7.2. Troubleshooting iptables

This section provides troubleshooting information for the Configuring iptables for K3s phase of Running the LOCKSS Installer.

7.2.1. Switch iptables to legacy mode via Alternatives

K3s 1.21.5+k3s1 (the version used by LOCKSS 2.0-alpha5) does not always work with iptables versions 1.8.0 through 1.8.3 when iptables is run via Alternatives but is not in legacy mode, as on some Debian or Ubuntu systems [1]. If install-lockss detects this situation, you will see a warning message and the following prompt [2]:

Switch iptables to legacy mode via Alternatives?

Enter Y to accept the proposed iptables configuration. If you bypass the proposed configuration, K3s may malfunction.

The remediation attempted by install-lockss is equivalent to:

# Required only if ufw is active
ufw disable

# Required
update-alternatives --set iptables /usr/sbin/iptables-legacy

# Required
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

# Optional
update-alternatives --set arptables /usr/sbin/arptables-legacy

# Optional
update-alternatives --set ebtables /usr/sbin/ebtables-legacy

# Required only if ufw was active
ufw enable

7.2.2. Post-Installation Changes to iptables

If your system did not need an iptables adjustment when K3s was installed but later does (for example, because iptables is upgraded from a pre-1.8.0 version to version 1.8.0 or later), run this command (relative to the LOCKSS Installer Directory) as a privileged user who can become root via sudo [3]:

scripts/install-lockss --configure-iptables

This will run only the Configuring iptables for K3s phase of install-lockss.
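
A host can be checked for the condition described in 7.2.1, or rechecked after an iptables upgrade as in 7.2.2, with a classifier like the one below. This is an added example, not part of install-lockss and not its detection logic; the function names are hypothetical, the sample lines are constructed, and it assumes that iptables --version reports its mode as (nf_tables) or (legacy).

```shell
#!/bin/sh
# Added example; not part of install-lockss. Function names are hypothetical.
# Assumption: iptables 1.8+ prints e.g. "iptables v1.8.2 (nf_tables)" or
# "iptables v1.8.2 (legacy)"; pre-1.8 releases print no mode suffix.

# classify_iptables "<iptables --version output>"
# Prints: affected   (1.8.0-1.8.3, nf_tables mode: the case in 7.2.1)
#         legacy     (already in legacy mode)
#         unaffected (version outside 1.8.0-1.8.3)
#         unknown    (line could not be parsed, or mode is missing)
classify_iptables() {
    line=$1
    ver=$(printf '%s\n' "$line" |
        sed -n 's/^iptables v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    case $line in
        *"(legacy)"*) echo legacy; return 0 ;;
    esac
    case $ver in
        1.8.0|1.8.1|1.8.2|1.8.3)
            case $line in
                *"(nf_tables)"*) echo affected ;;
                *) echo unknown ;;
            esac ;;
        *) echo unaffected ;;
    esac
}

# check_host: classify the iptables binary on this machine.
# Returns 0 unless the host is in the affected state (1) or has no iptables (2).
check_host() {
    out=$(iptables --version 2>/dev/null) || { echo "iptables not found" >&2; return 2; }
    state=$(classify_iptables "$out")
    echo "$out -> $state"
    [ "$state" != affected ]
}

# Demonstration on constructed sample lines (not captured from a real host).
for sample in "iptables v1.8.2 (nf_tables)" "iptables v1.8.2 (legacy)" \
              "iptables v1.6.1" "iptables v1.8.7 (nf_tables)"; do
    printf '%-30s %s\n' "$sample" "$(classify_iptables "$sample")"
done
```

On a real host, call check_host; a result of affected means the host matches the version and mode described in 7.2.1, and a result of legacy after the switch confirms that the Alternatives change took effect.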


Footnotes

[1] References:

[2] See Configuring iptables for K3s.

[3] See Running Commands as a Privileged User.