/run/xtables.lock file missing after upgrading to stable 3033.2.0

[invidian]

Description

After rebooting to Flatcar stable 3033.2.0, /run/xtables.lock file is no longer present on the host due to iptables upgrade to use nftables backend.

Impact

In my case, I run kubelet in a Docker container, so I have to bind-mount /run/xtables.lock from host into kubelet container to avoid concurrent modification of iptables rules. Because of this and lack of this file after the reboot, Kubernetes node failed to come back after a reboot. Fortunately FLUO did not proceed with upgrading next nodes.

Workaround

The issue can be at least temporarily workaround by executing the following commands before the reboot for upgrade:

sudo mkdir -p /etc/systemd/system/docker.service.d

cat <<EOF | sudo tee /etc/systemd/system/docker.service.d/override.conf
[Unit]
Requries=systemd-tmpfiles-setup.service
After=systemd-tmpfiles-setup.service
EOF

cat << EOF | sudo tee /etc/tmpfiles.d/xtables-workaround.conf
f       /run/xtables.lock       0755    root    root    -       -
EOF

Additional information

Opening mainly for documentation purposes requested by @t-lo.

[pothos]

Thanks, we should keep shipping this file as long as we can assume that common containers still ship binaries that interact with xtables and should add your systemd tmpfile directive to the image.

[pothos]

The workaround is backported to the 3033 and 3066 release maintenance branches and future Stable, Beta, and Alpha releases will have it.

[invidian]

It seems this has regressed with Flatcar stable 3227.2.2?

$ kgnoowide
+ kubectl get nodes -o=wide
NAME           STATUS     ROLES    AGE    VERSION   INTERNAL-IP    EXTERNAL-IP   OS-IMAGE                                             KERNEL-VERSION    CONTAINER-RUNTIME
controller01   NotReady   master   3m5s   v1.25.0   192.168.50.2   <none>        Flatcar Container Linux by Kinvolk 3227.2.2 (Oklo)   5.15.63-flatcar   containerd://1.6.6
...
Events:
  Type     Reason       Age                   From               Message
  ----     ------       ----                  ----               -------
  Normal   Scheduled    2m30s                 default-scheduler  Successfully assigned kube-system/kube-proxy-fv4b5 to controller01
  Warning  FailedMount  113s (x7 over 2m25s)  kubelet            MountVolume.SetUp failed for volume "xtables" : hostPath type check failed: /run/xtables.lock is not a file

EDIT:
Hmm, it actually appeared later. Odd.

[tormath1]

@invidian weird indeed. xtables.lock is created by systemd-tmpfiles maybe systemd-tmpfiles-setup.service took some time to start (because of dependencies):

$ systemctl show --property=After systemd-tmpfiles-setup
After=systemd-journald.socket setup-nsswitch.service system.slice systemd-journald.service systemd-sysusers.service systemd-journal-flush.service local-fs.target

[invidian]

I think everything is fine, sorry for the noise. kube-proxy was not starting because of some other reason and the warning keeps showing up and this is because of my setup, where kubelet simply don't have access to /run/xtables.lock as it runs inside the container.