Fix nf_conntrack_buckets sysctl in Amphora

Setting nf_conntrack_buckets in the amphora namespace fails because this
sysctl can only be set in the initial namespace (cf kernel doc at
https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt)

This commit allows to set nf_conntrack_buckets in the initial namespace,
the value is then inherited by other namespaces.

Conntrack is not enabled in the main namespace, the new default value
doesn't affect this namespace behavior.

Story: 2008028
Task: 40682

Change-Id: Ie6ccc4bf0017587df8e8e29d8ee3bf5c19e6d615

elements/haproxy-octavia/post-install.d/20-haproxy-tune-kernel

@@ -16,7 +16,6 @@ sysctl-write-value fs.file-max 2097152
 sysctl-write-value fs.nr_open 2097152
 
 # It's ok for these to fail if conntrack module isn't loaded
-sysctl-write-value net.netfilter.nf_conntrack_buckets 125000 || true
 sysctl-write-value net.netfilter.nf_conntrack_tcp_timeout_time_wait 5 || true
 sysctl-write-value net.netfilter.nf_conntrack_tcp_timeout_fin_wait 5 || true
 

octavia/amphorae/backends/agent/api_server/templates/amphora-netns.systemd.j2

@@ -10,6 +10,10 @@ RemainAfterExit=yes
 ExecStart=-/sbin/ip netns add {{ amphora_nsname }}
 # Load the system sysctl into the new namespace
 ExecStart=-/sbin/ip netns exec {{ amphora_nsname }} sysctl --system
+# Set nf_conntrack_buckets sysctl in the main namespace (nf_conntrack_buckets
+# cannot be set in another net namespace, but its value is inherited from the
+# main namespace)
+ExecStart=-/sbin/sysctl -w net.netfilter.nf_conntrack_buckets=125000
 # Enable kernel module ip_vs for lvs function in amphora network namespace
 ExecStart=-/sbin/ip netns exec {{ amphora_nsname }} modprobe ip_vs
 # Enable ip_forward and conntrack kernel configuration

releasenotes/notes/fix-nf_conntrack_buckets-sysctl-75ae6dbb9d052863.yaml

@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fix nf_conntrack_buckets sysctl in the Amphora, its value was incorrectly
+    set.