On Fri, Oct 1, 2021 at 4:35 AM Hibbert, Stephen <[email protected]> wrote:
>
> Yes, you're spot on!
>
> Running the script revealed the following. The issue I'm having now is finding
> the correct way of including the configs. I tried setting them in my
> myKernelConfigs.cfg and IMAGE_INSTALL_append = "docker-moby-contrib
> kernel-module-nf-nat kernel-module-xt-conntrack kernel-module-xt-addrtype"
>
In the K3S recipe, we actually have finer grained RRECOMMENDS than the
docker recipes (due to the way k3s was developed and integrated).
In K3S, I'm currently tracking:
RRECOMMENDS:${PN} = "\
kernel-module-xt-addrtype \
kernel-module-xt-nat \
kernel-module-xt-multiport \
kernel-module-xt-conntrack \
kernel-module-xt-comment \
kernel-module-xt-mark \
kernel-module-xt-connmark \
kernel-module-vxlan \
kernel-module-xt-masquerade \
"
So you could try that list, or do what I normally recommend .. use the
meta package "kernel-modules" and get everything that was built. Since
if you are using a linux-yocto variant, you'll already be getting
fragments to build the right modules as part of the kernel build.
I do have a new set of tests planned for the fall that do barebones
testing to ensure that we've fully listed the rdepends/rrecommends for
many of the recipes in meta-virt.
But for now, I'd recommend that larger package, or you can do what I
did for k3s. Build a package-feed enabled image, start docker, look at
the error messages, install the required module, and then repeat to
get the minimum list (if a kernel module wasn't being built at all,
you may need to do some rebuilding in the middle).
Bruce
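As an added example (not code from the thread or from meta-virtualization), a POSIX shell helper for the rebuild/re-check loop described above: it turns the "missing" lines of check-config.sh into a kernel config fragment and then reports which fragment options a rebuilt kernel config still does not satisfy. The option names come from the check-config.sh output quoted in this thread; the rebuilt config is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the thread or from meta-virtualization.
# Turns the "missing" lines of docker's check-config.sh into a Yocto kernel
# config fragment (.cfg) and checks a kernel config against that fragment,
# so the rebuild/re-check loop described in the thread can be scripted.

# Constructed sample: a subset of the check-config.sh output quoted in the thread.
CHECK_OUTPUT='info: reading kernel config from /proc/config.gz ...
Generally Necessary:
- CONFIG_NAMESPACES: enabled
- CONFIG_CGROUP_FREEZER: missing
- CONFIG_BRIDGE: enabled (as module)
- CONFIG_BRIDGE_NETFILTER: missing
- CONFIG_NF_NAT_IPV4: missing
- CONFIG_NETFILTER_XT_MATCH_IPVS: missing
- CONFIG_NF_NAT_NEEDED: missing'

# Constructed sample: what "zcat /proc/config.gz" might show after one rebuild.
REBUILT_CONFIG='CONFIG_CGROUP_FREEZER=y
CONFIG_BRIDGE_NETFILTER=m
# CONFIG_NETFILTER_XT_MATCH_IPVS is not set'

# One "CONFIG_X=y" line per option reported missing. "=y" rather than "=m"
# because bool options (CGROUP_FREEZER) cannot be "m"; for tristate options
# the kernel's Kconfig still decides whether it is built in or a module.
missing_to_fragment() {
    printf '%s\n' "$1" \
    | sed -n 's/^- \(CONFIG_[A-Z0-9_]*\): missing$/\1=y/p' \
    | LC_ALL=C sort
}

# Print the fragment options a kernel config does not satisfy (=y or =m both
# count). Options that no longer exist in the kernel tree (CONFIG_NF_NAT_IPV4
# on 5.x kernels) stay unmet no matter what the .cfg says: check those against
# the kernel's Kconfig instead of re-adding them.
fragment_unmet() {
    printf '%s\n' "$1" | while IFS='=' read -r opt _; do
        have=$(printf '%s\n' "$2" | sed -n "s/^$opt=//p")
        case "$have" in
            y|m) ;;
            *)   printf '%s\n' "$opt" ;;
        esac
    done
}

# Usage: fragment=$(missing_to_fragment "$CHECK_OUTPUT")
#        fragment_unmet "$fragment" "$(zcat /proc/config.gz)"
```

Feed the real check-config.sh output in place of the constructed sample and the unmet list after each rebuild tells you which options (or which kernel-module packages) are still to chase.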
> But running the config script still shows the output below:
>
> root@generic-arm64:/usr/share/docker# ./check-config.sh
> info: reading kernel config from /proc/config.gz ...
> Generally Necessary:
> - cgroup hierarchy: properly mounted [/sys/fs/cgroup]
> - CONFIG_NAMESPACES: enabled
> - CONFIG_NET_NS: enabled
> - CONFIG_PID_NS: enabled
> - CONFIG_IPC_NS: enabled
> - CONFIG_UTS_NS: enabled
> - CONFIG_CGROUPS: enabled
> - CONFIG_CGROUP_CPUACCT: enabled
> - CONFIG_CGROUP_DEVICE: enabled
> - CONFIG_CGROUP_FREEZER: missing
> - CONFIG_CGROUP_SCHED: enabled
> - CONFIG_CPUSETS: enabled
> - CONFIG_MEMCG: enabled
> - CONFIG_KEYS: enabled
> - CONFIG_VETH: enabled
> - CONFIG_BRIDGE: enabled (as module)
> - CONFIG_BRIDGE_NETFILTER: missing
> - CONFIG_NF_NAT_IPV4: missing
> - CONFIG_IP_NF_FILTER: enabled (as module)
> - CONFIG_IP_NF_TARGET_MASQUERADE: enabled (as module)
> - CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled (as module)
> - CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled (as module)
> - CONFIG_NETFILTER_XT_MATCH_IPVS: missing
> - CONFIG_IP_NF_NAT: enabled (as module)
> - CONFIG_NF_NAT: enabled (as module)
> - CONFIG_NF_NAT_NEEDED: missing
> - CONFIG_POSIX_MQUEUE: enabled
>
> On 30/09/2021, 17:48, "Bruce Ashfield" <[email protected]> wrote:
>
>
> On Thu, Sep 30, 2021 at 11:40 AM Hibbert, Stephen <[email protected]>
> wrote:
> >
> > Thanks for the reply Bruce. Let me know if these details help?
> >
> > root@generic-arm64:~# uname -r
> > 5.10.46-yocto-standard
> >
> > Only setting these two kernel configs at the moment:
> > CONFIG_ENA_ETHERNET=y
> > CONFIG_BLK_DEV_NVME=y
>
> It'll be the iptables and cgroups options that are causing issues.
>
> The standard layers and kernel are extensively tested with meta-virt,
> so there really shouldn't be something missing.
>
> You can also install the docker-contrib package to your image, and run
> the check-config.sh script to see if it reports any issues.
>
> Bruce
>
> >
> > And these are the layers, running hardknott...
> > drwxrwxr-x 12 ubuntu ubuntu 4096 Sep 29 14:02 meta-arm/
> > drwxrwxr-x 8 ubuntu ubuntu 4096 Sep 29 14:00 meta-ewaol/
> > drwxrwxr-x 11 ubuntu ubuntu 4096 Sep 29 15:09 meta-openembedded/
> > drwxrwxr-x 24 ubuntu ubuntu 4096 Sep 29 14:02 meta-security/
> > drwxrwxr-x 17 ubuntu ubuntu 4096 Sep 29 14:02 meta-virtualization/
> >
> >
> > On 30/09/2021, 16:32, "Bruce Ashfield" <[email protected]> wrote:
> >
> >
> > On Thu, Sep 30, 2021 at 10:41 AM Stephen via lists.yoctoproject.org
> > <[email protected]> wrote:
> > >
> > > Hello all!
> > >
> > > The current meta-virtualisation docker is incompatible with the
> legacy v1.8.7 iptables.
> > >
> > > Docker version 20.10.3, build 41b3ea7e47
> http://layers.openembedded.org/layerindex/recipe/176817/
> > >
> > > iptables v1.8.7 (legacy)
> https://git.yoctoproject.org/cgit.cgi/poky/plain/meta/recipes-extended/iptables/
> > >
> > > level=info time=2021-09-30T08:58:56Z msg="TaskHandler: Sending task change: TaskChange:
> > > [arn:aws:ecs:eu-west-1:116589935960:task/GravitonID-ecs-ECSGraviton2DA545608-tzdG3bupgLcn/ef8d9ea15a434c298a9623551d39c6ab -> STOPPED,
> > > Known Sent: NONE, PullStartedAt: 2021-09-30 08:58:55.809460935 +0000 UTC m=+52315.765706001,
> > > PullStoppedAt: 2021-09-30 08:58:55.919351717 +0000 UTC m=+52315.875596782,
> > > ExecutionStoppedAt: 2021-09-30 08:58:56.159356552 +0000 UTC m=+52316.115601617, container change:
> > > arn:aws:ecs:eu-west-1:116589935960:task/GravitonID-ecs-ECSGraviton2DA545608-tzdG3bupgLcn/ef8d9ea15a434c298a9623551d39c6ab web -> STOPPED,
> > > Reason CannotStartContainerError: Error response from daemon: driver failed programming external connectivity on endpoint
> > > ecs-GravitonIDecsTaskDefA2CA7A76-4-web-9eb9aba094eccadb1300 (db13dc1931d5be70284cac4de6899246035db8e5f9e0cf9ee3773000801a70b0):
> > > (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 8080 -j DNAT --to-destination 172.17.0.2:3000 ! -i docker0:
> > > iptables v1.8.7 (legacy): unknown option \"--to-destination\"\nTry `iptables -h' or 'iptables --help' for more information.\n (exit status 2)),
> > > Known Sent: NONE] sent: false" module=task_handler_types.go
> > >
> > > Possibly linked to this issue and nftables support?
> https://github.com/moby/moby/issues/38099
> > >
> > > Any ideas for workarounds would be very much appreciated!
> >
> > It's your kernel configuration, coupled with the iptables modules
> > available .. but most often, it is a missing kernel module.
> >
> > So without knowing exactly what kernel and hardware you are running,
> > it is hard to say more.
> >
> > Bruce
> >
> > Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855
> Luxembourg, R.C.S. Luxembourg B186284
> >
> > Amazon Web Services EMEA Sarl, UK Branch, 1 Principal Place, Worship
> Street, London, EC2A 2FA, United Kingdom, registered in England and Wales, UK
> Establishment No. BR019315
--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
View/Reply Online (#6811):
https://lists.yoctoproject.org/g/meta-virtualization/message/6811