From 33eaff55fc59c711e9a74dd94f55d84a54f09f56 Mon Sep 17 00:00:00 2001 From: Tom Weininger Date: Tue, 24 May 2022 14:43:26 +0200 Subject: [PATCH] Set sensible nf_conntrack_max value in amphora This sets the values of nf_conntrack_max and nf_conntrack_expect_max to sensible values. Previously, the default values set by the kernel were used, which limited net.netfilter.nf_conntrack_max to 32768. On the other hand, Octavia sets nf_conntrack_buckets to 125000. A value of nf_conntrack_max lower than half of that makes no sense. The new values are calculated using the formula for the default value in the kernel [1]: nf_conntrack_max = nf_conntrack_buckets nf_conntrack_expect_max = nf_conntrack_buckets / 256 [1]: https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.rst Story: 2010050 Task: 45460 Change-Id: Id1dd029995d41e6913a07eeb120c889d71d583eb (cherry picked from commit 3d3e38afe9f0186f45e9800090afecc3aa434846) (cherry picked from commit 78603681cce95048b76e2fcfabcdb0b5baf58c51) --- .../api_server/templates/amphora-netns.systemd.j2 | 3 +++ ...nntrack-max-value-in-amp-0e16eb50b42e7b58.yaml | 15 +++++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 releasenotes/notes/fix-nf-conntrack-max-value-in-amp-0e16eb50b42e7b58.yaml diff --git a/octavia/amphorae/backends/agent/api_server/templates/amphora-netns.systemd.j2 b/octavia/amphorae/backends/agent/api_server/templates/amphora-netns.systemd.j2 index 501c2fa660..3d1c2f1240 100644 --- a/octavia/amphorae/backends/agent/api_server/templates/amphora-netns.systemd.j2 +++ b/octavia/amphorae/backends/agent/api_server/templates/amphora-netns.systemd.j2 
@@ -14,6 +14,9 @@ ExecStart=-/sbin/ip netns exec {{ amphora_nsname }} sysctl --system # cannot be set in another net namespace, but its value is inherited from the # main namespace) ExecStart=-/sbin/sysctl -w net.netfilter.nf_conntrack_buckets=125000 +# Update conntrack table sizes using the formula for the default values +ExecStart=-/sbin/sysctl -w net.netfilter.nf_conntrack_max=125000 +ExecStart=-/sbin/sysctl -w net.netfilter.nf_conntrack_expect_max=488 # Enable kernel module ip_vs for lvs function in amphora network namespace ExecStart=-/sbin/ip netns exec {{ amphora_nsname }} modprobe ip_vs # Enable ip_forward and conntrack kernel configuration diff --git a/releasenotes/notes/fix-nf-conntrack-max-value-in-amp-0e16eb50b42e7b58.yaml b/releasenotes/notes/fix-nf-conntrack-max-value-in-amp-0e16eb50b42e7b58.yaml new file mode 100644 index 0000000000..8ee949b65d --- /dev/null +++ b/releasenotes/notes/fix-nf-conntrack-max-value-in-amp-0e16eb50b42e7b58.yaml @@ -0,0 +1,15 @@ +--- +upgrade: + - | + The fix that updates the Netfilter Conntrack Sysfs variables requires + rebuilding the amphora image in order to be effective. +fixes: + - | + Netfilter Conntrack Sysfs variables net.netfilter.nf_conntrack_max and + nf_conntrack_expect_max get set to sensible values on the amphora now. + Previously, kernel default values were used which were much too low for the + configured net.netfilter.nf_conntrack_buckets value. As a result packets + could get dropped because the conntrack table got filled too quickly. Note + that this affects only UDP and SCTP protocol listeners. + Connection tracking is disabled for TCP-based connections on the + amphora including HTTP(S).
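Review bot: in the amphora-netns.systemd.j2 hunk, the two new `sysctl -w` lines run in the main namespace (no `ip netns exec {{ amphora_nsname }}`), but the only explanation in the file is the comment above the `nf_conntrack_buckets` line ("cannot be set in another net namespace, but its value is inherited from the main namespace"); extend that comment so it states that the same applies to `nf_conntrack_max` and `nf_conntrack_expect_max`, otherwise a later reader will assume these two were left out of the namespace by mistake. The value 125000 is also now a literal on two separate lines and 488 is a hand-derived value, so the three settings can silently drift apart; define the bucket count once (e.g. `{% set conntrack_buckets = 125000 %}`) and render `nf_conntrack_max={{ conntrack_buckets }}` and `nf_conntrack_expect_max={{ conntrack_buckets // 256 }}`, with the formula from the commit message in the comment. Finally, the `ExecStart=-` prefix makes a failing `sysctl -w` non-fatal: if the nf_conntrack module is not yet loaded when this unit runs, the write fails quietly and the kernel defaults the commit message describes remain in effect, so it is worth confirming the ordering relative to the conntrack module load and documenting it.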
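Review bot: the release note calls these "Netfilter Conntrack Sysfs variables" in both the upgrade and fixes entries, but they are sysctl settings under `net.netfilter` (the template hunk sets them with `sysctl -w`), not sysfs attributes, so change "Sysfs" to "sysctl" in both places. In the fixes entry, give both names their full prefix (`net.netfilter.nf_conntrack_max` and `net.netfilter.nf_conntrack_expect_max`) to match `net.netfilter.nf_conntrack_buckets` in the following sentence, and "get set to sensible values on the amphora now" reads better as "are now set to sensible values on the amphora".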