fix(cluster): add Jetson Linux platform compatibility #568
Open
Three issues prevent k3s from starting on kernels where the nf_tables xt extension bridge (nft_compat) is unavailable:

1. kube-router's network policy controller uses the xt_comment iptables extension and panics on startup with "Extension comment revision 0 not supported, missing kernel module?" Pass --disable-network-policy to k3s so the controller never runs. The NSSH1 HMAC handshake remains the primary sandbox SSH isolation boundary, so this does not weaken the effective security posture.
2. flannel and kube-proxy also fail to insert rules via the nf_tables iptables backend on the same kernels. Add an xt_comment probe at cluster-entrypoint startup; if the probe fails, switch to iptables-legacy via update-alternatives before any other netfilter work so that flannel, kube-proxy, and the DNS proxy all use a consistent backend.
3. The br_netfilter kernel module must be loaded on the host for iptables rules to apply to pod bridge traffic. Without it, ClusterIP DNAT (including kube-dns at 10.43.0.10) is never applied to pod packets, causing silent DNS timeouts deep in the health-check loop. Add an early check that fails fast with an actionable error message if the module is not present, instructing the user to run `sudo modprobe br_netfilter` on the host.

Signed-off-by: Evan Lezar <elezar@nvidia.com>
f94333b to fbf22fb
Author (Member): cc @johnnynunez
Summary
Add Jetson Linux platform compatibility for OpenShell clusters. Two root-cause issues affect Jetson devices: the nf_tables iptables backend lacks the `nft_compat` bridge needed for xt extension modules, and the `br_netfilter` kernel module is not loaded by default, breaking pod-to-service DNS resolution.

Inspired by community testing on Jetson AGX Orin, Orin NX, Orin Super, and Nano reported in the NVIDIA Developer Forums.
Related Issue
Closes #467
Closes #407
Changes
- `cluster-entrypoint.sh`: On startup, probe whether xt extension modules are usable via the current iptables backend. If not, switch to `iptables-legacy` via `update-alternatives`. Also check for `br_netfilter` and emit an actionable warning if it is absent (pods cannot reach ClusterIP services / kube-dns without it). Disable the k3s network policy controller when falling back to legacy iptables, since kube-router panics without xt_comment.
- `netns.rs`: Update `find_iptables()` to return `String` instead of `&'static str` so it can return a dynamically constructed `iptables-legacy` path. Add `xt_extensions_unavailable()` probe that mirrors the shell probe, allowing the sandbox egress-policy engine to fall back to iptables-legacy on affected kernels.
- `debug-openshell-cluster/SKILL.md`: Document the `br_netfilter` warning and the pod-to-service connectivity failure pattern, including remediation steps.

Testing

`mise run pre-commit` passes

Checklist
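The startup sequence this PR describes (xt_comment probe, iptables-legacy fallback, br_netfilter fail-fast), written out as an added example that is not the PR's own `cluster-entrypoint.sh`. The scratch chain name `OPENSHELL_XT_PROBE`, the `IPTABLES`/`IPTABLES_LEGACY`/`SYS_MODULE_DIR` overrides and the `--apply` flag are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not the PR's own cluster-entrypoint.sh. Variable names, the scratch
# chain OPENSHELL_XT_PROBE and the module-directory override are assumptions.
set -u
IPTABLES="${IPTABLES:-iptables}"
IPTABLES_LEGACY="${IPTABLES_LEGACY:-iptables-legacy}"
PROBE_CHAIN="${PROBE_CHAIN:-OPENSHELL_XT_PROBE}"
SYS_MODULE_DIR="${SYS_MODULE_DIR:-/sys/module}"

# xt_extensions_usable BINARY: append a rule that needs xt_comment to a scratch chain.
# Exit 0 when the backend accepts it; 1 when it is rejected (no nft_compat bridge).
xt_extensions_usable() {
    _ipt="$1"; _rc=1
    "$_ipt" -w -t filter -N "$PROBE_CHAIN" 2>/dev/null || return 1
    if "$_ipt" -w -t filter -A "$PROBE_CHAIN" -m comment --comment "xt probe" -j RETURN 2>/dev/null; then
        _rc=0
    fi
    "$_ipt" -w -t filter -F "$PROBE_CHAIN" 2>/dev/null   # always remove the scratch chain
    "$_ipt" -w -t filter -X "$PROBE_CHAIN" 2>/dev/null
    return "$_rc"
}

# br_netfilter_loaded: every loaded kernel module has a directory under /sys/module.
br_netfilter_loaded() { [ -d "$SYS_MODULE_DIR/br_netfilter" ]; }

# select_backend: print the first iptables binary whose xt extensions work, else fail.
select_backend() {
    if xt_extensions_usable "$IPTABLES"; then printf '%s\n' "$IPTABLES"
    elif xt_extensions_usable "$IPTABLES_LEGACY"; then printf '%s\n' "$IPTABLES_LEGACY"
    else return 1
    fi
}

# k3s_extra_args BACKEND: kube-router panics without xt_comment, so on the legacy
# fallback the network policy controller must be disabled.
k3s_extra_args() {
    if [ "$1" = "$IPTABLES_LEGACY" ]; then printf '%s\n' "--disable-network-policy"; else printf '\n'; fi
}

main() {
    br_netfilter_loaded || { echo "br_netfilter not loaded: run 'sudo modprobe br_netfilter' on the host" >&2; exit 1; }
    backend=$(select_backend) || { echo "no iptables backend accepts xt extensions" >&2; exit 1; }
    if [ "$backend" = "$IPTABLES_LEGACY" ]; then   # do this before any other netfilter work
        update-alternatives --set iptables /usr/sbin/iptables-legacy
        update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
    fi
    echo "iptables backend: $backend; extra k3s args: $(k3s_extra_args "$backend")"
}
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run as `sh probe.sh --apply` on the host (root needed for the probe chain); without the flag the file only defines the functions so they can be sourced and tested with stand-in backends.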