From d27db3e8e8ad17e0a048833cac75a0ffd4ca4b5e Mon Sep 17 00:00:00 2001 From: Giovanni Lo Vecchio Date: Wed, 11 Oct 2023 10:31:24 +0200 Subject: [PATCH 1/4] Added KB, which describes the problem of unreachability of the Harvester VIP from the VMs created within Harvester itself with the workaround. --- ...n_harvester_cannot_access_harvester_vip.md | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 kb/2023-10-11/vms_within_harvester_cannot_access_harvester_vip.md diff --git a/kb/2023-10-11/vms_within_harvester_cannot_access_harvester_vip.md b/kb/2023-10-11/vms_within_harvester_cannot_access_harvester_vip.md new file mode 100644 index 00000000..16b19238 --- /dev/null +++ b/kb/2023-10-11/vms_within_harvester_cannot_access_harvester_vip.md 
@@ -0,0 +1,78 @@ +--- +title: VMs within Harvester cannot access Harvester VIP for HTTP and HTTPS +description: How to allow the VMs created in Harvester to reach the Harvester VIP via HTTP/HTTPS +slug: vms_within_harvester_cannot_access_harvester_vip +authors: + - name: Giovanni Lo Vecchio + title: Rancher Kubernetes Engineer - Emerging Products + url: https://github.com/glovecchi0 + image_url: https://github.com/glovecchi0.png +tags: [harvester, network, configuration-as-code] +hide_table_of_contents: false +--- + +## Environment +Harvester 1.2.x and lower. + +## Situation +It may happen that the VMs started in Harvester fail to connect to the Harvester VIP (Virtual-IP) itself. +The same happens if integrated with Rancher; the VM cannot connect to the VIP Rancher uses as Ingress. + +While the [issue](https://github.com/harvester/harvester/issues/3960) is being worked on, a workaround has been implemented. + +## Resolution +Change the `net.bridge.bridge-nf-call-iptables` parameter from 1 to 0. + +To update Harvester configurations, you must first update the runtime value in the system and then update configuration files to make the changes persistent between reboots. +Refer [here](https://docs.harvesterhci.io/v1.2/install/update-harvester-configuration/#configuration-persistence). + + +In this specific case, the steps to follow are: + +1. Set the variable `net.bridge.bridge-nf-call-iptables` to zero directly on the nodes. + +``` +sysctl -w net.bridge.bridge-nf-call-iptables=0 +``` + +2. Backup the elemental `cloud-init` file `/oem/90_custom.yaml`. + +``` +cp /oem/90_custom.yaml /oem/install/90_custom.yaml.$(date --iso-8601=minutes) +``` + +3. Edit `/oem/90_custom.yaml` and update the yaml path **.stages.initramfs[0].files**. 
+ +CONTROL PLANE NODES -> +``` + - path: /etc/systemd/system/rke2-server.service.d/bridge.conf + permissions: 448 + owner: 0 + group: 0 + content: | + [Service] + ExecStartPost=/sbin/sysctl -w net.bridge.bridge-nf-call-iptables=0 + encoding: "" + ownerstring: "" +``` + +WORKER NODES -> +``` + - path: /etc/systemd/system/rke2-agent.service.d/bridge.conf + permissions: 448 + owner: 0 + group: 0 + content: | + [Service] + ExecStartPost=/sbin/sysctl -w net.bridge.bridge-nf-call-iptables=0 + encoding: "" + ownerstring: "" +``` + +4. Turn the nodes off and on again. + +5. Verify that the configuration was applied correctly. + +``` +sudo sysctl -a | grep net.bridge.bridge-nf-call-iptables +``` From d33efb357eafadcc05a266da14c023da4aba2f0a Mon Sep 17 00:00:00 2001 From: Giovanni Lo Vecchio Date: Wed, 11 Oct 2023 10:33:26 +0200 Subject: [PATCH 2/4] Fix format --- .../vms_within_harvester_cannot_access_harvester_vip.md | 1 + 1 file changed, 1 insertion(+) diff --git a/kb/2023-10-11/vms_within_harvester_cannot_access_harvester_vip.md b/kb/2023-10-11/vms_within_harvester_cannot_access_harvester_vip.md index 16b19238..825d9441 100644 --- a/kb/2023-10-11/vms_within_harvester_cannot_access_harvester_vip.md +++ b/kb/2023-10-11/vms_within_harvester_cannot_access_harvester_vip.md @@ -24,6 +24,7 @@ While the [issue](https://github.com/harvester/harvester/issues/3960) is being w Change the `net.bridge.bridge-nf-call-iptables` parameter from 1 to 0. To update Harvester configurations, you must first update the runtime value in the system and then update configuration files to make the changes persistent between reboots. + Refer [here](https://docs.harvesterhci.io/v1.2/install/update-harvester-configuration/#configuration-persistence). From c5a93255fcd6974d4bbe9c2c49876ecd13d2f08f Mon Sep 17 00:00:00 2001 
From: Giovanni Lo Vecchio Date: Wed, 11 Oct 2023 10:33:58 +0200 Subject: [PATCH 3/4] Fix format --- .../vms_within_harvester_cannot_access_harvester_vip.md | 1 + 1 file changed, 1 insertion(+) diff --git a/kb/2023-10-11/vms_within_harvester_cannot_access_harvester_vip.md b/kb/2023-10-11/vms_within_harvester_cannot_access_harvester_vip.md index 825d9441..30e4a033 100644 --- a/kb/2023-10-11/vms_within_harvester_cannot_access_harvester_vip.md +++ b/kb/2023-10-11/vms_within_harvester_cannot_access_harvester_vip.md @@ -28,6 +28,7 @@ To update Harvester configurations, you must first update the runtime value in t Refer [here](https://docs.harvesterhci.io/v1.2/install/update-harvester-configuration/#configuration-persistence). + In this specific case, the steps to follow are: 1. Set the variable `net.bridge.bridge-nf-call-iptables` to zero directly on the nodes. From d299e40561623feca3080eea09471a2b23b6412a Mon Sep 17 00:00:00 2001 From: Giovanni Lo Vecchio Date: Wed, 11 Oct 2023 10:34:24 +0200 Subject: [PATCH 4/4] Fix format --- .../vms_within_harvester_cannot_access_harvester_vip.md | 1 - 1 file changed, 1 deletion(-) diff --git a/kb/2023-10-11/vms_within_harvester_cannot_access_harvester_vip.md b/kb/2023-10-11/vms_within_harvester_cannot_access_harvester_vip.md index 30e4a033..825d9441 100644 --- a/kb/2023-10-11/vms_within_harvester_cannot_access_harvester_vip.md +++ b/kb/2023-10-11/vms_within_harvester_cannot_access_harvester_vip.md @@ -28,7 +28,6 @@ To update Harvester configurations, you must first update the runtime value in t Refer [here](https://docs.harvesterhci.io/v1.2/install/update-harvester-configuration/#configuration-persistence). - In this specific case, the steps to follow are: 1. Set the variable `net.bridge.bridge-nf-call-iptables` to zero directly on the nodes.
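Review bot: The Resolution section of the new KB (PATCH 1/4, hunk @@ -0,0 +1,78 @@) never states the trade-off of the workaround it prescribes: with `net.bridge.bridge-nf-call-iptables` set to 0, frames forwarded across a Linux bridge no longer traverse iptables, so iptables-based rules that previously saw VM traffic on the bridge (kube-proxy, CNI filtering) stop applying to it. Add a sentence under "Resolution" naming this side effect, tie it to the linked issue 3960 as the reason the change is temporary, and give the rollback (`sysctl -w net.bridge.bridge-nf-call-iptables=1` and removal of the `bridge.conf` drop-in, followed by the same reboot). Two smaller points in the same hunk: step 2 copies the backup to `/oem/install/90_custom.yaml.$(date --iso-8601=minutes)` while the original lives directly in `/oem/`, so either state that `/oem/install/` exists on Harvester nodes or back up alongside the original; and steps 1 and 2 run `sysctl -w` and `cp` without `sudo` while step 5 uses `sudo sysctl -a`, so either prefix all three consistently or say up front that the steps are run as root. Step 5 would also read better as `sysctl net.bridge.bridge-nf-call-iptables` with the expected output `net.bridge.bridge-nf-call-iptables = 0` shown, so the operator knows what a successful verification looks like.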
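Review bot: In PATCH 2/4 (hunk @@ -24,6 +24,7 @@) the inserted blank line makes `Refer [here](...)` a paragraph of its own, which is fine, but the link text `here` carries no information in the rendered KB; while touching this line, consider `See the Harvester documentation on [configuration persistence](https://docs.harvesterhci.io/v1.2/install/update-harvester-configuration/#configuration-persistence).` so the target is clear without following the link. The subject `Fix format` is also reused for patches 2, 3 and 4; a subject that says what was reformatted would make the history searchable.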
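Review bot: PATCH 4/4 (hunk @@ -28,7 +28,6 @@) removes exactly the blank line that PATCH 3/4 (hunk @@ -28,6 +28,7 @@) added, and the blob index goes from 30e4a033 back to 825d9441, i.e. the file returns to its state after PATCH 2/4. Patches 3 and 4 are a no-op pair; drop both from the series, or squash all three `Fix format` commits into PATCH 1/4, so the merged history does not carry a change and its immediate revert.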