You can't get there from here: solving kubernetes flannel configuration issues

After following the Kubernetes (K8) Documentation for installing K8 on bare-metal Ubuntu nodes, I encountered some difficulties getting Services to work properly, and getting containers on different nodes to see each other.

With the help of Justin Santa Barbara in the K8 #kubernetes-users Slack channel, I was able to determine that my flannel overlay network was misconfigured.  (Previously I had assumed it was working OK, because I could create and manage replication controllers, pods, etc. with no problems.)

Basically, containers could see the Internet, but could not see each other unless two pods happened to land on the same node.  Services created via the K8 API were not network-visible outside the node either, whether inside or outside the cluster.

Solving the immediate problem

I'm not sure how that configuration got messed up, but I suspect it was when I installed the latest version of docker from the Docker-managed PPA.  In order to fix it, here's what I did:

  • I stopped all current replication controllers and my gluster volume. Just in case I screwed something up, I didn't want to accidentally create a split brain.
  • I stopped the flannel daemons on all nodes participating in the cluster.
  • I used /opt/bin/etcdctl to reconfigure the network range under the key "/" -- specifying a range that did not conflict with existing private-addressing schemes on the LAN.
  • After taking note of how to restore the entries just in case, I used /opt/bin/etcdctl to delete all existing subnet leases.  After reading up on flannel a bit, I found the configuration is actually pretty simple. I would liken it to the way DHCP assigns IPs from a range: flannel, communicating via etcd, assigns a subnet range to each participating node in the same way.  (I also tried to configure it for host-gw networking, since my flat layer 2 network should permit that, but I couldn't get it to work and switched back to vxlan, which seems to work fine.)
  • I restarted the flannel daemons on all hosts, making sure that /etc/default/flanneld contained correct etcd-endpoints and iface lines on all nodes.  (My bare-metal nodes have two ethernet adapters; I've configured the secondary adapter on each node to serve as an isolated network just for gluster nodes to talk to each other.)
  • I looked at /opt/bin/etcdctl ls / to make sure the old subnet info hadn't re-created itself somehow, and to make sure that new leases were being assigned out of the newly configured range.
  • I noted the range assigned to each node, which you could tell by looking at the output of ifconfig and looking for the flannel.1 adapter.
  • Docker, running on each node, needs to use an IP from the node's assigned flannel subnet as the bridge address for docker0.  Flannel writes this info to /run/flannel/subnet.env, but I couldn't figure out how to get the docker daemon (in the amount of time I had) to read those values. Apparently whatever startup process reads /etc/default/docker does not evaluate that file as shell; I couldn't get it to expand the environment variables.  But, since I knew the subnet range assigned to each node, I just configured the --bip parameter for each node by hand. (This is a very small cluster, and this method obviously would not work for anything more than a few nodes.)
  • I restarted the docker daemon on each node so it would pick up the new configuration, and confirmed that the correct docker0 address had been assigned through ifconfig.  It was.
  • I spun up a container with an exposed port and confirmed that I could reach that port from another node in the cluster, and I could.  I created a type:NodePort k8 service entry to expose that port to the rest of the world, and that worked also.  Finally I confirmed that I could reach the exposed service through any node in the cluster when connecting to the correct port.  Previously none of this had worked, but now it does.
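The docker0 step above, done from a script instead of by hand, as an added example that is not code from the original post: it reads the lease flanneld writes to /run/flannel/subnet.env without sourcing the file as shell, prints the DOCKER_OPTS line for /etc/default/docker, and checks that a bridge address really falls inside the node's flannel network. The sample subnet.env contents, the addresses, and the placeholder etcd key in the comment are constructed for the demo; the key path and JSON shape are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. It scripts the --bip step:
# read the lease flanneld writes to /run/flannel/subnet.env, emit the
# DOCKER_OPTS line for /etc/default/docker, and check that a bridge address
# sits inside the node's flannel network. Sample file contents and addresses
# are constructed; the flannel config JSON and etcd key are only a placeholder:
#
#   etcdctl set <flannel-config-key> \
#     '{ "Network": "10.1.0.0/16", "SubnetLen": 24, "Backend": { "Type": "vxlan" } }'

# Dotted quad -> 32-bit integer, using only POSIX sh arithmetic.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr ADDR NET/BITS -> exit 0 if ADDR is inside NET/BITS, 1 otherwise.
ip_in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Read FLANNEL_SUBNET and FLANNEL_MTU from a subnet.env file without sourcing
# it (a tampered file must not be able to run commands as root) and print the
# docker daemon options derived from them. Rejects anything that is not
# a.b.c.d/nn or a plain integer.
docker_opts_from_subnet_env() {
    file=$1
    subnet=$(sed -n 's/^FLANNEL_SUBNET=//p' "$file")
    mtu=$(sed -n 's/^FLANNEL_MTU=//p' "$file")
    case $subnet in
        ""|*[!0-9./]*) echo "bad FLANNEL_SUBNET in $file" >&2; return 1 ;;
    esac
    case $mtu in
        ""|*[!0-9]*) echo "bad FLANNEL_MTU in $file" >&2; return 1 ;;
    esac
    echo "--bip=$subnet --mtu=$mtu"
}

# One node: derive the options and confirm the given docker0 address falls
# inside FLANNEL_NETWORK. Returns 1 when bridge and lease disagree, which is
# the state the post describes (docker0 still on Docker's default range).
check_node() {
    file=$1
    bridge=$2
    network=$(sed -n 's/^FLANNEL_NETWORK=//p' "$file")
    opts=$(docker_opts_from_subnet_env "$file") || return 1
    if ip_in_cidr "$bridge" "$network"; then
        printf 'DOCKER_OPTS="%s"\n' "$opts"
        return 0
    fi
    echo "docker0 $bridge is outside flannel network $network; set $opts" >&2
    return 1
}

demo() {
    tmp=$(mktemp)
    # Constructed sample of the file flanneld writes on one node.
    cat > "$tmp" <<'EOF'
FLANNEL_NETWORK=10.1.0.0/16
FLANNEL_SUBNET=10.1.17.1/24
FLANNEL_MTU=1450
FLANNEL_IPMASQ=true
EOF
    echo "bridge on the lease:"
    check_node "$tmp" 10.1.17.1
    echo "bridge left on Docker's default range:"
    check_node "$tmp" 172.17.42.1 || true
    rm -f "$tmp"
}

demo
```

Run it on a node after flanneld has written its lease and paste the printed DOCKER_OPTS line into /etc/default/docker; the second check is the one to run after restarting docker, feeding it the docker0 address from ifconfig, so a bridge that silently stayed on Docker's default range is caught rather than discovered later when pods cannot reach each other.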

  Here are the rc and service YML files I used:


During this process, the logs in /var/log/upstart/docker.log and /var/log/upstart/flanneld.log were invaluable.

It seems like there should be some kind of config lint tool for flannel/kubernetes installs that warns of problems like this ... until I poked around looking for the problem, I never got any message that anything was wrong! Automated installs are great, but if you don't understand what they are doing under the hood and they get messed up, they are tough to debug.