- Containers do not have network connectivity
- Running sudo calicoctl with environment variables
- calico/node is not ready: BIRD is not ready: BGP not established with 10.0.0.1
- Collecting diagnostics
- Tuning conntrack
Containers do not have network connectivity
Check for mismatched node names
If you notice that a workload has not received network connectivity, check that the node name for that host is properly configured. The name for the node resource must match the node name in the workload endpoint resources on that host. If the names are mismatched, it is likely that all workloads on that node will not receive networking.
To check this, query one of the broken workload endpoints and check its node name:
calicoctl get workloadendpoints -n <namespace>
Then, check to see if a single corresponding node resource exists:
calicoctl get nodes
If the node resource either does not exist or there are multiple node resources representing the bad node, it is likely that the node’s hostname has changed. This often happens as a result of switching a node’s hostname between its FQDN and its short DNS name.
To correct this, you must perform the following steps (with examples shown using Kubernetes):
- Prevent new workloads from being scheduled on the bad node.
kubectl cordon mynode.internal.projectcalico.org
- Drain all workloads from the node.
kubectl drain mynode.internal.projectcalico.org --ignore-daemonsets
- On the bad node, set the hostname to the desired value.
sudo hostnamectl set-hostname <desired-hostname>
- Delete the bad node configuration from Calico.
calicoctl delete node <name-of-bad-node>
- Restart calico/node on the bad node to pick up the changes.
kubectl delete pod -n kube-system <name-of-calico-pod>
- Reenable scheduling of worklods on the node.
kubectl uncordon mynode.internal.projectcalico.org
To prevent this problem from occurring, we recommend always mounting the
/var/lib/calico directory into the
container when installing Calico. This allows all components to detect and use the same node name. See
node name determination for more information.
Check BGP peer status
If you have connectivity between containers on the same host, and between containers and the Internet, but not between containers on different hosts, it probably indicates a problem in your BGP configuration.
calicoctl node status on each host. It should include output like this:
If you do not see this, please check the following.
Make sure there is IP connectivity between your hosts.
Make sure your network allows the requisite BGP traffic on TCP port 179.
Configure NetworkManager before attempting to use Calico networking.
NetworkManager manipulates the routing table for interfaces in the default network namespace where Calico veth pairs are anchored for connections to containers. This can interfere with the Calico agent’s ability to route correctly.
Create the following configuration file at
/etc/NetworkManager/conf.d/calico.conf to prevent
NetworkManager from interfering with the interfaces:
Running sudo calicoctl with environment variables
If you use
sudo for commands like
calicoctl node run, remember that your environment
variables will not be transferred to the
sudo environment. You can run
-E flag to include your environment variables:
sudo -E calicoctl node run
or you can set environment variables for
sudo commands like this:
sudo ETCD_ENDPOINTS=http://172.25.0.1:2379 calicoctl node run
Also be aware that connection information can be specified as a config file rather than using environment variables. See Installing calicoctl for details.
calico/node is not ready: BIRD is not ready: BGP not established with 10.0.0.1
The calico/node container may report an “unready” status in Kubernetes with this message. In most cases, this means a particular peer is unreachable in the cluster. Users should ensure BGP connectivity between the two peers is allowed in their environment.
This can also occur when inactive Node resources are configured when using node-to-node mesh. Resolve cases like this by decommissioning the stale nodes.
Lastly this can occur when BGP connections to non-mesh peers go down. If this is a common occurrence in your BGP topology, you can disable BIRD readiness checks. See node readiness for more information.
If you hit problems, please raise an issue in GitHub.
Diagnostics can be collected using the calicoctl command line tool. This should be run with superuser privileges, for example:
sudo calicoctl node diags
A common problem on Linux systems is running out of space in the conntrack table, which can cause poor iptables performance. This can happen if you run a lot of workloads on a given host, or if your workloads create a lot of TCP connections or bidirectional UDP streams.
To avoid this becoming a problem, we recommend increasing the conntrack table size. To do so, run the following commands:
sysctl -w net.netfilter.nf_conntrack_max=1000000 echo "net.netfilter.nf_conntrack_max=1000000" >> /etc/sysctl.conf