Howdy! Welcome to English. Network request failed

Rancher 2.x
1

I have installed Rancher on a 3 nodes cluster using rke up and helm. rancher.yml:

ignore_docker_version: false
ssh_key_path: .ssh/id_ecdsa
network:
  plugin: canal
  # plugin: flannel
nodes:
  - address: rr01.ac.aixigo.de
    user: debian
    role: [controlplane,worker,etcd]
  - address: rr02.ac.aixigo.de
    user: debian
    role: [controlplane,worker,etcd]
  - address: rr03.ac.aixigo.de
    user: debian
    role: [controlplane,worker,etcd]
services:
  etcd:
    snapshot: true
    creation: 6h
    retention: 24h

% helm install --name rancher rancher-latest/rancher --namespace cattle-system --set hostname=rr01.ac.aixigo.de --set ingress.tls.source=secret
NAME:   rancher
LAST DEPLOYED: Tue Jul  7 09:53:19 2020
NAMESPACE: cattle-system
STATUS: DEPLOYED

RESOURCES:
==> v1/ClusterRoleBinding
NAME     ROLE                       AGE
rancher  ClusterRole/cluster-admin  0s

==> v1/Deployment
NAME     READY  UP-TO-DATE  AVAILABLE  AGE
rancher  0/3    3           0          0s

==> v1/Pod(related)
NAME                      READY  STATUS             RESTARTS  AGE
rancher-755c46c564-6mltz  0/1    ContainerCreating  0         0s
rancher-755c46c564-h6rr9  0/1    ContainerCreating  0         0s
rancher-755c46c564-x5bmx  0/1    ContainerCreating  0         0s

==> v1/Service
NAME     TYPE       CLUSTER-IP     EXTERNAL-IP  PORT(S)  AGE
rancher  ClusterIP  10.43.158.108  <none>       80/TCP   0s

==> v1/ServiceAccount
NAME     SECRETS  AGE
rancher  1        0s

==> v1beta1/Ingress
NAME     CLASS   HOSTS              ADDRESS  PORTS  AGE
rancher  <none>  rr01.ac.aixigo.de  80, 443  0s


NOTES:
Rancher Server has been installed.

NOTE: Rancher may take several minutes to fully initialize. Please standby while Certificates are being issued and Ingress comes up.

Check out our docs at https://rancher.com/docs/rancher/v2.x/en/

Browse to https://rr01.ac.aixigo.de

Happy Containering!

% kubectl -n cattle-system create secret tls tls-rancher-ingress --cert=tls.crt --key=tls.key
secret/tls-rancher-ingress created
% kubectl -n cattle-system rollout status deploy/rancher
deployment "rancher" successfully rolled out
% kubectl -n cattle-system get deploy rancher
NAME      READY   UP-TO-DATE   AVAILABLE   AGE
rancher   3/3     3            3           18m

But apparently the web interface is extremely slow. Either the browser runs into a timeout, or the Howdy screen shows a message “Network request failed”.

Rancher: rancher/hyperkube:v1.18.3-rancher2
docker-ce: 5:19.03.12~3-0~debian-buster
Hosts: Debian 10, systemd 241-7~deb10u4
/etc/docker/daemon.json

{
    "data-root": "/export/docker-data",
    "default-address-pools":[
        {"base":"172.24.0.0/14","size":24}
    ],
    "bip": "10.20.0.1/16",
    "exec-opts": ["native.cgroupdriver=systemd"],
    "log-driver": "json-file",
    "log-opts": {
        "max-size": "100m"
    },
    "storage-driver": "overlay2"
}

Every helpful comment is highly appreciated

2

PS: I’d love to attach the nginx and rancher container logs, but obviously I am too blind to see how to add attachments here.

3

Solved: Apparently rancher/rke/kubernetes or some network tools included create only legacy iptables entries. Docker supports and uses the iptables as found on the host (nftables or legacy). I could register the legacy iptables utilities as default as described on https://wiki.debian.org/nftables to make it work.

iptables is version 1.8.2-4.