Bridge-nf-call-iptables and swap error on LXD with kubeadm

hsbawa · July 6, 2018, 6:28pm

Following errors are when I am trying to run kubeadm on LXD. Thoughts on possible resolutions?

FileContent–proc-sys-net-bridge-bridge-nf-call-iptables: /proc/sys/net/bridge/bridge-nf-call-iptables does not exist"
- Kernel modules do exist on the LXD but not getting loaded. Docker info also shows disabled
- modprobe br_netfilter
- I don’t see this error/message on host machine
- sysctl net.bridge.bridge-nf-call-iptables=1 (not working)
Swap: running with swap on is not supported. Please disable swap", "I0705 19:07:52.856559 22735 kernel_validator.go:81]
- swapoff -a does not workon LXD. Not sure if it meant to work or not. Thoughts?
- Though I use can use fail on swap option but looking for option to disable swap on LXD

hsbawa · July 7, 2018, 3:41am

issue exists

stgraber · July 7, 2018, 6:13pm

Swap can’t be enabled/disabled on a per-container basis as it’s a global kernel resource.
LXD lets you configure the swappiness (likelyhood of getting swapped) on a per-container basis through the limits.memory options, but that won’t make the swap disappear.

For the br_netfilter module, you need to load it from the host or by setting it as a linux.kernel_modules property on the container. This should have it show up in the container, if not, then it’s unfortunately a kernel bug. In which case you may want to try a more recent kernel to see if that has since gotten fixed.

If not, @sforshee or @tyhicks may be able to look into why the netfilter bridge files aren’t properly tied to the network namespace.

hsbawa · July 7, 2018, 6:43pm

Hi @stgraber . I have setup Linux kernel modules in profile used by containers (see profile config snippet below).

config {
     boot.autostart ="true"
     linux.kernel_modules = "bridge,br_netfilter,x_tables,ip_tables,ip_vs,ip_set,ipip,xt_mark,xt_multiport,ip_tunnel,tunnel4,netlink_diag,nf_conntrack,nfnetlink,overlay"
     raw.lxc= "lxc.apparmor.profile = unconfined\nlxc.cgroup.devices.allow = a\nlxc.mount.auto=proc:rw sys:rw cgroup:rw\nlxc.cap.drop =

For the br_netfilter module, how can I load it from host? I know that module is working fine on host. Should I be using devices: section for the same? (update: still does not work, I tried path map in device section in addition with lxc.mount.auto=proc:rw)

On swap, I can try turn it off on host machine. (update: works with host’s swap off)

Thanks

hsbawa · July 8, 2018, 5:27am

Finally I was able to get kubeadm working. Don’t ask me what I did, but I am sure one of the permutations and combination worked