https://rancher.com/ logo
Title
p

prehistoric-judge-25958

11/06/2022, 10:33 PM
Hi, I am seeing some aux/iptables errors when check the K3s config
k3s check-config
what does these errors exactly mean should is solve this and if so how? I am running k3s on Debian 11 bullseye with 3 masters (etcd).
root:# k3s check-config

Verifying binaries in /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin:
- sha256sum: good
- links: aux/ip6tables should link to iptables-detect.sh (fail)
- links: aux/ip6tables-restore should link to iptables-detect.sh (fail)
- links: aux/ip6tables-save should link to iptables-detect.sh (fail)
- links: aux/iptables should link to iptables-detect.sh (fail)
- links: aux/iptables-restore should link to iptables-detect.sh (fail)
- links: aux/iptables-save should link to iptables-detect.sh (fail)
....
STATUS: 6 (fail)
p

prehistoric-judge-25958

11/07/2022, 6:16 PM
Thanks, but in the docs I read its for "Debian Buster" I am running Debian Bullseye
n

nutritious-tomato-14686

11/07/2022, 6:17 PM
What version of the iptables do you have though? It applies to every OS that is running version 1.8.0-1.8.4
p

prehistoric-judge-25958

11/07/2022, 6:24 PM
I did a clean installation of Debian 11 and looks like there is no iptables packages installed at all.
which iptables
gives me no result. Is Iptables required for K3s?
n

nutritious-tomato-14686

11/07/2022, 6:56 PM
Then you are fine, K3s bundles its own version of iptables, its just using that
We typically expect the host to have some version of iptables, and k3s defaults to using the host binary. That's why we have those checks in the
k3s check-config
p

prehistoric-judge-25958

11/07/2022, 6:58 PM
Ok thanks! so then I just ignore these 6 FAIL messages
n

nutritious-tomato-14686

11/07/2022, 7:25 PM
Yeah you can ignore those 6 FAILS. If you want to see all the iptables rules that k3s makes, you can always use
sudo /var/lib/rancher/k3s/data/current/bin/aux/iptables -L
. This would be a good thing to improve IMO about the k3s check-config. I think a warning about "k3s is using embedded iptables" would be better than 6 FAILS.
­čĹŹ 1