Antrea no longer works with Kind after upgrading to Docker Desktop 4.27.0 #5939
Assignees
Labels
kind/bug
Categorizes issue or PR as related to a bug.
Comments
|
Hi @antoninbas, Docker Desktop maintainer typing here! We're so sorry for breaking your workflow. We've indeed recently made big changes to Docker Desktop's kernel config in order to make it smaller/faster. Sorry that this has a negative impact on you.
|
|
@dgageot Thanks for the quick reply. |
|
Small update: the conntrack kernel configuration should be fixed in 4.27.2. When that is released (later this month?), we can implement "auto-detection of built-in kernel modules" in the Antrea Agent (for openvswitch) and validate that we can run with Docker Desktop 4.27.2. |
antoninbas
added a commit
to antoninbas/antrea
that referenced
this issue
Feb 10, 2024
If a module is built-in, trying to load the module with modprobe inside a container may fail (insted of just being a no-op). This will cause Antrea initialization to fail unless agent.dontLoadKernelModules is explicitly set to true. Now that the Docker Desktop LinuxKit VM comes with openvswitch built-in (starting with 4.27.0), trying to install "default" Antrea (i.e., without setting agent.dontLoadKernelModules) in a Kind cluster running with Docker Desktop on macOS will fail. To make sure that users will not run into this issue, we add logic to the install_cni script to skip the modprobe call if the module is built-in. After this agent, there should be very limited use cases for the agent.dontLoadKernelModules parameter, but there is no harm in keeping in case it is needed in the future or for some corner cases. I also realized that the "--skip-kmod" flag for the start_ovs script did not provide any value. Either the openvswitch module needs to be explicitly loaded, in which case the install_cni script will take care of it anyway, or it should not be loaded at all (e.g., because it is built-in). Additionally, because we do not mount the host's /lib/modules to the antrea-ovs container, it is not possible to load any kernel module from the container. Fixes antrea-io#5939 Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
antoninbas
added a commit
that referenced
this issue
Feb 21, 2024
If a module is built-in, trying to load the module with modprobe inside a container may fail (insted of just being a no-op). This will cause Antrea initialization to fail unless agent.dontLoadKernelModules is explicitly set to true. Now that the Docker Desktop LinuxKit VM comes with openvswitch built-in (starting with 4.27.0), trying to install "default" Antrea (i.e., without setting agent.dontLoadKernelModules) in a Kind cluster running with Docker Desktop on macOS will fail. To make sure that users will not run into this issue, we add logic to the install_cni script to skip the modprobe call if the module is built-in. After this change, there should be very limited use cases for the agent.dontLoadKernelModules parameter, but there is no harm in keeping in case it is needed in the future or for some corner cases. I also realized that the "--skip-kmod" flag for the start_ovs script did not provide any value. Either the openvswitch module needs to be explicitly loaded, in which case the install_cni script will take care of it anyway, or it should not be loaded at all (e.g., because it is built-in). Additionally, because we do not mount the host's /lib/modules to the antrea-ovs container, it is not possible to load any kernel module from the container. Fixes #5939 Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
antoninbas
added a commit
to antoninbas/antrea
that referenced
this issue
Feb 21, 2024
If a module is built-in, trying to load the module with modprobe inside a container may fail (insted of just being a no-op). This will cause Antrea initialization to fail unless agent.dontLoadKernelModules is explicitly set to true. Now that the Docker Desktop LinuxKit VM comes with openvswitch built-in (starting with 4.27.0), trying to install "default" Antrea (i.e., without setting agent.dontLoadKernelModules) in a Kind cluster running with Docker Desktop on macOS will fail. To make sure that users will not run into this issue, we add logic to the install_cni script to skip the modprobe call if the module is built-in. After this change, there should be very limited use cases for the agent.dontLoadKernelModules parameter, but there is no harm in keeping in case it is needed in the future or for some corner cases. I also realized that the "--skip-kmod" flag for the start_ovs script did not provide any value. Either the openvswitch module needs to be explicitly loaded, in which case the install_cni script will take care of it anyway, or it should not be loaded at all (e.g., because it is built-in). Additionally, because we do not mount the host's /lib/modules to the antrea-ovs container, it is not possible to load any kernel module from the container. Fixes antrea-io#5939 Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
antoninbas
added a commit
that referenced
this issue
Feb 22, 2024
If a module is built-in, trying to load the module with modprobe inside a container may fail (insted of just being a no-op). This will cause Antrea initialization to fail unless agent.dontLoadKernelModules is explicitly set to true. Now that the Docker Desktop LinuxKit VM comes with openvswitch built-in (starting with 4.27.0), trying to install "default" Antrea (i.e., without setting agent.dontLoadKernelModules) in a Kind cluster running with Docker Desktop on macOS will fail. To make sure that users will not run into this issue, we add logic to the install_cni script to skip the modprobe call if the module is built-in. After this change, there should be very limited use cases for the agent.dontLoadKernelModules parameter, but there is no harm in keeping in case it is needed in the future or for some corner cases. I also realized that the "--skip-kmod" flag for the start_ovs script did not provide any value. Either the openvswitch module needs to be explicitly loaded, in which case the install_cni script will take care of it anyway, or it should not be loaded at all (e.g., because it is built-in). Additionally, because we do not mount the host's /lib/modules to the antrea-ovs container, it is not possible to load any kernel module from the container. Fixes #5939 Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
After upgrading to Docker Desktop 4.27.0 (the latest version as the time of writing this), Antrea will no longer install successfully on a Kind cluster. The
install-cnicontainer will fail with:To Reproduce
Download and install Docker Desktop 4.27.0: https://docs.docker.com/desktop/release-notes/#4270
Install Antrea with
helm install -n kube-system antrea antrea/antreaLook at Pods with
kubectl get pods -AExpected
Antrea should install successfully
Actual behavior
Antrea Agent Pods cannot be created.
Versions:
Tested with Antrea v1.15.0 and v1.14.2, but this is independent of the Antrea version (specific to the Docker Desktop version).
Additional context
There were some major changes to Docker Desktop (and more precisely the LinuxKit VM) in 4.26 and 4.27.
The 2 breaking changes in our case were introduced in 4.27.0:
agent.dontLoadKernelModules=true, but we should probably "fix" our default behavior. The default behavior should probably be to check ifopenvswitchis "builtin" (by looking at the contents of/lib/modules/$(uname -r)/modules.builtin), and if it is, skip running anymodprobecommand.The text was updated successfully, but these errors were encountered: