I am having a heck of a time getting kairos+k3s to work

[dkowis]

Thanks in advance!

Hi! I'm havin some troubles getting a kairos OS' k3s started. For some reason the coredns, metrics-server, and local-path-provisioner pods are in CrashLoopBackoff.

I'm using pretty much a basic simple install writing a few files, and dropping the k3s manifests to set up metallb.

I have configured k3s to pull from my local harbor instance, and I see that it's pulling containers from there, so it's not an image pull problem. I also see the pull success events.

I'm not super familiar with k3s in general, but I have set it up using k3os (which is pretty old now) and so I was gonna do the same with kairos.

What can I do to try to debug this?

I installed using kairos-ubuntu-22.04-standard-amd64-generic-v2.4.2-k3sv1.28.2_k3s1.iso on a proxmox vm, so that I can experiment with things quickly. I then used the qr code and kairosctl register pointed to my config(pasted below). It's also interesting that it didn't honor the --poweroff that I specified on the command line to kairosctl

logs from the coredns pod:

❯ kubectl logs -n kube-system coredns-6799fbcd5-5nk7r                                                                                                                                                                                           (base)
[WARNING] No files matching import glob pattern: /etc/coredns/custom/*.override
[WARNING] No files matching import glob pattern: /etc/coredns/custom/*.server
[INFO] plugin/kubernetes: waiting for Kubernetes API before starting server
[INFO] plugin/kubernetes: waiting for Kubernetes API before starting server
[INFO] plugin/kubernetes: waiting for Kubernetes API before starting server
[INFO] plugin/kubernetes: waiting for Kubernetes API before starting server
[INFO] plugin/kubernetes: waiting for Kubernetes API before starting server
[INFO] plugin/kubernetes: waiting for Kubernetes API before starting server
[INFO] plugin/kubernetes: waiting for Kubernetes API before starting server
[INFO] plugin/kubernetes: waiting for Kubernetes API before starting server
[INFO] plugin/kubernetes: waiting for Kubernetes API before starting server
[WARNING] plugin/kubernetes: starting server with unsynced Kubernetes API
.:53
[WARNING] No files matching import glob pattern: /etc/coredns/custom/*.override
[WARNING] No files matching import glob pattern: /etc/coredns/custom/*.server
[INFO] plugin/reload: Running configuration SHA512 = b941b080e5322f6519009bb49349462c7ddb6317425b0f6a83e5451175b720703949e3f3b454a24e77f3ffe57fd5e9c6130e528a5a1dd00d9000e4afd6c1108d
CoreDNS-1.10.1
linux/amd64, go1.20, 055b2c3
[ERROR] plugin/errors: 2 7930049778188426056.2141107929847148840. HINFO: read udp 10.42.0.4:44644->10.10.220.229:53: i/o timeout
[ERROR] plugin/errors: 2 7930049778188426056.2141107929847148840. HINFO: read udp 10.42.0.4:32977->10.10.220.229:53: i/o timeout
[ERROR] plugin/errors: 2 7930049778188426056.2141107929847148840. HINFO: read udp 10.42.0.4:57217->10.10.220.229:53: i/o timeout
[ERROR] plugin/errors: 2 7930049778188426056.2141107929847148840. HINFO: read udp 10.42.0.4:33137->10.10.220.229:53: i/o timeout
[ERROR] plugin/errors: 2 7930049778188426056.2141107929847148840. HINFO: read udp 10.42.0.4:46845->10.10.220.229:53: i/o timeout
[ERROR] plugin/errors: 2 7930049778188426056.2141107929847148840. HINFO: read udp 10.42.0.4:40951->10.10.220.229:53: i/o timeout
[ERROR] plugin/errors: 2 7930049778188426056.2141107929847148840. HINFO: read udp 10.42.0.4:35906->10.10.220.229:53: i/o timeout
[ERROR] plugin/errors: 2 7930049778188426056.2141107929847148840. HINFO: read udp 10.42.0.4:43639->10.10.220.229:53: i/o timeout
[ERROR] plugin/errors: 2 7930049778188426056.2141107929847148840. HINFO: read udp 10.42.0.4:36728->10.10.220.229:53: i/o timeout
[WARNING] No files matching import glob pattern: /etc/coredns/custom/*.override
[WARNING] No files matching import glob pattern: /etc/coredns/custom/*.server
[ERROR] plugin/errors: 2 7930049778188426056.2141107929847148840. HINFO: read udp 10.42.0.4:52610->10.10.220.229:53: i/o timeout
[WARNING] No files matching import glob pattern: /etc/coredns/custom/*.override
[WARNING] No files matching import glob pattern: /etc/coredns/custom/*.server
[WARNING] plugin/kubernetes: Kubernetes API connection failure: Get "https://10.43.0.1:443/version": dial tcp 10.43.0.1:443: i/o timeout
[WARNING] No files matching import glob pattern: /etc/coredns/custom/*.override
[WARNING] No files matching import glob pattern: /etc/coredns/custom/*.server
[INFO] SIGTERM: Shutting down servers then terminating

I assume part of this is an inability to talk to the DNS server, which is dnsdist. Everything else on my network can, and there isn't an ACL on there preventing it from talking to a 10.42.x.x subnet, so this doesn't make a whole lot of sense.

Logs from the local-path-provisioner:

❯ kubectl logs -n kube-system local-path-provisioner-84db5d44d9-gjhw6                                                                                                                                                                           (base)
time="2023-11-30T02:11:16Z" level=fatal msg="Error starting daemon: invalid empty flag helper-pod-file and it also does not exist at ConfigMap kube-system/local-path-config with err: Get \"https://10.43.0.1:443/api/v1/namespaces/kube-system/configmaps/local-path-config\": dial tcp 10.43.0.1:443: i/o timeout"

My testing provisioning yaml:

#cloud-config
# For some reason, none of this is being applied right now, maybe the K3s bits, but not the stages part

# Additional system users
users:
- name: "kairos"
  passwd: "kairos"
  lock_passwd: true
  groups: 
  - "admin"
  ssh_authorized_keys:
  - "ssh-ed25519 my ssh key went here"

debug: true

# I think I want this to be a single node k3s cluster
# and then maybe I can use flux to deploy the actual services...
k3s:
  enabled: true
  args:
  - --disable=traefik,servicelb
#/var/lib/rancher/k3s/storage
# I think this should set up my networking to provide me 3 IP addresses always?
stages:
  boot:
  - name: "Setup hostname"
    hostname: "metal-{{ trunc 4 .MachineID }}"
  - name: "Ensure local folder"
    directories:
    - path: "/var/lib/rancher/k3s/storage"
      permissions: 0777
      owner: 0
      group: 0
  initramfs:
    - name: "Set up My System Files!"
      files:
      - path: /etc/systemd/resolved.conf
        permissions: 0644
        content: |
          [Resolve]
          DNS=10.10.220.229
      - path: /etc/systemd/network/01-mine.network
        permissions: 0644
        content: |
          [Match]
          Type=ether

          [Network]
          Gateway=10.10.220.254
          #DNS=10.10.220.229
          Address=10.10.220.117/24
          # Does it break horribly when I use more than one IP address?
          #Address=10.10.220.118/24
          #Address=10.10.220.122/24
      - path: /etc/ssl/certs/ca.crt
        permissions: 0644
        content: |
          -----BEGIN CERTIFICATE-----
          my root ca public cert is here
          -----END CERTIFICATE-----
      - path: /etc/rancher/k3s/registries.yaml
        permissions: 0644
        content: |
          mirrors:
            docker.io:
              endpoint:
                - "https://registry.light.kow.is/v2/docker-hub"
            registry.light.kow.is:
              endpoint:
                - "https://registry.light.kow.is"
          configs:
            "registry.light.kow.is":
              auth:
                username: "readonlyuser"
                password: "hahathisiswherethepasswordwas"
              tls:
                ca_file: /etc/ssl/certs/ca.crt

# Additional manifests that are applied by k3s on boot
write_files:
- path: /var/lib/rancher/k3s/server/manifests/metallb.yaml
  permissions: "0644"
  content: |
        apiVersion: v1
        kind: Namespace
        metadata:
          name: metallb-system
        ---
        apiVersion: helm.cattle.io/v1
        kind: HelmChart
        metadata:
          name: metallb
          namespace: metallb-system
        spec:
          chart: https://github.com/metallb/metallb/releases/download/metallb-chart-0.13.7/metallb-0.13.7.tgz        
- path: /var/lib/rancher/k3s/server/manifests/addresspool.yaml
  permissions: "0644"
  content: |
        apiVersion: metallb.io/v1beta1
        kind: IPAddressPool
        metadata:
          name: default
          namespace: metallb-system
        spec:
          addresses:
          - 10.10.220.117
          - 10.10.220.118
          - 10.10.220.122
        ---
        apiVersion: metallb.io/v1beta1
        kind: L2Advertisement
        metadata:
          name: default
          namespace: metallb-system
        spec:
          ipAddressPools:
          - default        

[dkowis]

Okay, I figured this out with some help on the matrix kairos channel:

turns out my network config was being WAY too matchy, and was eating up interfaces and ruining everything.

This works for the network configuration. I'm able to add 3 interfaces, and everything is fine. I did have to match specifically on name.

      - path: /etc/systemd/network/01-mine.network
        permissions: 0644
        content: |
          [Match]
          Name=ens18

          [Network]
          Gateway=10.10.220.254
          #DNS=10.10.220.229
          Address=10.10.220.117/24
          Address=10.10.220.118/24
          Address=10.10.220.122/24