Volker Raschek's questions

我已经安装了 RockyLinux 8.5 并试图通过 cifs 挂载一个目录。我收到以下错误消息：

# mount -t cifs -o user=<remarked>,domain=<remarked>,password=<remarked> //<remarked>/backups /mnt/backups
mount error: cifs filesystem not supported by the system 
mount error(19): No such device 
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

RPM 软件包cifs-utils和samba-utils都已安装，但似乎内核无法找到该cifs模块，因为无法加载它：

# find / -name "cifs"
/usr/lib/modules/4.18.0-348.el8.0.2.x86_64/kernel/fs/cifs
# lsmod | grep cifs
# modprobe cifs
modprobe: FATAL: Module cifs not found in directory /lib/modules/4.18.0-348.el8.0.2.x86_64

有谁知道为什么 RockyLinux 无法加载cifs模块？这可能是安装不工作的问题。

这里还有我的dmesg 日志。我找不到任何关于 cifs 的信息。

我已经安装了v1.23.0带有 Arch Linux 作为发行版的 kubernetes。集群由一个主节点和一个节点组成。Booth 系统是基于 KVM 的虚拟机。

当 Pod 想要进行 DNS 查询时，当服务将请求转发到在另一个 kubernetes 节点上运行的 coredns 的 Pod 实例时，它会超时。

所以我怀疑网络提供商工作不正常或某些设置（内核模块、sysctl 等）未设置，因为当请求转发到本地运行的 coredns pod 实例时，客户端会收到响应。这是我的调试步骤：

1. 在开始调试之前，我通过添加log到 coredns 的 configmap 来提高 coredns 的 loglevel。

# kubectl get -n kube-system configmaps coredns -o yaml
apiVersion: v1
data:
  Corefile: |
    .:53 {
        log
        errors
        health {
           lameduck 5s
        }
        ready
        kubernetes cluster.local in-addr.arpa ip6.arpa {
           pods insecure
           fallthrough in-addr.arpa ip6.arpa
           ttl 30
        }
        prometheus :9153
        forward . /etc/resolv.conf {
           max_concurrent 1000
        }
        cache 30
        loop
        reload
        loadbalance
    }

2. 我将我的网络容器部署为调试环境，使用诸如 等网络工具dig来nslookup测试不同的 coredns 实例。

kubectl apply -f https://raw.githubusercontent.com/volker-raschek/network-tools/master/network-tools.yml

3. coredns 的以下 Pod 和服务可用：

kubectl get pod,service -n kube-system -l k8s-app=kube-dns -o wide
NAME                          READY   STATUS    RESTARTS   AGE   IP          NODE                  NOMINATED NODE   READINESS GATES
pod/coredns-64897985d-cgxmv   1/1     Running   0          24h   10.85.0.4   archlinux-x86-64-000  <none>           <none>
pod/coredns-64897985d-l9ftl   1/1     Running   0          24h   10.85.0.3   archlinux-x86-64-001  <none>           <none>

NAME               TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)                  AGE   SELECTOR
service/kube-dns   ClusterIP   10.96.0.10   <none>        53/UDP,53/TCP,9153/TCP   24h   k8s-app=kube-dns

4. 在我的网络 pod 中执行 shell 并尝试google.com通过coredns服务查询 IP 地址。如何识别命令需要不同的时间长度。不幸的是，我无法通过服务重现超时错误：

# kubectl exec  network-tools -- time dig A google.com @10.96.0.10 +short
142.250.185.238
real    0m 5.02s
user    0m 0.02s
sys 0m 0.00s
# kubectl exec  network-tools -- time dig A google.com @10.96.0.10 +short
142.250.185.238
real    0m 0.03s
user    0m 0.01s
sys 0m 0.00s
# kubectl exec  network-tools -- time dig A google.com @10.96.0.10 +short
142.250.185.238
real    0m 10.03s
user    0m 0.01s
sys 0m 0.01s

5. 现在我将查询限制为不同的 coredns pod。请注意，coredns-64897985d-cgxmv具有 IP的 pod10.85.0.4正在不同的节点上运行。

吊舱/coredns-64897985d-l9ftl / 10.85.0.3

kubectl exec  network-tools -- time dig A google.com @10.85.0.3 +short
142.251.36.206
real    0m 0.09s
user    0m 0.00s
sys 0m 0.01s

吊舱/coredns-64897985d-cgxmv / 10.85.0.4

coredns这是显式使用另一个节点的 pod时的超时错误。

# kubectl exec  network-tools -- time dig A google.com @10.85.0.4 +short

; <<>> DiG 9.16.20 <<>> A google.com @10.85.0.4 +short
;; global options: +cmd
;; connection timed out; no servers could be reached

Command exited with non-zero status 9
real    0m 15.02s
user    0m 0.02s
sys 0m 0.00s
command terminated with exit code 9

6. The following logs were written by the coredns pods:

pod/coredns-64897985d-l9ftl / 10.85.0.3

# kubectl logs -n kube-system coredns-64897985d-l9ftl 
.:53
[INFO] plugin/reload: Running configuration MD5 = db32ca3650231d74073ff4cf814959a7
CoreDNS-1.8.6
linux/amd64, go1.17.1, 13a9191
[INFO] Reloading
[INFO] plugin/health: Going into lameduck mode for 5s
[INFO] plugin/reload: Running configuration MD5 = 3d3f6363f05ccd60e0f885f0eca6c5ff
[INFO] Reloading complete
[INFO] 127.0.0.1:54962 - 9983 "HINFO IN 4683476401105705616.5032820535498752139. udp 57 false 512" NXDOMAIN qr,rd,ra 132 0.058383302s
[INFO] 10.85.0.1:24999 - 26748 "A IN google.com. udp 51 false 4096" NOERROR qr,rd,ra 1549 0.070006969s
[INFO] 10.85.0.1:6142 - 9467 "A IN google.com. udp 51 false 4096" NOERROR qr,aa,rd,ra 1549 0.000959536s
[INFO] 10.85.0.1:2544 - 20425 "A IN google.com. udp 51 false 4096" NOERROR qr,aa,rd,ra 1549 0.00065977s
[INFO] 10.85.0.1:26782 - 372 "A IN google.com. udp 51 false 4096" NOERROR qr,aa,rd,ra 1549 0.001292768s
[INFO] 10.85.0.1:62687 - 27302 "A IN google.com. udp 51 false 4096" 
...

pod/coredns-64897985d-cgxmv / 10.85.0.4

# kubectl logs -n kube-system coredns-64897985d-cgxmv
.:53
[INFO] plugin/reload: Running configuration MD5 = db32ca3650231d74073ff4cf814959a7
CoreDNS-1.8.6
linux/amd64, go1.17.1, 13a9191
[INFO] Reloading
[INFO] plugin/health: Going into lameduck mode for 5s
[INFO] plugin/reload: Running configuration MD5 = 3d3f6363f05ccd60e0f885f0eca6c5ff
[INFO] Reloading complete

To narrow down the problem, I reinstalled my cluster via ansible and installed calico instead of flannel via the command below. The same problem exists there.

$ helm install calico projectcalico/tigera-operator --version v3.21.3

I used the installation guide of kubeadm to initialize the cluster. I executed the following kubeadmin init command to initialize the cluster:

$ kubeadm init \
  --apiserver-advertise-address=192.168.179.101 \
  --apiserver-cert-extra-sans=api.example.com \
  --control-plane-endpoint=192.168.179.100 \
  --cri-socket=unix:///var/run/crio/crio.sock \
  --pod-network-cidr=10.244.0.0/16 \
  --upload-certs

The kernel module br_netfilter and the sysctl properties are defined, but the problem still exists. I am at the end of my solution approaches and need advice from experts here. Below is a list of my kernel modules, sysctl settings and other information.

I hope someone can help me.

kernel information

$ uname -a
Linux archlinux-x86-64-000 5.10.90-1-lts #1 SMP Wed, 05 Jan 2022 13:07:40 +0000 x86_64 GNU/Linux

kernel modules

$ lsmod | sort
ac97_bus               16384  1 snd_soc_core
aesni_intel           372736  0
agpgart                53248  4 intel_agp,intel_gtt,ttm,drm
atkbd                  36864  0
bpf_preload            16384  0
bridge                274432  1 br_netfilter
br_netfilter           32768  0
cec                    61440  1 drm_kms_helper
cfg80211              983040  0
crc16                  16384  1 ext4
crc32c_generic         16384  0
crc32c_intel           24576  3
crc32_pclmul           16384  0
crct10dif_pclmul       16384  1
cryptd                 24576  2 crypto_simd,ghash_clmulni_intel
crypto_simd            16384  1 aesni_intel
drm                   577536  5 drm_kms_helper,qxl,drm_ttm_helper,ttm
drm_kms_helper        278528  3 qxl
drm_ttm_helper         16384  1 qxl
ext4                  933888  1
failover               16384  1 net_failover
fat                    86016  1 vfat
fb_sys_fops            16384  1 drm_kms_helper
fuse                  167936  1
ghash_clmulni_intel    16384  0
glue_helper            16384  1 aesni_intel
i2c_i801               36864  0
i2c_smbus              20480  1 i2c_i801
i8042                  36864  0
intel_agp              24576  0
intel_gtt              24576  1 intel_agp
intel_pmc_bxt          16384  1 iTCO_wdt
intel_rapl_common      28672  1 intel_rapl_msr
intel_rapl_msr         20480  0
ip6_udp_tunnel         16384  1 vxlan
ip_set                 57344  0
ip_tables              32768  0
ipt_REJECT             16384  0
ip_vs                 184320  6 ip_vs_rr,ip_vs_sh,ip_vs_wrr
ip_vs_rr               16384  0
ip_vs_sh               16384  0
ip_vs_wrr              16384  0
irqbypass              16384  1 kvm
iTCO_vendor_support    16384  1 iTCO_wdt
iTCO_wdt               16384  0
jbd2                  151552  1 ext4
joydev                 28672  0
kvm                   933888  1 kvm_intel
kvm_intel             331776  0
ledtrig_audio          16384  1 snd_hda_codec_generic
libcrc32c              16384  4 nf_conntrack,nf_nat,nf_tables,ip_vs
libps2                 20480  2 atkbd,psmouse
llc                    16384  2 bridge,stp
lpc_ich                28672  0
mac_hid                16384  0
mbcache                16384  1 ext4
Module                  Size  Used by
mousedev               24576  0
net_failover           24576  1 virtio_net
nf_conntrack          172032  6 xt_conntrack,nf_nat,xt_nat,nf_conntrack_netlink,xt_MASQUERADE,ip_vs
nf_conntrack_netlink    57344  0
nf_defrag_ipv4         16384  1 nf_conntrack
nf_defrag_ipv6         24576  2 nf_conntrack,ip_vs
nf_nat                 57344  3 xt_nat,nft_chain_nat,xt_MASQUERADE
nfnetlink              20480  4 nft_compat,nf_conntrack_netlink,nf_tables,ip_set
nf_reject_ipv4         16384  1 ipt_REJECT
nf_tables             249856  183 nft_compat,nft_counter,nft_chain_nat
nft_chain_nat          16384  7
nft_compat             20480  122
nft_counter            16384  84
nls_iso8859_1          16384  0
overlay               147456  18
pcspkr                 16384  0
psmouse               184320  0
qemu_fw_cfg            20480  0
qxl                    73728  0
rapl                   16384  0
rfkill                 28672  2 cfg80211
rng_core               16384  1 virtio_rng
serio                  28672  6 serio_raw,atkbd,psmouse,i8042
serio_raw              20480  0
snd                   114688  8 snd_hda_codec_generic,snd_hwdep,snd_hda_intel,snd_hda_codec,snd_timer,snd_compress,snd_soc_core,snd_pcm
snd_compress           32768  1 snd_soc_core
snd_hda_codec         172032  2 snd_hda_codec_generic,snd_hda_intel
snd_hda_codec_generic    98304  1
snd_hda_core          110592  3 snd_hda_codec_generic,snd_hda_intel,snd_hda_codec
snd_hda_intel          57344  0
snd_hwdep              16384  1 snd_hda_codec
snd_intel_dspcfg       28672  1 snd_hda_intel
snd_pcm               147456  7 snd_hda_intel,snd_hda_codec,soundwire_intel,snd_compress,snd_soc_core,snd_hda_core,snd_pcm_dmaengine
snd_pcm_dmaengine      16384  1 snd_soc_core
snd_soc_core          327680  1 soundwire_intel
snd_timer              49152  1 snd_pcm
soundcore              16384  1 snd
soundwire_bus          90112  3 soundwire_intel,soundwire_generic_allocation,soundwire_cadence
soundwire_cadence      36864  1 soundwire_intel
soundwire_generic_allocation    16384  1 soundwire_intel
soundwire_intel        45056  1 snd_intel_dspcfg
stp                    16384  1 bridge
syscopyarea            16384  1 drm_kms_helper
sysfillrect            16384  1 drm_kms_helper
sysimgblt              16384  1 drm_kms_helper
ttm                   114688  2 qxl,drm_ttm_helper
udp_tunnel             20480  1 vxlan
usbhid                 65536  0
veth                   32768  0
vfat                   24576  0
virtio_balloon         24576  0
virtio_blk             20480  2
virtio_console         40960  0
virtio_net             61440  0
virtio_pci             28672  0
virtio_rng             16384  0
vxlan                  77824  0
xhci_pci               20480  0
xhci_pci_renesas       20480  1 xhci_pci
x_tables               53248  11 xt_conntrack,xt_statistic,nft_compat,xt_tcpudp,xt_addrtype,xt_nat,xt_comment,ipt_REJECT,ip_tables,xt_MASQUERADE,xt_mark
xt_addrtype            16384  2
xt_comment             16384  64
xt_conntrack           16384  13
xt_mark                16384  12
xt_MASQUERADE          20480  6
xt_nat                 16384  7
xt_statistic           16384  3
xt_tcpudp              20480  15

sysctl

sysctl properties on pastbin. Exceeds the maximum number of characters for serverfault.

我在具有 qcow2 磁盘格式的 Ubuntu 16.04 KVM 上安装了 centos7。

要部署我的 centos 机器，我需要它以 vhdx 磁盘格式支持 Microsoft 的 Hyper-V。我使用 qemu-image 将其从 qcow2 文件格式转换为 vhdx。

qemu-img convert -O vhdx centos.qcow2 centos.vhdx

当我在 Microsoft 的 Hyper-V 中创建带有 centos.vhdx 磁盘文件的新一代 1 vm 时，出现类似错误

dracut-initqueue[220]: Warning dracut-initqueue timeout - starting timeout scripts

看我的引导程序：

我该如何解决这个问题？

我有一个 Debian Jessie 服务器，我想验证关于DNS SSHFP 记录的 SSH HostKey 。我只提供ed25519和rsa算法来连接服务器。我已将服务器 FQDN 伪装成 kronos.example.local。

我使用此命令为 ed25519 算法生成指纹

root@kronos:~# ssh-keygen -r kronos.example.local -f /etc/ssh/ssh_host_ed25519_key
kronos.example.local IN SSHFP 4 1 f6291b4afb2b18cb3042e9dc01bd15efca7f5d5e
kronos.example.local IN SSHFP 4 2 7b2e9286d0969618ccb88d954587ac82f2ad471c34d07d25d91f9905b86f152d

这个是 rsa 的

root@kronos:~# ssh-keygen -r kronos.example.local -f /etc/ssh/ssh_host_rsa_key
kronos.example.local IN SSHFP 1 1 365f966468f59ed889fb9d94c25f8f6cb858aa7a
kronos.example.local IN SSHFP 1 2 162f0117baae8380427698ba8800bdef36e150e6014f220b568d85445832d050

我用 dig 来检查我的客户端机器上的记录。

volker@vm23 ~ $ dig SSHFP kronos.example.local
;; ANSWER SECTION:
kronos.example.local.   600 IN  SSHFP   1 2 162F0117BAAE8380427698BA8800BDEF36E150E6014F220B568D8544 5832D050
kronos.example.local.   600 IN  SSHFP   4 2 7B2E9286D0969618CCB88D954587AC82F2AD471C34D07D25D91F9905 B86F152D
kronos.example.local.   600 IN  SSHFP   4 1 F6291B4AFB2B18CB3042E9DC01BD15EFCA7F5D5E
kronos.example.local.   600 IN  SSHFP   1 1 365F966468F59ED889FB9D94C25F8F6CB858AA7A

SSHFP 记录是正确的，我在我的 ssh 配置中添加了设置 StrictHostKeyChecking 和 VerifyHostKeyDNS 以验证关于 SSHFP 记录的 ssh 指纹。

Host                    kronos
Hostname                kronos.example.local
Port                    30
User                    root
Compression             yes        
IdentityFile            ~/.ssh/ssh.key      
PasswordAuthentication  no
PubkeyAuthentication    yes
RSAAuthentication       no
StrictHostKeyChecking   yes
VerifyHostKeyDNS        yes 

现在，当我想连接到服务器时，我收到一个错误，我的 ssh-client 因为指纹错误而无法建立连接？

volker@vm23 ~ $ ssh kronos
No ED25519 host key is known for [kronos.example.local]:30 and you have requested strict checking.
Host key verification failed.

为什么我得到这个错误，我不知道我做错了什么。

编辑：

当我刷新 known_hosts 文件并再次连接时，我会使用提供的指纹收到此消息。

The authenticity of host '[kronos.example.local]:30 ([192.168.2.100]:30)' can't be established.
ED25519 key fingerprint is SHA256:ey6ShtCWlhjMuI2VRYesgvKtRxw00H0l2R+ZBbhvFS0.

我有一个 Debian Jessie 服务器，我想验证服务器上关于 DNS SSHFP 记录的 ssh 密钥的指纹。这很好用，但是如果客户端通过 ssh 连接到服务器，服务器会提供ssh-ecdsa算法。我想配置只有 ssh-ed25519 并且ssh-rsa 是受支持算法的 ssh 守护进程。对于 Ubuntu 16.04，我使用 ssh 配置密钥HostKeyAlgorithms，但如果我在 Debian 上使用此密钥，我将无法启动守护进程。

为什么守护程序不支持此配置密钥，或者我必须使用其他配置密钥来仅支持 ssh-ed25519 和 ssh-rsa 算法？

这是我的 sshd_config

AcceptEnv LANG LC_*
AuthorizedKeysFile  %h/.ssh/authorized_keys
ChallengeResponseAuthentication no
HostbasedAuthentication no
HostKey         /etc/ssh/ssh_host_rsa_key
HostKey         /etc/ssh/ssh_host_dsa_key
HostKey         /etc/ssh/ssh_host_ecdsa_key
HostKey         /etc/ssh/ssh_host_ed25519_key
#HostKeyAlgorithms  ssh-ed25519,ssh-rsa
KeyRegenerationInterval 3600
LoginGraceTime      120
LogLevel                INFO
MaxAuthTries        10
MaxSessions     5
PasswordAuthentication  no
PermitEmptyPasswords    no
PermitRootLogin     without-password
Port            22
PrintMotd               no
PrintLastLog        no
Protocol        2
RSAAuthentication   no
PubkeyAuthentication    yes
ServerKeyBits       4096
StrictModes     yes
SyslogFacility          AUTH
RhostsRSAAuthentication no
Subsystem       sftp /usr/lib/openssh/sftp-server
TCPKeepAlive        yes
UsePAM          no
UsePrivilegeSeparation  yes