Kubeadm: improve kubeadm preflight message for bridge-nf-call-iptables

Created on 17 Jun 2017  ·  11 Comments  ·  Source: kubernetes/kubeadm

Is this a BUG REPORT or FEATURE REQUEST?

A request for improvement of documentation/UX experience

Versions

kubeadm version (use kubeadm version):
kubeadm version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.5", GitCommit:"490c6f13df1cb6612e0993c4c14f2ff90f8cdbf3", GitTreeState:"clean", BuildDate:"2017-06-14T20:03:38Z", GoVersion:"go1.7.6", Compiler:"gc", Platform:"linux/amd64"}

Environment:

  • Kubernetes version (use kubectl version):
    Client Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.5", GitCommit:"490c6f13df1cb6612e0993c4c14f2ff90f8cdbf3", GitTreeState:"clean", BuildDate:"2017-06-14T20:15:53Z", GoVersion:"go1.7.6", Compiler:"gc", Platform:"linux/amd64"}
    The connection to the server localhost:8080 was refused - did you specify the right host or port?
  • Cloud provider or hardware configuration:
    VirtualBox VM with 2GB RAM

  • OS (e.g. from /etc/os-release):
    NAME="CentOS Linux"
    VERSION="7 (Core)"
    ID="centos"
    ID_LIKE="rhel fedora"
    VERSION_ID="7"
    PRETTY_NAME="CentOS Linux 7 (Core)"
    ANSI_COLOR="0;31"
    CPE_NAME="cpe:/o:centos:centos:7"
    HOME_URL="https://www.centos.org/"
    BUG_REPORT_URL="https://bugs.centos.org/"

    CENTOS_MANTISBT_PROJECT="CentOS-7"
    CENTOS_MANTISBT_PROJECT_VERSION="7"
    REDHAT_SUPPORT_PRODUCT="centos"
    REDHAT_SUPPORT_PRODUCT_VERSION="7"

  • Kernel (e.g. uname -a):
    Linux localhost.localdomain 3.10.0-514.21.1.el7.x86_64 #1 SMP Thu May 25 17:04:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

  • Others:
    Environment created using Vagrant/VirtualBox with the following Vagrantfile:

Vagrant.configure("2") do |config|
  config.vm.box = "centos/7"

  config.vbguest.no_install = true
  config.vm.box_check_update = false
  config.vm.provider "virtualbox" do |vb|
     # Display the VirtualBox GUI when booting the machine
     vb.gui = false
     vb.memory = "2048"
     vb.cpus = "2"
     vb.linked_clone = true if Vagrant::VERSION =~ /^1.8/
  end
end

What happened?

kubeadm init preflight fails with the following output:

[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.
[init] Using Kubernetes version: v1.6.6
[init] Using Authorization mode: RBAC
[preflight] Running pre-flight checks
[preflight] Some fatal errors occurred:
    /proc/sys/net/bridge/bridge-nf-call-iptables contents are not set to 1
[preflight] If you know what you are doing, you can skip pre-flight checks with `--skip-preflight-checks`

What you expected to happen?

kubeadm init preflight to provide a more "user friendly" message that helps users to identify and fix the problem; additionally, it could be useful to move some points from https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#limitations to https://kubernetes.io/docs/setup/independent/install-kubeadm/

How to reproduce it (as minimally and precisely as possible)?

Use Vagrant/VirtualBox and the Vagrantfile provided above

Anything else we need to know?

link to preflight check in code base
https://github.com/kubernetes/kubernetes/blob/master/cmd/kubeadm/app/preflight/checks.go#L502

problem detected investigating #308

All 11 comments

I had this issue as well, if you want a quick fix, provision your boxes with the following command:

echo '1' > /proc/sys/net/bridge/bridge-nf-call-iptables

Basically you need to set your ip tables in CentOS (and other redhat family OSs I assume?)

This is documented here: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#limitations

Having kubeadm deal with these OS specifics would certainly be interesting but might increase the scope of the tool too much right now.

@gtirloni. Many thanks for pointing this out.
Changed the issue from a bug to a request to improve the UX experience/improve the documentation

@fabriziopandini Feel free to improve the preflight checks

Now the documentation describes this case as well.

Thanks!

I was installing kubeadm on a VirtualBox VM (CentOS 7). (Install instructions: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/ )
I was unable to do it and landed here. A short fix was mentioned in the comments above:

echo '1' > /proc/sys/net/bridge/bridge-nf-call-iptables

Unfortunately, it didn't work in my case. It gave 'no such file or directory'.
The correct fix is mentioned here.
Thanks,

@amit-handa which Linux distribution are you running?

EDIT: Never mind, just noticed it's CentOS 7. I spun up a Vagrant box here and can reproduce that.

To make it persistent it is better to change the sysctl configuration.
For example, in CentOS 7 you have to change the /usr/lib/sysctl.d/00-system.conf file according to:

# Kernel sysctl configuration file
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Enable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1

In case the link isn't available in the future, it was a matter of enabling the bridge-netfilter with:

modprobe br_netfilter

In my case:
OS=CentOS_7
kubeadm=1.19.0

What fixed this issue was setting the contents of /usr/lib/sysctl.d/00-system.conf to:

# Kernel sysctl configuration file
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Enable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
net.ipv4.ip_forward                 = 1

run: sysctl --system

BINGO!
DISCO!

A better solution is to override the values in the /etc/sysctl.d/00-system.conf file vs updating /usr/lib/sysctl.d/00-system.conf directly.
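
The two failure modes reported in this thread (the value is not 1, or the file does not exist because br_netfilter is not loaded) and the persistent fix can be checked with the shell functions below. This is an added example, not kubeadm's code or any commenter's; the optional ROOT argument and the drop-in file names `br_netfilter.conf` and `99-kubernetes.conf` are assumptions of this example.

```shell
#!/bin/sh
# Added example. ROOT is a hypothetical prefix ("" on a real node) so the
# functions can also be exercised against a scratch directory.

# diagnose_bridge_nf [ROOT]
# Returns 0 if the value is 1, 1 if it has another value,
# 2 if the file is missing (br_netfilter not loaded).
diagnose_bridge_nf() {
    root="${1:-}"
    f="$root/proc/sys/net/bridge/bridge-nf-call-iptables"
    if [ ! -e "$f" ]; then
        # This is the 'no such file or directory' case from the thread:
        # the sysctl only appears once the br_netfilter module is loaded.
        echo "$f does not exist: br_netfilter is not loaded."
        echo "Fix: modprobe br_netfilter"
        return 2
    fi
    val=$(cat "$f")
    if [ "$val" != "1" ]; then
        echo "$f is '$val', expected 1."
        echo "Fix: sysctl net.bridge.bridge-nf-call-iptables=1"
        return 1
    fi
    echo "$f is 1: bridged traffic is passed to iptables."
    return 0
}

# persist_bridge_nf [ROOT]
# Writes drop-ins under /etc so the module is loaded at boot and the sysctls
# are re-applied, without editing the packaged file in /usr/lib/sysctl.d.
persist_bridge_nf() {
    root="${1:-}"
    mkdir -p "$root/etc/modules-load.d" "$root/etc/sysctl.d"
    echo br_netfilter > "$root/etc/modules-load.d/br_netfilter.conf"
    cat > "$root/etc/sysctl.d/99-kubernetes.conf" <<'EOF'
# Pass bridged IPv4/IPv6 traffic to iptables/ip6tables.
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
}
```

On a node, run `diagnose_bridge_nf` with no argument, then `persist_bridge_nf` as root followed by `modprobe br_netfilter` and `sysctl --system`.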
