diff --git a/pkg/agent/run.go b/pkg/agent/run.go
index aaf24976c7..3a53952712 100644
--- a/pkg/agent/run.go
+++ b/pkg/agent/run.go
@@ -52,10 +52,6 @@ func run(ctx context.Context, cfg cmds.Agent, lb *loadbalancer.LoadBalancer) err
 }
 }
- if err := syssetup.Configure(); err != nil {
- return err
- }
-
 if err := tunnel.Setup(ctx, nodeConfig, lb.Update); err != nil {
 return err
 }
@@ -90,6 +86,7 @@ func Run(ctx context.Context, cfg cmds.Agent) error {
 if err := validate(); err != nil {
 return err
 }
+ syssetup.Configure()
 if cfg.Rootless && !cfg.RootlessAlreadyUnshared {
 if err := rootless.Rootless(cfg.DataDir); err != nil {
diff --git a/pkg/agent/syssetup/setup.go b/pkg/agent/syssetup/setup.go
index 413b7c878f..b66593f70c 100644
--- a/pkg/agent/syssetup/setup.go
+++ b/pkg/agent/syssetup/setup.go
@@ -8,11 +8,6 @@ import (
 "github.com/sirupsen/logrus"
 )
-var (
- callIPTablesFile = "/proc/sys/net/bridge/bridge-nf-call-iptables"
- forward = "/proc/sys/net/ipv4/ip_forward"
-)
-
 func loadKernelModule(moduleName string) {
 if _, err := os.Stat("/sys/module/" + moduleName); err == nil {
 logrus.Infof("module %s was already loaded", moduleName)
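Review bot: The added `syssetup.Configure()` call in Run sits ahead of the `cfg.Rootless && !cfg.RootlessAlreadyUnshared` branch, so in rootless mode the module loads and /proc/sys writes are attempted in the parent process before `rootless.Rootless` runs, and presumably a second time if the process re-enters Run already unshared. For an unprivileged user that only produces warnings, but it is worth confirming that host-wide forwarding sysctls are meant to be touched on that path; if not, the call could move below the rootless block. Configure no longer returns an error, so a comment such as `// best-effort: syssetup logs failures and never returns them` would tell the reader the result is deliberately not checked. Run's body continues outside the hunk.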
@@ -24,20 +19,19 @@ func loadKernelModule(moduleName string) {
 }
 }
-func Configure() error {
- loadKernelModule("br_netfilter")
-
- if err := ioutil.WriteFile(callIPTablesFile, []byte("1"), 0640); err != nil {
- logrus.Warnf("failed to write value 1 at %s: %v", callIPTablesFile, err)
- return nil
- }
- if err := ioutil.WriteFile(forward, []byte("1"), 0640); err != nil {
- logrus.Warnf("failed to write value 1 at %s: %v", forward, err)
- return nil
+func enableSystemControl(file string) {
+ if err := ioutil.WriteFile(file, []byte("1"), 0640); err != nil {
+ logrus.Warnf("failed to write value 1 at %s: %v", file, err)
 }
+}
+func Configure() {
 loadKernelModule("overlay")
 loadKernelModule("nf_conntrack")
+ loadKernelModule("br_netfilter")
- return nil
+ enableSystemControl("/proc/sys/net/ipv4/ip_forward")
+ enableSystemControl("/proc/sys/net/ipv6/conf/all/forwarding")
+ enableSystemControl("/proc/sys/net/bridge/bridge-nf-call-iptables")
+ enableSystemControl("/proc/sys/net/bridge/bridge-nf-call-ip6tables")
 }
diff --git a/scripts/download b/scripts/download
index 1839738b2d..11070788ed 100755
--- a/scripts/download
+++ b/scripts/download
@@ -12,6 +12,9 @@ mkdir -p ${CHARTS_DIR}
 curl --compressed -sfL https://github.com/rancher/k3s-root/releases/download/${ROOT_VERSION}/k3s-root-${ARCH}.tar | tar xf -
 ln -sf pigz bin/unpigz
+for target in iptables iptables-save iptables-restore ip6tables ip6tables-save ip6tables-restore; do
+ ln -sf xtables-legacy-multi bin/$target
+done
 mkdir -p bin/aux && rm bin/mount && ln -sf ../busybox bin/aux/mount
 TRAEFIK_FILE=traefik-${TRAEFIK_VERSION}.tgz
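Review bot: `enableSystemControl("/proc/sys/net/ipv6/conf/all/forwarding")` in the new Configure enables IPv6 forwarding on every interface of the node unconditionally, including on IPv4-only clusters. On Linux an interface with forwarding enabled stops honouring Router Advertisements unless its `accept_ra` is 2, so a host that learns its IPv6 default route from RAs can lose it, and the node will route IPv6 between interfaces wherever the ip6tables FORWARD policy allows. Consider gating the two IPv6 writes on the cluster actually using IPv6, or at least documenting the effect on the exported function, e.g. `// Configure loads overlay, nf_conntrack and br_netfilter and enables IPv4/IPv6 forwarding and bridge netfilter hooks host-wide; failures are only logged.` Because a failed write is still only a warning, that comment should also say that the agent starts even when bridged traffic will not traverse iptables/ip6tables.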
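Review bot: The new loop links `bin/iptables*` and `bin/ip6tables*` to `xtables-legacy-multi` without checking that the unpacked archive contains it, so a k3s-root tarball lacking that binary leaves six dangling symlinks that fail only at runtime; a guard such as `[ -x bin/xtables-legacy-multi ] || { echo "xtables-legacy-multi missing" >&2; exit 1; }` before the loop would catch it at build time. Pinning the legacy backend also means rules go to the legacy tables even on hosts whose own firewall is managed through nftables, so host firewall tooling may not see them; a one-line comment stating that this is intended would help. The tarball is piped from curl into tar on the context line above with no checksum verification visible in this hunk, which matters more now that the packet-filter commands are explicitly wired to a binary from it.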