From f9c88a17ba071e591c0b6175eb4de4fda916828e Mon Sep 17 00:00:00 2001
From: Gregory Thiemonge
Date: Fri, 1 Apr 2022 06:56:54 +0200
Subject: [PATCH] Fix PING health-monitor with recent Centos releases

Centos 8 Stream removed the capabilities to open raw sockets from the ping binary and added new sysctl default to allow an unprivileged user to send ping request. This sysctl was not inherited by the amphora-haproxy namespace. Add it explicitly to our sysctl list.
Story 2009953
Task 44911
Change-Id: I499bdd5edc23b602495a9b2b9f22baf9547261d5
(cherry picked from commit cbf79c5627e1888611f9212a539b56ceaba1bfeb)
(cherry picked from commit 8cd697e8bf7b91d1d010a3968a440358e8e12dbb)
(cherry picked from commit 2e5bc334942b873d6ba7926f45b71ac80d545a47)
(cherry picked from commit 71acdb46604287130c6d7fc9a376f8289267b93a)
---
 .../haproxy-octavia/post-install.d/20-haproxy-tune-kernel | 8 ++++++++
 .../fix-ping-hm-on-centos-stream-6624f19c8da86e22.yaml | 6 ++++++
 2 files changed, 14 insertions(+)
 create mode 100644 releasenotes/notes/fix-ping-hm-on-centos-stream-6624f19c8da86e22.yaml
diff --git a/elements/haproxy-octavia/post-install.d/20-haproxy-tune-kernel b/elements/haproxy-octavia/post-install.d/20-haproxy-tune-kernel
index da0bbd2a47..0a97be4c79 100755
--- a/elements/haproxy-octavia/post-install.d/20-haproxy-tune-kernel
+++ b/elements/haproxy-octavia/post-install.d/20-haproxy-tune-kernel
@@ -30,3 +30,11 @@ sysctl-write-value net.core.wmem_max 67108864
 sysctl-write-value net.ipv4.tcp_rmem "4096 87380 33554432"
 sysctl-write-value net.ipv4.tcp_wmem "4096 87380 33554432"
 sysctl-write-value net.ipv4.ip_local_port_range "1025 65534"
+
+# Allow unprivileged users to send ICMP echo requests
+# https://bugzilla.redhat.com/show_bug.cgi?id=2037807
+# This sysctl is already included in /usr/lib/sysctl.d/50-default.conf on Centos
+# 8 Stream (with a '-'' prefix that prevents sysctl from throwing an error if
+# the setting doesn't exist in the kernel), but sysctl --system doesn't apply it
+# correctly when creating the amphora-haproxy namespace.
+sysctl-write-value net.ipv4.ping_group_range "0 2147483647"
diff --git a/releasenotes/notes/fix-ping-hm-on-centos-stream-6624f19c8da86e22.yaml b/releasenotes/notes/fix-ping-hm-on-centos-stream-6624f19c8da86e22.yaml
new file mode 100644
index 0000000000..e8b775b4b9
--- /dev/null
+++ b/releasenotes/notes/fix-ping-hm-on-centos-stream-6624f19c8da86e22.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fix an issue with PING health-monitors on Centos 8 Stream. Changes in
+    Centos and systemd prevent an unprivileged user from sending ping requests
+    from a network namespace.
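Review bot: The added `sysctl-write-value net.ipv4.ping_group_range "0 2147483647"` lets every group on the amphora open ICMP echo sockets, not only the group the PING health-monitor runs as; the comment already states this mirrors the Centos 8 Stream default in /usr/lib/sysctl.d/50-default.conf, so host policy is not widened, but the comment should say the full range is deliberate rather than leaving it to read as a stopgap, e.g. `# The full range mirrors the distro default; narrow it to the health-monitor's GID if that group is fixed at build time.` The new comment line `(with a '-'' prefix` carries a stray second quote and should read `(with a '-' prefix`. Lines 1-29 of the script are outside the hunk, so whether the key is already set earlier in this file cannot be confirmed here.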