able-engineer-22050

10/07/2022, 2:44 PM
Hi, I have RKE2 v1.22.9 with rke2-canal. As the operating system supports ipset 7.15 I'm facing the issue of it not being compatible with hardened calico ipset. According to the tigera documentation, the latest image supports ipset 7.11 which is still incompatible with 7.15. As I'm not using any of the extra security features of hardened-calico (not even sure why I went with this in the first place), I would like to replace it. I've done a CNI replacement in a different cluster (EKS, replaced the stock CNI with weave), but I'm not sure what is the procedure here (if possible). Tigera documentation mentions a possible migration path from canal to calico, but does that apply here? The CNI was installed as part of the RKE2 installation. Does replacing the CNI break anything in the cluster?

bland-account-99790

10/07/2022, 3:11 PM
What OS are you using?

able-engineer-22050

10/07/2022, 3:11 PM
I'm using openSuSE microOS.

bland-account-99790

10/07/2022, 3:17 PM
I need to investigate this, can you point me to the tigera docs where the ipset version is mentioned?
Canal is basically using calico for network policies, which is what uses ipset, so migrating to Calico CNI will not help you though
what's the error you are seeing? kube-proxy is also using ipset and I wonder if you are also seeing problems there

able-engineer-22050

10/08/2022, 6:48 PM
https://projectcalico.docs.tigera.io/release-notes/ shows ipset 7.11 support. The exact error message I see in the rke2-calico logs:
2022-10-08 18:45:14.601 [INFO][31580] felix/ipsets.go 312: Retrying after an ipsets update failure... family="inet"
2022-10-08 18:45:14.602 [ERROR][31580] felix/ipsets.go 574: Bad return code from 'ipset list'. error=exit status 1 family="inet" stderr="ipset v7.1: Kernel and userspace incompatible: settype hash:ip with revision 5 not supported by userspace.\n"
2022-10-08 18:45:14.602 [WARNING][31580] felix/ipsets.go 322: Failed to resync with dataplane error=exit status 1 family="inet"
This repeats endlessly. About the migration issue: I see no such messages in the calico-node pod on one of my other clusters. The above messages only appear in the one with the rke2-canal installation.

bland-account-99790

10/10/2022, 7:43 AM
let me try to reproduce it
I can't reproduce it with microOS 5.2 using kernel 5.3.18, what version and kernel do you have?

able-engineer-22050

10/10/2022, 8:01 AM
Thanks for the time you take on this.
worker1:/etc # cat os-release
NAME="openSUSE MicroOS"
# VERSION="20220611"
ID="opensuse-microos"
ID_LIKE="suse opensuse opensuse-tumbleweed"
VERSION_ID="20220611"
PRETTY_NAME="openSUSE MicroOS"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:microos:20220611"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:MicroOS"
LOGO="distributor-logo-MicroOS"
# rpm -qa | grep kernel
kernel-default-5.18.2-1.1.x86_64

bland-account-99790

10/10/2022, 8:27 AM
thanks, that's pretty new! Note that the OS is not under the support matrix https://docs.rke2.io/install/requirements/#operating-systems
I will anyway try to get a system and reproduce the bug

able-engineer-22050

10/10/2022, 8:32 AM
That site does not even mention openSuSE microOS, just the SLE microOS. I failed to find how my microOS version relates to the SLE microOS
I see that there is an openSUSE Leap micro 5.2 available, which - if I understood correctly - is an openSUSE equivalent of SLE micro 5.2. SLE micro 5.1 however has no such openSUSE version. Is that correct? (I know this is an OS question, but maybe you have this information)

careful-piano-35019

10/10/2022, 10:18 AM
you should rather use openSUSE Leap Micro indeed
5.3 should become available soon
openSUSE MicroOS takes a similar approach to Tumbleweed, it's using a rolling release model

able-engineer-22050

10/10/2022, 10:30 AM
Thanks. Am I correct in that Leap Micro does not have a 5.1 version?

careful-piano-35019

10/10/2022, 10:31 AM
no it does not, but you should stay away from 5.1 which is soon EOL
correction 5.1 is EOL already
no my bad, I was reading the wrong column
5.1 EOL is 31/10/2025 & 5.2 is 30/04/2026
but Leap Micro is only built from 5.2 indeed

able-engineer-22050

10/10/2022, 10:51 AM
That's exactly what I wanted to ask, but you were faster