k3s-ansible
Raspberry Pi OS Bullseye iptables no longer used by default
iptables is no longer the default firewall for Raspberry Pi OS from Bullseye onwards; it is now nftables. This causes errors when flushing the iptables in roles/raspberrypi/tasks/prereq/Raspbian.yml. I think it should be a simple change to fix, but my ansible experience is near to none, so I don't know how to go about it.
Just now testing this out, and I'm experiencing the same. Technically one could install legacy iptables on Bullseye, but there's really no need for these steps anymore if running Debian 11 / Raspberry Pi OS Bullseye.
+1 I am also hitting this issue.
@geerlingguy are you saying all iptables-related steps can simply be skipped when running on bullseye?
@gsaslis - Yep, exactly!
Thanks for your comments @geerlingguy , so this means that for setting up k3s on Raspberry, iptables need to be installed and the following command can also be skipped?
sudo iptables -F
sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
@mshiyamsam correct, you don't need to install the iptables package or perform that configuration. I tested it recently on RPI4 Raspbian Lite x64 Bullseye running v1.24.3+k3s1. Tested a service behind the default traefik ingress, as well as using MetalLB for LoadBalancer.
Unfortunately, the iptables version included for Debian 11 (subsequently Raspberry Pi OS) is v1.8.7 which contains a known bug that causes performance issues with K3s. See https://docs.k3s.io/advanced#old-iptables-versions for more info.
In newer versions of K3s, the flag --prefer-bundled-bin exists, which forces K3s to utilize its own version of iptables that it ships with (which is, at a minimum, iptables v1.8.8+). So if you're still on older Pi OS/Debian versions, use that if you want to utilize the nftables backend.
Additionally, I will note that if no iptables is installed on a node (such as newer vanilla Debian), K3s will again utilize the iptables that it ships with. So we don't really need iptables to be installed anyway, regardless of OS.
However, Debian 12 (Bookworm) has access to iptables v1.8.9, and so can correctly be used by K3s. I will have a PR open soon that will not apply the alternatives for this newer OS version.
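One way to express the thread's conclusion in Ansible, as an added example that is not the k3s-ansible project's own task file: run the flush and legacy-alternatives steps only on Debian/Raspberry Pi OS older than Bullseye, detect the host's iptables version, and append --prefer-bundled-bin to the K3s arguments when that version is older than 1.8.8. The variable name k3s_server_args and the task layout are assumptions; the community.general.alternatives module and the Ansible facts used are real.

```yaml
# Added example, not the project's own role. Assumes k3s_server_args is the
# variable later rendered into the K3s service unit.
- name: Flush iptables (only meaningful where iptables-legacy is still the backend)
  ansible.builtin.command: iptables -F
  changed_when: false
  when:
    - ansible_facts['os_family'] == "Debian"
    - ansible_facts['distribution_major_version'] | int < 11

- name: Switch to iptables-legacy (skipped on Bullseye/Bookworm, where nftables is default)
  community.general.alternatives:
    name: "{{ item.name }}"
    path: "{{ item.path }}"
  loop:
    - { name: iptables, path: /usr/sbin/iptables-legacy }
    - { name: ip6tables, path: /usr/sbin/ip6tables-legacy }
  when:
    - ansible_facts['os_family'] == "Debian"
    - ansible_facts['distribution_major_version'] | int < 11

# On a node without iptables installed (vanilla Debian) the command fails; that is
# fine, K3s then falls back to its bundled iptables on its own.
- name: Detect the host iptables version, if any
  ansible.builtin.command: iptables --version
  register: iptables_version_cmd
  changed_when: false
  failed_when: false

- name: Extract the version number, e.g. "iptables v1.8.7 (nf_tables)" -> "1.8.7"
  ansible.builtin.set_fact:
    host_iptables_version: "{{ iptables_version_cmd.stdout | regex_search('[0-9]+\\.[0-9]+\\.[0-9]+') | default('') }}"
  when: iptables_version_cmd.rc == 0

- name: Prefer K3s's bundled iptables when the host copy is older than 1.8.8 (1.8.7 has the known bug)
  ansible.builtin.set_fact:
    k3s_server_args: "{{ k3s_server_args | default('') }} --prefer-bundled-bin"
  when:
    - iptables_version_cmd.rc == 0
    - host_iptables_version != ''
    - host_iptables_version is version('1.8.8', '<')
```

On Bookworm (iptables 1.8.9) none of the conditional tasks change anything, which matches the behaviour described for the upcoming PR.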