
@wstephenson wstephenson commented Aug 29, 2025

Proposed Changes

What

Warn user during install if a running firewall is detected.

Why

K3s changes iptables rules itself, so it's not desirable to have a firewall managing them at the same time. If a firewall is running, additional rules are necessary so that K3s internal routing works.

This is documented at https://docs.k3s.io/installation/requirements, but if a firewall is active and these rules are not added, routing between pods and services will fail in an opaque way.

This change adds a check at install time for enabled firewalld and ufw, and warns with a link to the above docs, so that users who (like me) fail to read the docs or are only following the Quickstart guide are not confounded.

Types of Changes

  • runtime warning during installer

Verification

  • suse/rhel: sudo systemctl enable firewalld and run installer, check for new warning
  • debian/ubuntu: sudo ufw enable and run installer, check for new warning

Testing

Tested manually on both openSUSE and Ubuntu 24.04. I looked into adding tests to the Vagrant-based automated tests, but these currently lack infrastructure for testing the behaviour of the installer script.

Linked Issues

User-Facing Change

Warn in installer if a running firewall is detected.

Further Comments
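
An added illustration of the check the description proposes, written for this page and not taken from the k3s install.sh itself; it assumes firewalld is detected with systemctl is-active and ufw with the "Status: active" line of ufw status, and points the warning at the requirements page linked above.

```shell
#!/bin/sh
# Added example (not the k3s installer): warn when a running firewall is found.
K3S_FIREWALL_DOCS="https://docs.k3s.io/installation/requirements"

# firewalld is considered running when systemd reports the unit active
# (assumption: "is-active", not merely "is-enabled", since the warning is
# about rules being managed while k3s runs).
firewalld_active() {
    command -v systemctl >/dev/null 2>&1 || return 1
    systemctl is-active --quiet firewalld 2>/dev/null
}

# ufw prints "Status: active" when enabled (querying it needs root).
ufw_active() {
    command -v ufw >/dev/null 2>&1 || return 1
    ufw status 2>/dev/null | grep -q '^Status: active'
}

# Collect the names of running firewalls as a comma-separated string.
detect_firewalls() {
    found=""
    firewalld_active && found="firewalld"
    if ufw_active; then
        found="${found:+$found, }ufw"
    fi
    printf '%s' "$found"
}

# Build the warning text for a detected-firewall list; returns 1 and prints
# nothing when the list is empty so the result can be checked by callers.
firewall_warning() {
    [ -n "$1" ] || return 1
    printf '[WARN]  An active firewall was detected (%s).\n' "$1"
    printf '[WARN]  K3s manages iptables rules itself; a firewall managing them as well\n'
    printf '[WARN]  needs extra rules or pod/service routing will fail. See %s\n' \
        "$K3S_FIREWALL_DOCS"
}

# Installer hook: detection only warns, it never aborts the install.
check_firewall() {
    firewall_warning "$(detect_firewalls)" || true
}

check_firewall
```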

@wstephenson wstephenson requested a review from a team as a code owner August 29, 2025 08:39
@wstephenson wstephenson changed the title Check for running firewall and warnenable Check for running firewall and warn in installer Aug 29, 2025
@wstephenson
Author

CI is breaking on the installer checksum check; I haven't found where I can update that checksum.

@dereknola
Member

It's here: https://github.com/k3s-io/k3s/blob/master/install.sh.sha256sum

@wstephenson
Author

Thanks, I was overthinking it, assuming the checksums would have to be stored somewhere external to the repo.

@wstephenson wstephenson force-pushed the add_installer_firewall_check branch from bc57847 to fa315a1 on August 29, 2025 21:25

codecov bot commented Sep 2, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 20.44%. Comparing base (d08bf6c) to head (fa315a1).

❗ There is a different number of reports uploaded between BASE (d08bf6c) and HEAD (fa315a1): HEAD has 1 upload less than BASE.

Flag       BASE (d08bf6c)   HEAD (fa315a1)
e2etests   1                0
Additional details and impacted files
@@             Coverage Diff             @@
##           master   #12847       +/-   ##
===========================================
- Coverage   40.57%   20.44%   -20.14%     
===========================================
  Files         185      182        -3     
  Lines       18931    18863       -68     
===========================================
- Hits         7681     3856     -3825     
- Misses      10069    14571     +4502     
+ Partials     1181      436      -745     
Flag        Coverage Δ
e2etests    ?
unittests   20.44% <ø> (+<0.01%) ⬆️


@wstephenson
Author

Failed in "startup tests when a server with kine-tls is created [It] has the default pods deployed" connecting to the cluster. Is this test flickering? Can I re-trigger it? It doesn't look related to my changes.
