Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
a
able-engineer-22050
10/07/2022, 2:44 PMHi, I have RKE2 v1.22.9 with rke2-canal. As the operating system supports ipset 7.15 I'm facing the issue of it not being compatible with hardened calico ipset. According to the tigera documentation, the latest image supports ipset 7.11 which is still incompatible with 7.15.
As I'm not using any of the extra security features of hardened-calico (not even sure why I went with this in the first place), I would like to replace it.
I've done a CNI replacement in a different cluster (EKS, replaced the stock CNI with weave), but I'm not sure what is the procedure here (if possible). Tigera documentation mentions a possible migration path from canal to calico, but does that apply here?
The CNI was installed as part of the RKE2 installation. Does replacing the CNI break anything in the cluster?
b
bland-account-99790
10/07/2022, 3:11 PMWhat OS are you using?
a
able-engineer-22050
10/07/2022, 3:11 PMI'm using openSuSE microOS.
b
bland-account-99790
10/07/2022, 3:17 PMI need to investigate this, can you point me to the tigera docs where the ipset version is mentioned?
Canal is basically using calico for network policies, which is what uses
ipsetwhat's the error you are seeing? kube-proxy is also using
ipseta
able-engineer-22050
10/08/2022, 6:48 PMhttps://projectcalico.docs.tigera.io/release-notes/ shows ipset 7.11 support.
The exact error message I see in the rke2-calico logs:
2022-10-08 18:45:14.601 [INFO][31580] felix/ipsets.go 312: Retrying after an ipsets update failure... family="inet"
2022-10-08 18:45:14.602 [ERROR][31580] felix/ipsets.go 574: Bad return code from 'ipset list'. error=exit status 1 family="inet" stderr="ipset v7.1: Kernel and userspace incompatible: settype hash:ip with revision 5 not supported by userspace.\n"
2022-10-08 18:45:14.602 [WARNING][31580] felix/ipsets.go 322: Failed to resync with dataplane error=exit status 1 family="inet"
This repeats endlessly.
About the migration issue: I see no such messages in the calico-node pod on one of my other clusters. The above messages only appear in the one one with the rke2-canal installation.
b
bland-account-99790
10/10/2022, 7:43 AMlet me try to reproduce it
I can't reproduce it with microOS 5.2 using kernel
5.3.18a
able-engineer-22050
10/10/2022, 8:01 AMThanks for the time you take on this.
worker1:/etc # cat os-releaseNAME="openSUSE MicroOS"# VERSION="20220611"ID="opensuse-microos"ID_LIKE="suse opensuse opensuse-tumbleweed"VERSION_ID="20220611"PRETTY_NAME="openSUSE MicroOS"ANSI_COLOR="0;32"CPE_NAME="cpe:/o:opensuse:microos:20220611"BUG_REPORT_URL="<https://bugs.opensuse.org>"HOME_URL="<https://www.opensuse.org/>"DOCUMENTATION_URL="<https://en.opensuse.org/Portal:MicroOS>"LOGO="distributor-logo-MicroOS"# rpm -qa | grep kernelkernel-default-5.18.2-1.1.x86_64b
bland-account-99790
10/10/2022, 8:27 AMthanks, that's pretty new! Note that the OS not under the support matrix https://docs.rke2.io/install/requirements/#operating-systems
I will anyway try to get a system and reproduce the bug
a
able-engineer-22050
10/10/2022, 8:32 AMThat site does not even mention openSuSE microOS, just the SLE microOS. I failed to find how my microOS version relates to the SLE microOS
I see that there is an openSUSE Leap micro 5.2 available, which - if I understood correctly - is an openSUSE equivalent of SLE micro 5.2.
SLE micro 5.1 however has no such openSUSE version. Is that correct? (I know this is an OS question, but maybe you have this information)
c
careful-piano-35019
10/10/2022, 10:18 AMyou should rather use openSUSE Leap Micro indeed
5.3 should become available soon
openSUSE MicroOS takes a similar approach to Tumbleweed, it's using a rolling release model
a
able-engineer-22050
10/10/2022, 10:30 AMThank. Am I correct in that Leap Micro does not have a 5.1 version?
c
careful-piano-35019
10/10/2022, 10:31 AMno it does not, but you should stay away 5.1 which is soon EOL
correction 5.1 is EOL already
no my bad, I was reading the wrong column
5.1 EOL is 31/10/2025 & 5.2 is 30/04/2026
but Leap Micro is only built from 5.2 indeed
a
able-engineer-22050
10/10/2022, 10:51 AMThat's exactly what I wanted to ask, but you were faster