Set sensible nf_conntrack_max value in amphora

This sets the values of nf_conntrack_max and nf_conntrack_expect_max to sensible values. Previously, the default values set by the kernel were used, which limited net.netfilter.nf_conntrack_max to 32768. On the other hand, Octavia sets nf_conntrack_buckets to 125000. A value of nf_conntrack_max lower than half of that makes no sense. The new values are calculated using the formula for the default value in the kernel [1]: nf_conntrack_max = nf_conntrack_buckets nf_conntrack_expect_max = nf_conntrack_buckets / 256 [1]: https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.rst Story: 2010050 Task: 45460 Change-Id: Id1dd029995d41e6913a07eeb120c889d71d583eb
2022-05-24 14:43:26 +02:00 · 2022-05-24 14:43:26 +02:00 · 3d3e38afe9
commit 3d3e38afe9
parent 226a4001aa
2 changed files with 18 additions and 0 deletions
--- a/octavia/amphorae/backends/agent/api_server/templates/amphora-netns.systemd.j2
+++ b/octavia/amphorae/backends/agent/api_server/templates/amphora-netns.systemd.j2
@ -14,6 +14,9 @@ ExecStart=-/sbin/ip netns exec {{ amphora_nsname }} sysctl --system
 # cannot be set in another net namespace, but its value is inherited from the
 # main namespace)
 ExecStart=-/sbin/sysctl -w net.netfilter.nf_conntrack_buckets=125000
+# Update conntrack table sizes using the formula for the default values
+ExecStart=-/sbin/sysctl -w net.netfilter.nf_conntrack_max=125000
+ExecStart=-/sbin/sysctl -w net.netfilter.nf_conntrack_expect_max=488
 # Enable kernel module ip_vs for lvs function in amphora network namespace
 ExecStart=-/sbin/ip netns exec {{ amphora_nsname }} modprobe ip_vs
 # Enable ip_forward and conntrack kernel configuration
--- a/releasenotes/notes/fix-nf-conntrack-max-value-in-amp-0e16eb50b42e7b58.yaml
+++ b/releasenotes/notes/fix-nf-conntrack-max-value-in-amp-0e16eb50b42e7b58.yaml
@ -0,0 +1,15 @@
+---
+upgrade:
+  - |
+    The fix that updates the Netfilter Conntrack Sysfs variables requires
+    rebuilding the amphora image in order to be effective.
+fixes:
+  - |
+    Netfilter Conntrack Sysfs variables net.netfilter.nf_conntrack_max and
+    nf_conntrack_expect_max get set to sensible values on the amphora now.
+    Previously, kernel default values were used which were much too low for the
+    configured net.netfilter.nf_conntrack_buckets value. As a result packets
+    could get dropped because the conntrack table got filled too quickly. Note
+    that this affects only UDP and SCTP protocol listeners.
+    Connection tracking is disabled for TCP-based connections on the
+    amphora including HTTP(S).