Merge "Set sensible nf_conntrack_max value in amphora" into stable/xena

octavia/amphorae/backends/agent/api_server/templates/amphora-netns.systemd.j2

@@ -14,6 +14,9 @@ ExecStart=-/sbin/ip netns exec {{ amphora_nsname }} sysctl --system
 # cannot be set in another net namespace, but its value is inherited from the
 # main namespace)
 ExecStart=-/sbin/sysctl -w net.netfilter.nf_conntrack_buckets=125000
+# Update conntrack table sizes using the formula for the default values
+ExecStart=-/sbin/sysctl -w net.netfilter.nf_conntrack_max=125000
+ExecStart=-/sbin/sysctl -w net.netfilter.nf_conntrack_expect_max=488
 # Enable kernel module ip_vs for lvs function in amphora network namespace
 ExecStart=-/sbin/ip netns exec {{ amphora_nsname }} modprobe ip_vs
 # Enable ip_forward and conntrack kernel configuration

releasenotes/notes/fix-nf-conntrack-max-value-in-amp-0e16eb50b42e7b58.yaml

@@ -0,0 +1,15 @@
+---
+upgrade:
+  - |
+    The fix that updates the Netfilter Conntrack Sysfs variables requires
+    rebuilding the amphora image in order to be effective.
+fixes:
+  - |
+    Netfilter Conntrack Sysfs variables net.netfilter.nf_conntrack_max and
+    nf_conntrack_expect_max get set to sensible values on the amphora now.
+    Previously, kernel default values were used which were much too low for the
+    configured net.netfilter.nf_conntrack_buckets value. As a result packets
+    could get dropped because the conntrack table got filled too quickly. Note
+    that this affects only UDP and SCTP protocol listeners.
+    Connection tracking is disabled for TCP-based connections on the
+    amphora including HTTP(S).