Or am I missing some other options?

sparse-fireman-14239

10/03/2022, 11:20 AM

I’ve gone through the documentation for RKE2, Googled and still haven’t found a way to gracefully shutdown an RKE2 node. systemctl stop rke2-server (or agent) doesn’t seem to work, regardless of which version I’ve tried (1.22.x & 1.23.x)

shy-zebra-53074

10/03/2022, 6:00 PM

Hey all! Just in case anyone is trying to get RKE2 working with

fapolicyd

here’s a thread I had that resolved my issue: https://github.com/linux-application-whitelisting/fapolicyd/issues/205

ancient-air-32350

10/03/2022, 8:19 PM

hi! i’m just playing with rke2 on vsphere in my lab and wondering if there is some equivalent of rke1 node templates in rke2 ? It’s really hard, when trying to new things to always fill in the complete machine-pool-config. I hoped that i could copy everything as yaml from try to try, but it seems that the machine pool config is not even show in yaml view ?

little-actor-95014

10/03/2022, 8:57 PM

Anyone else seeing Calico's ServiceAccoun token expire and breaking spawning containers with

"plugin type="calico" failed (add): error getting ClusterInformation: connection is unauthorized: Unauthorized"

since upgrading to

v1.24.6+rke2r1

from a 1.23 release? I assume it's something to do with the change to service account configs in 1.24 with

LegacyServiceAccountTokenNoAutoGeneration

going to enabled by default?

boundless-dog-9864

10/05/2022, 1:52 PM

How does the default nginx ingress controller become available on ports 80 and 443 on worker nodes? I was under the impression it uses a node port service but I can’t find that so looks like I am wrong.

able-engineer-22050

10/05/2022, 6:06 PM

Hi, I have a couple of rke2 clusters deployed from Rancher not created with authorized cluster endpoint enabled. Can I somehow enable this after creation? I found a stackoverflow question regarding this (https://stackoverflow.com/questions/72778753/how-to-add-an-authorised-cluster-endpoint-to-a-rke2-cluster-created-by-rancher) Is that to be performed only on one of the masters (I mean the webhook definition) and it is automatically synced across all masters? Is it /var/lib/rancher/rke2 where the webhook yaml is to be created or rather the server/manifests under it?

great-flag-38820

10/06/2022, 4:59 AM

Hi guys, do I need to create node templates for RKE2 clusters? The docs seem to say so, but I was under the impression they were only required for RKE1 - https://docs.ranchermanager.rancher.io/how-to-guides/new-user-guides/kubernetes-clusters-in-[…]ider/vsphere/provision-kubernetes-clusters-in-vsphere

famous-energy-13283

10/06/2022, 6:12 PM

Anyone have seen that after upgrading RKE2 to 1.25.0? error getting ClusterInformation: connection is unauthorized On some occasions, I'm seeing that on describing a pod that does not goes beyond the ContainerCreating phase. The weird thing is that rebooting the node fixes the issue, until it happens again. Never saw that before the upgrade (I was on 1.24.something before)

future-monitor-61871

10/06/2022, 6:53 PM

We're on 1.23.7 and looking to upgrade to 1.25.2. We've got the CIS 1.6 flag turned on and having read the changes in the CIS benchmarks for 1.24+ I'm wondering if anyone has done a similar upgrade via the automated upgrade controller. Is that recomended/supported for hardened clusters?