You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The messages are followed by 2 others when they happen so I'm including them for completeness (the order is out of my Loki/Grafana deployment so newest message first). Group of all 3 looks like this..
They were happening every 5 minutes or so and initially I was worried that something public had created a path to the Calico network (I just installed the stock thing with default CNI and haven't used Calico in any depth so need to do a bit more studying for my own piece of mind now to understand what it is and isn't capable of - I'm more familair with Cilium and what Istio can do in multi cluster environments).
Having left tcpdump looking for DNS traffic out of these nodes I picked up connectivity-check.ubuntu.com because the PTR records for the addresses in my logs were all over the Canonical zone but on checking the addresses for this record they all matched.
It is caused by NetworkManager connectivity check attempting to reach connectivity-check.ubuntu.com on each interface, it appears to confuse the hell out of calico and I suspect that the public addresses that match that host name might be ones in the connection table in CLOSE_WAIT state.
What Should Happen Instead?
A more informed analysis by somebody who has gone deeper into Calico and possibly some prominent note, warning or documentation if these checks are left active.
Reproduction Steps
Stock install of Ubuntu LTS 22.04. (it may be significant that I built the main node initially with a Gnome desktop I'm not sure if this explcitly enables the checks or if they are on by default)
Add microk8s
Watch logs
Introspection Report
n/a
Can you suggest a fix?
Option to disable the checks when microk8s is installed from snap. These messages dissapear once that is disabled (I just made interval=0 as this was the most fully documented vs enabled which didn't specify yes/no/true/false variants - again docs could be improved, leaving the uri for future reference).
Summary
I found an initially worrying set of events being logged with various public ranges from calico-node - stock install with microk8s on 22.04 LTS.
They look like this..
The messages are followed by 2 others when they happen so I'm including them for completeness (the order is out of my Loki/Grafana deployment so newest message first). Group of all 3 looks like this..
They were happening every 5 minutes or so and initially I was worried that something public had created a path to the Calico network (I just installed the stock thing with default CNI and haven't used Calico in any depth so need to do a bit more studying for my own piece of mind now to understand what it is and isn't capable of - I'm more familair with Cilium and what Istio can do in multi cluster environments).
Having left tcpdump looking for DNS traffic out of these nodes I picked up connectivity-check.ubuntu.com because the PTR records for the addresses in my logs were all over the Canonical zone but on checking the addresses for this record they all matched.
It is caused by NetworkManager connectivity check attempting to reach connectivity-check.ubuntu.com on each interface, it appears to confuse the hell out of calico and I suspect that the public addresses that match that host name might be ones in the connection table in CLOSE_WAIT state.
What Should Happen Instead?
A more informed analysis by somebody who has gone deeper into Calico and possibly some prominent note, warning or documentation if these checks are left active.
Reproduction Steps
Introspection Report
n/a
Can you suggest a fix?
Option to disable the checks when microk8s is installed from snap. These messages dissapear once that is disabled (I just made interval=0 as this was the most fully documented vs enabled which didn't specify yes/no/true/false variants - again docs could be improved, leaving the uri for future reference).
Are you interested in contributing with a fix?
Probably not needed and/or up to maintainers on direction that they may wish to take on this issue.
The text was updated successfully, but these errors were encountered: