Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
b
big-jordan-45387
01/12/2023, 6:50 PMhi, I am trying to create a new cluster in rancher using rke2 (I am very new to rancher), deployment fails because cattler-cluster-agent can't resolve the rancher server dns. I kept digging into this and I found this error in calico:
2023-01-12 18:18:10.939 [INFO][148571] felix/ipsets.go 309: Retrying after an ipsets update failure... family="inet"
2023-01-12 18:18:10.941 [INFO][148571] felix/ipsets.go 779: Doing full IP set rewrite family="inet" numMembersInPendingReplace=1 setID="all-ipam-pools"
2023-01-12 18:18:10.941 [INFO][148571] felix/ipsets.go 779: Doing full IP set rewrite family="inet" numMembersInPendingReplace=1 setID="masq-ipam-pools"
2023-01-12 18:18:10.941 [INFO][148571] felix/ipsets.go 779: Doing full IP set rewrite family="inet" numMembersInPendingReplace=6 setID="this-host"
2023-01-12 18:18:10.941 [INFO][148571] felix/ipsets.go 779: Doing full IP set rewrite family="inet" numMembersInPendingReplace=0 setID="all-vxlan-net"
2023-01-12 18:18:10.943 [WARNING][148571] felix/ipsets.go 713: Failed to complete ipset restore, IP sets may be out-of-sync. closeErr=<nil> commitErr=<nil> family="inet" flushErr=<nil> input="create cali40all-ipam-pools hash:net family inet maxelem 1048576\ncreate cali4t32 hash:net family inet maxelem 1048576\nadd cali4t32 10.42.0.0/16\nswap cali40all-ipam-pools cali4t32\ndestroy cali4t32\ncreate cali40masq-ipam-pools hash:net family inet maxelem 1048576\ncreate cali4t33 hash:net family inet maxelem 1048576\nadd cali4t33 10.42.0.0/16\nswap cali40masq-ipam-pools cali4t33\ndestroy cali4t33\ncreate cali40this-host hash:ip family inet maxelem 1048576\ncreate cali4t34 hash:ip family inet maxelem 1048576\nadd cali4t34 127.0.0.0\nadd cali4t34 127.0.0.1\nadd cali4t34 10.100.32.62\nadd cali4t34 148.187.113.235\nadd cali4t34 172.17.0.1\nadd cali4t34 10.42.224.64\nswap cali40this-host cali4t34\ndestroy cali4t34\ncreate cali40all-vxlan-net hash:net family inet maxelem 1048576\ncreate cali4t35 hash:net family inet maxelem 1048576\nswap cali40all-vxlan-net cali4t35\ndestroy cali4t35\nCOMMIT\n" processErr=exit status 1 stderr="ipset v7.11: Error in line 1: Kernel error received: set type not supported\n" stdout="" writeErr=<nil>
2023-01-12 18:18:10.943 [WARNING][148571] felix/ipsets.go 340: Failed to update IP sets. Marking dataplane for resync. error=exit status 1 family="inet"Not sure this is relevant...
nid003207:~ # ipset
ipset v6.36: No command specified.
Try `ipset help' for more information.c
creamy-pencil-82913
01/12/2023, 7:22 PMLooks like your kernel is too old?Kernel error received: set type not supported
b
big-jordan-45387
01/12/2023, 7:22 PMit is suse enterprise 15.3
but yeah I am checking if I can update ipset to 7.11 or so
c
creamy-pencil-82913
01/12/2023, 7:22 PMits not the ipset binary thats the problem
as it says, the kernel doesn’t support the set type that calico wants to use
either that or you’re missing kernel modules, not sure which
can you
modprobe xt_setb
big-jordan-45387
01/12/2023, 7:25 PMI think so, at leat it does not compalin
c
creamy-pencil-82913
01/12/2023, 7:25 PMdoes that fix the error?
b
big-jordan-45387
01/12/2023, 7:25 PMlet me check
should I kill the calico pod?
c
creamy-pencil-82913
01/12/2023, 7:26 PMsure
b
big-jordan-45387
01/12/2023, 7:27 PMsame error
c
creamy-pencil-82913
01/12/2023, 7:28 PMinteresting
what kernel version are you on?
We test on SLES 15.3 and 15.4 and have not run into that issue
b
big-jordan-45387
01/12/2023, 7:29 PMnid003207:~ # uname -r
5.3.18-150300.59.68_11.0.76-cray_shasta_cppl from calico are saying I should update the ipset in my kernel to match the one calico expects
c
creamy-pencil-82913
01/12/2023, 7:31 PMthat looks like a custom kernel
I suspect that whoever built it didn’t enable all the correct ipset options
If you’re running a custom kernel that’s on you (or your sysadmin) to ensure that it has all the same bits as the default SLES kernel, otherwise things will break
b
big-jordan-45387
01/12/2023, 7:33 PMyeah
true
c
creamy-pencil-82913
01/12/2023, 7:38 PMyou might see if canal fares any better but I suspect you’ll run into the same problem
b
big-jordan-45387
01/12/2023, 7:39 PMmmm I tried cilium and had the same issue, but yeah I can try canal also
first I am trying to update the ipset and see if I get things working
c
creamy-pencil-82913
01/12/2023, 7:40 PMits really the kernel and not the binary…
b
big-jordan-45387
01/12/2023, 10:08 PMwith canal works
it is weird because is also shows the same error message
so this tells me the issues is not with ipset when using calico
ipset 7.17 requires kernel >= 3.11 https://ipset.netfilter.org/install.html so my kernel should be ok to run calico
c
creamy-pencil-82913
01/12/2023, 11:51 PMright but there are different ipset hash algs and set types, the ipset binary and kernel have to both support the ones that the CNI is trying to use.
the error suggests that the ipset command is OK with it, but the kernel is not
b
big-jordan-45387
01/12/2023, 11:55 PMok, let me keep investigating
its is weird canal works however it uses an older version of calico which uses ipset6