Add additional kernel config checks for NETFILTER_XT_MATCH_COMMENT and
NETFILTER_XT_MATCH_MULTIPORT as they are both required to run k3s.
Signed-off-by: Richard Steinmetz <richard@steinmetz.cloud>
Problem:
A false-negative in check-config.sh for cgroups v2 systems was fixed but the
commit introduced a regression based on a small assumption that content of
/sys/fs/cgroup/cgroup.controllers would have the same format as the content
of /proc/self/cgroup. It doesn't.
Solution:
This just tweaks the regex to count occurrences of either cgroup
subsystem-names on each line (as occurs in the sysfs pseudo-file), or those
names with colons either side (as occurs in the procfs pseudo-file).
Signed-off-by: Rowan Thorpe <rowan@rowanthorpe.com>
Problem:
In check-config.sh assumptions are made about cgroups v1/v2/hybrid,
causes false-negative on pure V2 system.
Solution:
In check-config.sh implement the same validation as found in
./pkg/agent/run.go -> validate(), validateCgroupsV1(), validateCgroupsV2()
[ which use containerd/cgroups:utils.go -> Mode() ]
Signed-off-by: Rowan Thorpe <rowan@rowanthorpe.com>
When k3s is installed on an OS with default high ulimits, performance
issues can be observed. This was discovered on CoreOS where the default
value is 1073741816. Symptoms include very slow file operations such
as installing a Rook/Ceph cluster will take ~6 hours instead of ~10 minutes.
A google search for 'container LimitNOFILE' will show that most major
projects set this already, including the (unused) containerd systemd unit
found in this repository at /vendor/github.com/containerd/containerd/containerd.service
k3OS is not affected becuasse the default there is already 1048576.
See description in coreos/fedora-coreos-tracker#329
There are some issues and quirks in the markdown documentation files
suggested by the markdownlint project checker that might benefit from
being fixed, which this patch does.
Change-Id: I33245825e5bb543b5ce1732204984d4a0b169668
Signed-off-by: Joakim Roubert <joakimr@axis.com>
Sometimes https://127.0.0.1:6443 can be written in the conf, the regexp does
not account for that.
Signed-off-by: Julien DOCHE <julien.doche@gmail.com>
If the ip_set kernel module is not available we should warn
that the network policy controller can not start rather than
cause a fatal error.
Also adds module probing and config checks for ip_set.
- Setting IPv4 & IPv6 forwarding
- Setting `sysctl:net.bridge.bridge-nf-call-iptables` and `bridge-nf-call-ip6tables` to enabled since it is disabled by default on some CentOS systems