
Raspberry Pi OS Bullseye iptables no longer used by default

Open · Gashmore1 opened this issue 2 years ago · 5 comments

iptables is no longer the default firewall for Raspberry Pi OS from Bullseye onwards; it is now nftables. This causes errors when flushing the iptables in roles/raspberrypi/tasks/prereq/Raspbian.yml. I think it should be a simple change to fix, but my Ansible experience is near to none, so I don't know how to go about it.

Gashmore1 commented Dec 09 '21 18:12

Just now testing this out, and I'm experiencing the same. Technically one could install legacy iptables on Bullseye, but there's really no need for these steps anymore if running Debian 11 / Raspberry Pi OS Bullseye.

geerlingguy commented Jan 11 '22 05:01

+1 I am also hitting this issue.

@geerlingguy are you saying all iptables-related steps can simply be skipped when running on bullseye?

gsaslis commented Jan 18 '22 21:01

@gsaslis - Yep, exactly!

geerlingguy commented Jan 18 '22 22:01

Thanks for your comments @geerlingguy, so this means that for setting up k3s on Raspberry Pi, iptables need to be installed and the following commands can also be skipped?

```
sudo iptables -F
sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
```

mshiyamsam commented Jul 26 '22 05:07

@mshiyamsam correct, you don't need to install the iptables package or perform that configuration. I tested it recently on an RPi 4 running Raspbian Lite x64 Bullseye with v1.24.3+k3s1. Tested a service behind the default Traefik ingress, and also used MetalLB for a LoadBalancer.

maroskukan commented Aug 25 '22 17:08

Unfortunately, the iptables version included for Debian 11 (subsequently Raspberry Pi OS) is v1.8.7 which contains a known bug that causes performance issues with K3s. See https://docs.k3s.io/advanced#old-iptables-versions for more info.

In newer versions of K3s, the flag --prefer-bundled-bin exists, which forces K3s to utilize its own version of iptables that it ships with (which is, at a minimum, iptables v1.8.8+). So if you're still on older Pi OS/Debian versions, use that if you want to utilize the nftables backend.

Additionally, I will note that if no iptables is installed on a node (such as newer vanilla Debian), K3s will again utilize the iptables that it ships with. So we don't really need iptables to be installed anyway, regardless of OS.

However, Debian 12 (Bookworm) has access to iptables v1.8.9, and so can correctly be used by K3s. I will have a PR open soon that will not apply the alternatives for this newer OS version.

dereknola commented Nov 10 '23 20:11
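The thread settles on three rules: the `update-alternatives` switch to `iptables-legacy` is only needed on releases older than Bullseye (Debian 11), the iptables v1.8.7 shipped with Debian 11 has the known performance bug so K3s should be started with `--prefer-bundled-bin` there, and a node with no iptables at all (or Debian 12's v1.8.9) is fine as-is. The POSIX shell script below is an added example, not code from k3s-ansible or K3s, that encodes those rules as a preflight check. It parses `/etc/os-release` text and the output of `iptables --version`; the sample inputs at the bottom are constructed for the demo, and the 1.8.8 threshold is the one stated in the comment above.

```shell
#!/bin/sh
# Added example (not part of k3s-ansible): decide from the Debian/Raspberry Pi OS
# release and the installed iptables version whether the legacy-alternatives step
# from this thread is still needed and whether K3s should get --prefer-bundled-bin.
# Inputs are passed as strings so the logic can be exercised offline.

# Extract the major version from os-release text (VERSION_ID="11" -> 11).
# Prints 0 when VERSION_ID is absent. The ID field (debian/raspbian) is not
# checked here; the thread only concerns Debian-derived releases.
debian_major() {
  v=$(printf '%s\n' "$1" | sed -n 's/^VERSION_ID=//p' | tr -d '"' | sed 's/[^0-9].*//' | head -n 1)
  printf '%s\n' "${v:-0}"
}

# Parse "iptables v1.8.7 (nf_tables)" into "1 8 7" for numeric comparison.
iptables_triplet() {
  printf '%s\n' "$1" | sed -n 's/^iptables v\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*/\1 \2 \3/p'
}

# Exit 0 only on a known Debian release older than Bullseye (1..10): those are
# the releases where switching iptables to the legacy backend still applies.
needs_legacy_alternatives() {
  m=$(debian_major "$1")
  [ "$m" -gt 0 ] && [ "$m" -lt 11 ]
}

# Prints "none" when iptables is absent (K3s falls back to its bundled copy),
# "system" when the host iptables is 1.8.8 or newer, otherwise "bundled"
# (older than 1.8.8, or an unparseable version string): use --prefer-bundled-bin.
iptables_recommendation() {
  [ -z "$1" ] && { printf 'none\n'; return 0; }
  set -- $(iptables_triplet "$1")
  [ "$#" -eq 3 ] || { printf 'bundled\n'; return 0; }
  if [ "$1" -gt 1 ] || { [ "$1" -eq 1 ] && [ "$2" -gt 8 ]; } \
     || { [ "$1" -eq 1 ] && [ "$2" -eq 8 ] && [ "$3" -ge 8 ]; }; then
    printf 'system\n'
  else
    printf 'bundled\n'
  fi
}

# Human-readable summary combining both checks.
advise() {
  os="$1"; ipt="$2"
  if needs_legacy_alternatives "$os"; then
    printf 'Debian %s: apply the iptables-legacy alternatives step\n' "$(debian_major "$os")"
  else
    printf 'Debian %s: skip the iptables-legacy alternatives step (nftables backend)\n' "$(debian_major "$os")"
  fi
  case "$(iptables_recommendation "$ipt")" in
    bundled) printf 'iptables: start K3s with --prefer-bundled-bin (host iptables older than 1.8.8)\n' ;;
    system)  printf 'iptables: host iptables is 1.8.8 or newer, K3s can use it\n' ;;
    none)    printf 'iptables: not installed, K3s uses the iptables it ships with\n' ;;
  esac
}

# Constructed sample os-release fragments and version strings for the demo.
# On a real node use "$(cat /etc/os-release)" and "$(iptables --version 2>/dev/null)".
BULLSEYE_OS='PRETTY_NAME="Raspbian GNU/Linux 11 (bullseye)"
NAME="Raspbian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"'
BUSTER_OS='PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
VERSION_ID="10"'
BOOKWORM_OS='PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
VERSION_ID="12"'

printf '== Raspberry Pi OS Bullseye, stock iptables ==\n'
advise "$BULLSEYE_OS" 'iptables v1.8.7 (nf_tables)'
printf '== Raspberry Pi OS Buster (constructed version string) ==\n'
advise "$BUSTER_OS" 'iptables v1.8.2 (legacy)'
printf '== Debian 12 Bookworm ==\n'
advise "$BOOKWORM_OS" 'iptables v1.8.9 (nf_tables)'
printf '== Node without iptables ==\n'
advise "$BOOKWORM_OS" ''
```

The unparseable case is deliberately mapped to "bundled": when the check cannot prove the host iptables is new enough, letting K3s use its own copy is the safe default the thread describes.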