
Incorrect br-netfilter warning on Centos 7 #23385

Closed
dogan-sky opened this issue Mar 23, 2016 · 8 comments
Labels
area/kubelet sig/node Categorizes an issue or PR as relevant to SIG Node.

Comments

@dogan-sky

Centos 7 official packages include linux kernel 3.10 bundled with bridge-netfilter.

This can be verified by checking the existence of the following files:

ls -l /proc/sys/net/bridge
total 0
-rw-r--r-- 1 root root 0 Mar 23 15:40 bridge-nf-call-arptables
-rw-r--r-- 1 root root 0 Mar 23 15:40 bridge-nf-call-ip6tables
-rw-r--r-- 1 root root 0 Mar 23 15:40 bridge-nf-call-iptables
-rw-r--r-- 1 root root 0 Mar 23 16:22 bridge-nf-filter-pppoe-tagged
-rw-r--r-- 1 root root 0 Mar 23 16:22 bridge-nf-filter-vlan-tagged
-rw-r--r-- 1 root root 0 Mar 23 16:22 bridge-nf-pass-vlan-input-dev

However, kubelet prints a warning highlighting the absence of br-netfilter:

1:58.462930   18042 proxier.go:205] missing br-netfilter module or unset br-nf-call-iptables; proxy may not work as intended

This warning seems to be incorrect.

The check that triggers the warning is in NewProxier, located in proxier.go:

if _, err := os.Stat("/sys/module/br_netfilter"); os.IsNotExist(err) {
    warnBrNetfilter = true
}

Fundamentally, in the case of Centos 7, the absence of /sys/module/br_netfilter is not proof of the absence of the br-netfilter module.

@cescoferraro

Same issue here on CoreOS stable on Digital Ocean running Kubernetes v1.2 (latest release).

core@master ~ $ ls -l /proc/sys/net/bridge
total 0
-rw-r--r-- 1 root root 0 Mar 23 20:46 bridge-nf-call-arptables
-rw-r--r-- 1 root root 0 Mar 23 17:14 bridge-nf-call-ip6tables
-rw-r--r-- 1 root root 0 Mar 23 17:14 bridge-nf-call-iptables
-rw-r--r-- 1 root root 0 Mar 23 20:46 bridge-nf-filter-pppoe-tagged
-rw-r--r-- 1 root root 0 Mar 23 20:46 bridge-nf-filter-vlan-tagged
-rw-r--r-- 1 root root 0 Mar 23 20:46 bridge-nf-pass-vlan-input-dev
core@master ~ $ uname -a
Linux master 4.3.6-coreos #2 SMP Wed Mar 23 01:17:29 UTC 2016 x86_64 Intel(R) Xeon(R) CPU E5-2630L 0 @ 2.00GHz GenuineIntel GNU/Linux

mml added the area/kubelet and sig/node labels on Mar 24, 2016
@adidenko

adidenko commented May 2, 2016

Same on Ubuntu-14.04:

I0502 12:42:29.202324   14562 proxier.go:205] missing br-netfilter module or unset br-nf-call-iptables; proxy may not work as intended
# ll /proc/sys/net/bridge/
total 0
dr-xr-xr-x 1 root root 0 Apr 26 11:03 .
dr-xr-xr-x 1 root root 0 Apr 26 11:03 ..
-rw-r--r-- 1 root root 0 May  2 12:41 bridge-nf-call-arptables
-rw-r--r-- 1 root root 0 May  2 12:41 bridge-nf-call-ip6tables
-rw-r--r-- 1 root root 0 Apr 26 11:03 bridge-nf-call-iptables
-rw-r--r-- 1 root root 0 May  2 12:41 bridge-nf-filter-pppoe-tagged
-rw-r--r-- 1 root root 0 May  2 12:41 bridge-nf-filter-vlan-tagged
-rw-r--r-- 1 root root 0 May  2 12:41 bridge-nf-pass-vlan-input-dev

# uname -a
Linux node-main.local.int 3.13.0-85-generic #129-Ubuntu SMP Thu Mar 17 20:50:15 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

# sysctl net.bridge.bridge-nf-call-iptables
net.bridge.bridge-nf-call-iptables = 1

# kubectl version
Client Version: version.Info{Major:"1", Minor:"2", GitVersion:"v1.2.0", GitCommit:"5cb86ee022267586db386f62781338b0483733b3", GitTreeState:"clean"}
Server Version: version.Info{Major:"1", Minor:"2", GitVersion:"v1.2.0", GitCommit:"5cb86ee022267586db386f62781338b0483733b3", GitTreeState:"clean"}

@thockin
Member

thockin commented May 2, 2016

ls -l /sys/module/br_netfilter - maybe it is built-in and therefore not listed as a module? This could perhaps just test for the sysctl and recommend loading the module.

@freehan for convergence with CNI stuff...

Anyone have time to pitch in here, should be an easy change...


@xulis

xulis commented May 3, 2016

The configuration option is not "m"; this is not a module.

#cat /etc/redhat-release                
CentOS Linux release 7.1.1503 (Core) 
#uname -r
3.10.0-229.el7.x86_64
#grep CONFIG_BRIDGE_NETFILTER /boot/config-3.10.0-229.el7.x86_64   
CONFIG_BRIDGE_NETFILTER=y

@errordeveloper
Member

Also happens on Docker for Mac, and it's got this:

docker:~# cat /proc/sys/net/bridge/bridge-nf-call-iptables
1
docker:~# zcat /proc/config.gz | grep CONFIG_BRIDGE_NETFILTER
CONFIG_BRIDGE_NETFILTER=y
docker:~# uname -r
4.4.6-moby

@becile

becile commented Jun 23, 2016

How do I check which kube-proxy policy (namespace, iptables) Kubernetes is using right now? Thank you.

k8s-github-robot pushed a commit that referenced this issue Jul 7, 2016
Automatic merge from submit-queue

Remove br_netfilter warning in kube-proxy

Many distros have this module linked in, generating a spurious error.

Fixes #23385
@jwerak

jwerak commented Aug 10, 2016

Can this also result in falling back to userspace even when --proxy-mode=iptables is used?

@antoineco
Contributor

antoineco commented Sep 12, 2016

@becile when kube-proxy starts it should log something like server.go:202] Using iptables Proxier.

@veverjak not if proxy-mode is set explicitly to iptables.
