Comments (6)
The (sendmsg() failed: Message too large iptables-restore: line 692 failed)
makes me suspect that there is a buffer size sysctl that is too small within your user namespace. Can you provide the output of sysctl -a
from within the k3s rootless namespace?
from k3s.
Filtered out the veth interfaces using the following: grep -v 'conf.veth'
.
from k3s.
I don't see any of the net.core
sysctls in your output? Those control most of the socket memory limits.
The difference in log message is due to our bundled iptables binaries being newer than the ones on your host, which improves error logging - see this change:
https://git.netfilter.org/iptables/commit/?id=a3e81c62e8c5abb4158f1f66df6bbcffd1b33240
The comment at https://serverfault.com/questions/1143773/lxc-container-fail-to-load-big-iptables-rules#comment1492057_1143773 suggests that this is a kernel limitation that only affects unprivileged use of the nft backend; you might see if using iptables-legacy is not affected by this issue?
You could also disable the network policy controller, to keep the iptables ruleset size under the cap enforced by the kernel.
from k3s.
net.core as root:
net.core.bpf_jit_enable = 1
net.core.bpf_jit_harden = 0
net.core.bpf_jit_kallsyms = 1
net.core.bpf_jit_limit = 528482304
net.core.busy_poll = 0
net.core.busy_read = 0
net.core.default_qdisc = fq_codel
net.core.dev_weight = 64
net.core.dev_weight_rx_bias = 1
net.core.dev_weight_tx_bias = 1
net.core.devconf_inherit_init_net = 0
net.core.fb_tunnels_only_for_init_net = 0
net.core.flow_limit_cpu_bitmap = 00
net.core.flow_limit_table_len = 4096
net.core.gro_normal_batch = 8
net.core.high_order_alloc_disable = 0
net.core.max_skb_frags = 17
net.core.message_burst = 10
net.core.message_cost = 5
net.core.netdev_budget = 300
net.core.netdev_budget_usecs = 8000
net.core.netdev_max_backlog = 1000
net.core.netdev_tstamp_prequeue = 1
net.core.netdev_unregister_timeout_secs = 10
net.core.optmem_max = 20480
net.core.rmem_default = 212992
net.core.rmem_max = 212992
net.core.rps_sock_flow_entries = 0
net.core.somaxconn = 4096
net.core.tstamp_allow_data = 1
net.core.warnings = 0
net.core.wmem_default = 212992
net.core.wmem_max = 212992
net.core.xfrm_acq_expires = 165
net.core.xfrm_aevent_etime = 10
net.core.xfrm_aevent_rseqth = 2
net.core.xfrm_larval_drop = 1
net.core as k3s user:
net.core.busy_poll = 0
net.core.busy_read = 0
net.core.default_qdisc = fq_codel
net.core.dev_weight = 64
net.core.dev_weight_rx_bias = 1
net.core.dev_weight_tx_bias = 1
net.core.devconf_inherit_init_net = 0
net.core.fb_tunnels_only_for_init_net = 0
net.core.flow_limit_cpu_bitmap = 00
net.core.flow_limit_table_len = 4096
net.core.gro_normal_batch = 8
net.core.high_order_alloc_disable = 0
net.core.max_skb_frags = 17
net.core.message_burst = 10
net.core.message_cost = 5
net.core.netdev_budget = 300
net.core.netdev_budget_usecs = 8000
net.core.netdev_max_backlog = 1000
net.core.netdev_tstamp_prequeue = 1
net.core.netdev_unregister_timeout_secs = 10
net.core.optmem_max = 20480
net.core.rmem_default = 212992
net.core.rmem_max = 212992
net.core.rps_sock_flow_entries = 0
net.core.somaxconn = 4096
net.core.tstamp_allow_data = 1
net.core.warnings = 0
net.core.wmem_default = 212992
net.core.wmem_max = 212992
net.core.xfrm_acq_expires = 165
net.core.xfrm_aevent_etime = 10
net.core.xfrm_aevent_rseqth = 2
net.core.xfrm_larval_drop = 1
I will give it a try with iptables-legacy later today.
from k3s.
iptables-legacy looks to have helped - im leaving it a few days to know for sure.
from k3s.
Closing as limitation of iptables nft backend. This could probably be added to the list of known issues with rootless k3s.
from k3s.
Related Issues (20)
- [Bug] Changes made to /etc/init.d/k3s are not saved on server re-boot HOT 1
- [Release-1.29] - MySQL + Kine Conformance Checks Fail
- [Release-1.28] - MySQL + Kine Conformance Checks Fail
- [Release-1.27] - MySQL + Kine Conformance Checks Fail
- [Release-1.29] - Validate resolv.conf for presence of nameserver entries
- [Release-1.28] - Validate resolv.conf for presence of nameserver entries
- [Release-1.27] - Validate resolv.conf for presence of nameserver entries
- [Release-1.29] - missing kernel config check
- [Release-1.28] - missing kernel config check
- [Release-1.27] - missing kernel config check
- [Release-1.29] - Auto-Deploying Manifests ignores symlinked directories
- [Release-1.28] - Auto-Deploying Manifests ignores symlinked directories
- [Release-1.27] - Auto-Deploying Manifests ignores symlinked directories
- [Release-1.29] - Embedded helm controller does not track owner references properly
- [Release-1.28] - Embedded helm controller does not track owner references properly
- [Release-1.27] - Embedded helm controller does not track owner references properly
- Request to upgrade to kube-router upstream HOT 2
- nfs-client-provisioner can't mount nfs server when k3s config '--prefer-bundled-bin' HOT 4
- Installation is broken HOT 3
- Air gapped images are deleted after eviction from DiskPressure HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from k3s.