# rke2
p
With `profile: cis-1.23` added to my `config.yaml`, the `systemctl restart rke2-server` fails. I feel like I need to add a NetworkPolicy, but now I can’t find the documentation I found that in….
r
If restart fails, then it's probably turned on. There are 2-4 commands you'll have to run on some of your nodes to get things to work with CIS profile enabled. They were in the install docs for it and as I recall the logs gave hints. Don't remember the specifics any more, though.
p
Hmm…okay. Will re-check the install docs. I’ve been following docs.rke2.io/security/hardening_guide and I think I’ve done everything there… Thanks!
r
I'd check the logs. It should point to the problem, and instead of it being forgetting the OS things, it might be telling you that something with the initial etcd is wrong. The main thing I recall is if you start with the CIS profile then any misconfiguration from the profile will cause it to error out and not start.
So the logs might show you that you can turn it on after install time, but it might never work as it might require certain things created in a certain way.
p
Yeah, the logs make it seem like either etcd is not starting or things can’t talk to it…
r
Did you check the static pod logs for etcd?
If you aren't familiar with how to get crictl to work to do that sort of thing, https://gist.github.com/superseb/3b78f47989e0dbc1295486c186e944bf gives the rundown on what you need to do.
p
Thanks! That’s super helpful. New to rke2 (from rke)
r
I was pretty excited when one of the Rancher folks pointed me to that on debugging something a while ago.
p
Thanks! I think it was just bad etcd perms. I think I had not set up my etcd user correctly.
c
You can also just look at stuff under `/var/log/pods`; oftentimes that’s way easier than poking about with crictl.