# rke2
r
I don't remember if you can update, but I do remember when I used the CIS profile that it refused to start three or four times giving an error for items that I didn't have set right for CIS profile (which could be found in `journalctl -u rke2-server`).
g
Rgr, thanks - what I’m seeing is that the `install-cni` container is failing, saying it cannot reach the containerd.sock. No idea why, checked file perms, etc. In the `rke2-server` logs the fatal error is that it cannot create netpols in kube-system, but I presume this is because the cni isn’t running.
r
That seems odd. I'd think that the CNI would already be installed if it was an existing cluster.
g
we’ve built a new base ami so it’s trying to start up and join the cluster
r
So the server nodes are fine? If those restarted with a couple of failures that you need to change some file permissions & whatnot then it probably worked, but if you didn't pre-emptively do a few things like that and restarted with no changes then it probably didn't take and the new client is probably failing with expecting the server to be stricter when it's not.
g
Rgr. We did the actions listed for creating the etcd user and the sysctl kernel settings. I think we’re going to run a cis baseline tool against the image and see if anything comes up that we missed
r
Well, good luck. If you want to verify if the settings went through you could also stop RKE2 on a node, deliberately break one of the settings, then start it and see if it continues or bombs with an error.
g
ok
so, also, maybe I should clarify - we have server nodes up and running already without the `cis` profile, then the new server node that is trying to join has the profile enabled. Our plan was to swap them out one by one. Is that gonna work or is there another preferred method?
r
I don't know about preferred method, but I wouldn't expect a server node with CIS enabled to be able to join a cluster with it disabled. You might be able to turn it on one at a time on existing servers or shut all the servers off and turn it on and turn them back on one at a time, but I would be surprised if you could join one attempting to enforce. Maybe someone from Rancher will pipe in with clarification.
(I only quickly tested a little a year ago)
g
right. yeah that sounds right to me. we may be going about this in the wrong way. maybe we’ll just try to stand up a small test cluster to verify the images are good. thanks!
p
Hi @glamorous-byte-20543, Do you have any updates on this? I want to move an existing cluster from no profile to `profile: cis-1.6`. I have a 5 node cluster. Do we need to update the cis profile on every node one at a time and then restart the rke2 service?
g
Yeah - actually that’s basically what we did. Edit the config and restart.
p
@glamorous-byte-20543 Just to confirm - Stop the rke2 service on all the nodes, update the cluster config and restart all the nodes. Is this correct?
g
you should be able to do it one by one
just make sure the node rejoins the cluster and comes ready
p
Understood! Thanks!