OS-Level Preparation

Additional OS-level configuration is required before installation begins. Steps differ by Linux distribution.

OS Required Steps

Ubuntu

OS	Required Steps
Ubuntu	Disable and stop `ufw`: `sudo ufw disable sudo ufw stop` Disable `systemd-resolved`: `sudo systemctl disable systemd-resolved.service sudo systemctl stop systemd-resolved` Disable `apparmor`: `sudo systemctl disable apparmor sudo systemctl stop apparmor` Ensure the `/var` partition does not have the `noexec` flag set.
RHEL/CentOS/Oracle Linux	Disable `firewalld`: `systemctl disable firewalld --now` Disable `fapolicyd`: `systemctl disable fapolicyd.service` Disable `nm-cloud-setup` and reboot: `systemctl disable nm-cloud-setup.service nm-cloud-setup.timer reboot` Check FIPS mode. If FIPS is enabled, K3s workloads will crash at startup. Check with: `sysctl crypto.fips_enabled` A value of `1` means FIPS is enabled. Refer to How to disable FIPS in RHEL/CentOS to resolve this before proceeding. Check iptables version. RHEL systems running iptables 1.8.4 have known bugs affecting firewall routing and network reachability. Configure K3s to use its bundled version by adding `--prefer-bundled-bin` to the K3s service and restarting: `cat /etc/systemd/system/k3s.service # Add '--prefer-bundled-bin' to ExecStart line sudo systemctl daemon-reload sudo systemctl stop k3s sudo systemctl start k3s` If using a dedicated `/var/lib/rancher` partition, ensure it is NOT mounted with the `noexec` flag in `/etc/fstab`.

Disable and stop ufw:

sudo ufw disable
sudo ufw stop

Disable systemd-resolved:

sudo systemctl disable systemd-resolved.service
sudo systemctl stop systemd-resolved

Disable apparmor:

sudo systemctl disable apparmor
sudo systemctl stop apparmor

Ensure the /var partition does not have the noexec flag set.

RHEL/CentOS/Oracle Linux

Disable firewalld:

systemctl disable firewalld --now

Disable fapolicyd:

systemctl disable fapolicyd.service

Disable nm-cloud-setup and reboot:

systemctl disable nm-cloud-setup.service nm-cloud-setup.timer 
reboot

Check FIPS mode. If FIPS is enabled, K3s workloads will crash at startup. Check with:

sysctl crypto.fips_enabled

A value of 1 means FIPS is enabled. Refer to How to disable FIPS in RHEL/CentOS to resolve this before proceeding.

Check iptables version. RHEL systems running iptables 1.8.4 have known bugs affecting firewall routing and network reachability. Configure K3s to use its bundled version by adding --prefer-bundled-bin to the K3s service and restarting:

cat /etc/systemd/system/k3s.service
# Add '--prefer-bundled-bin' to ExecStart line
sudo systemctl daemon-reload
sudo systemctl stop k3s
sudo systemctl start k3s

If using a dedicated /var/lib/rancher partition, ensure it is NOT mounted with the noexec flag in /etc/fstab.