Add additional kernel config checks for NETFILTER_XT_MATCH_COMMENT and
NETFILTER_XT_MATCH_MULTIPORT as they are both required to run k3s.
Signed-off-by: Richard Steinmetz <richard@steinmetz.cloud>

Problem:
A false-negative in check-config.sh for cgroups v2 systems was fixed, but the
commit introduced a regression based on a small assumption that the content of
/sys/fs/cgroup/cgroup.controllers would have the same format as the content
of /proc/self/cgroup. It doesn't.
Solution:
This just tweaks the regex to count occurrences of either cgroup
subsystem-names on each line (as occurs in the sysfs pseudo-file), or those
names with colons either side (as occurs in the procfs pseudo-file).
Signed-off-by: Rowan Thorpe <rowan@rowanthorpe.com>

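The two pseudo-file layouts named in the commit message above, handled by one parser, as an added example that is not the project's check-config.sh code. The sample contents and the function names list_controllers and count_present are constructed for illustration; matching is on whole controller tokens, so cpu is not counted when only cpuset or cpuacct is present.

```shell
#!/bin/sh
# Constructed samples, not captured from a real host.
# cgroup v2: /sys/fs/cgroup/cgroup.controllers is one space-separated line.
SYSFS_SAMPLE='cpuset cpu io memory hugetlb pids'
# cgroup v1: /proc/self/cgroup has one "id:controller-list:path" entry per line.
PROCFS_SAMPLE='12:memory:/user.slice
11:cpuset:/
10:cpu,cpuacct:/user.slice
9:pids:/user.slice
0::/user.slice'

# list_controllers CONTENT
# Print one controller name per line, whichever layout CONTENT uses.
list_controllers() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+:[^:]*:/ {
            # procfs layout: only the second colon-delimited field holds
            # controller names, so the cgroup path can never match.
            split($0, field, ":")
            n = split(field[2], ctrl, ",")
            for (i = 1; i <= n; i++) if (ctrl[i] != "") print ctrl[i]
            next
        }
        # sysfs layout: every whitespace-separated word is a controller.
        { for (i = 1; i <= NF; i++) print $i }
    '
}

# count_present CONTENT NAME...
# Echo how many of the required NAMEs are present as exact tokens.
count_present() {
    content=$1
    shift
    found=0
    for name in "$@"; do
        if list_controllers "$content" | grep -Fxq -- "$name"; then
            found=$((found + 1))
        fi
    done
    echo "$found"
}

echo "sysfs:  $(count_present "$SYSFS_SAMPLE" cpu cpuset memory pids) of 4"
echo "procfs: $(count_present "$PROCFS_SAMPLE" cpu cpuset memory pids) of 4"
```
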
Problem:
In check-config.sh, assumptions are made about cgroups v1/v2/hybrid, which
causes a false-negative on a pure v2 system.
Solution:
In check-config.sh, implement the same validation as found in
./pkg/agent/run.go -> validate(), validateCgroupsV1(), validateCgroupsV2()
[ which use containerd/cgroups:utils.go -> Mode() ]
Signed-off-by: Rowan Thorpe <rowan@rowanthorpe.com>

If the ip_set kernel module is not available, we should warn
that the network policy controller cannot start rather than
cause a fatal error.
Also adds module probing and config checks for ip_set.