7.7. Troubleshooting the K3s Configuration Checker

After installing K3s [2], you may optionally run the K3s configuration checker k3s check-config [3] (see Checking the K3s Configuration). This configuration checker runs through a more extensive series of tests, covering "required", "generally necessary", and "optional" system aspects needed by K3s.

Some failures, especially in "optional" aspects, may not actually prevent the cluster from working normally, in the limited ways the LOCKSS system uses Kubernetes. Some of the error messages you might encounter are documented below, but you may need to refer to the official K3s documentation or use a search engine to look up a specific error message.

7.7.1. iptables should be older than v1.8.0, newer than v1.8.3, or in legacy mode

In some instances, you may encounter an error message similar to the following:

/usr/sbin iptables v1.8.2 (nf_tables): should be older than v1.8.0, newer than v1.8.3, or in legacy mode (fail)

In previous versions of K3s, this error message was also sometimes phrased as should be older than v1.8.0 or in legacy mode.

The install-lockss script should detect this situation and offer to switch iptables to legacy mode via Alternatives (see Troubleshooting iptables). If the error above occurs:

• Verify that the Configuring iptables for K3s phase of install-lockss was not skipped.

• Verify that, if applicable, the proposed iptables configuration changes in the Configuring iptables for K3s phase of install-lockss were not bypassed.

• Using the Troubleshooting iptables section as reference, verify that the remediation attempted by install-lockss has taken effect.

• Search the K3s issues database for issues related to k3s check-config, iptables and your operating system.

7.7.2. User namespaces disabled

In some RHEL 7 and CentOS 7 systems, you may receive the following error message:

RHEL7/CentOS7: User namespaces disabled; add 'user_namespace.enable=1' to boot command line (fail)

To resolve this issue, see Enabling User Namespaces in RHEL 7 and CentOS 7.

7.7.3. apparmor enabled but apparmor_parser missing

In some systems where Apparmor is enabled, you may receive the following error:

apparmor: enabled, but apparmor_parser missing (fail)

To resolve this issue, see Installing apparmor_parser.

7.7.4. cgroup hierarchy nonexistent

In some Arch Linux, Debian and Fedora systems, you may see the following error message:

cgroup hierarchy: nonexistent?? (fail)

K3s supports cgroup2 but k3s check-config version 1.21.5+k3s1 (used in LOCKSS 2.0-alpha5) does not process this condition correctly. This warning can be ignored.

7.7.5. links: aux/iptables should link to iptables-detect.sh

In some Fedora and OpenSUSE systems, you may encounter six related error messages like the following:

links: aux/ip6tables should link to iptables-detect.sh (fail)
links: aux/ip6tables-restore should link to iptables-detect.sh (fail)
links: aux/ip6tables-save should link to iptables-detect.sh (fail)
links: aux/iptables should link to iptables-detect.sh (fail)
links: aux/iptables-restore should link to iptables-detect.sh (fail)
links: aux/iptables-save should link to iptables-detect.sh (fail)

This is due to a bug in k3s check-config [6], triggered in environments where there is no iptables system package installed. This warning can be ignored.

7.7.6. swap should be disabled

This warning can be ignored:

swap: should be disabled

7.7.7. CONFIG_INET_XFRM_MODE_TRANSPORT missing

This warning can be ignored:

CONFIG_INET_XFRM_MODE_TRANSPORT: missing

---

Footnotes

[1]

See Running the LOCKSS Installer.

[2]

See Installing K3s.

[3]

See Checking the K3s Configuration.

[4]

References:

• https://github.com/k3s-io/k3s/issues/2946

[5]

References:

• https://fortuitousengineer.com/installing-kubernetes-k3s-on-centos-rhel-hosts/

[6]

Reference:

• https://github.com/k3s-io/k3s/issues/4066

  • https://github.com/k3s-io/k3s/issues/4066#issuecomment-925137706

[7]

See Running Commands as root.