diff --git a/elements/haproxy-octavia/post-install.d/20-haproxy-tune-kernel b/elements/haproxy-octavia/post-install.d/20-haproxy-tune-kernel
index e08cb16b2d..00f68cc508 100755
--- a/elements/haproxy-octavia/post-install.d/20-haproxy-tune-kernel
+++ b/elements/haproxy-octavia/post-install.d/20-haproxy-tune-kernel
@@ -16,7 +16,6 @@ sysctl-write-value fs.file-max 2097152
 sysctl-write-value fs.nr_open 2097152
 # It's ok for these to fail if conntrack module isn't loaded
-sysctl-write-value net.netfilter.nf_conntrack_buckets 125000 || true
 sysctl-write-value net.netfilter.nf_conntrack_tcp_timeout_time_wait 5 || true
 sysctl-write-value net.netfilter.nf_conntrack_tcp_timeout_fin_wait 5 || true
diff --git a/octavia/amphorae/backends/agent/api_server/templates/amphora-netns.systemd.j2 b/octavia/amphorae/backends/agent/api_server/templates/amphora-netns.systemd.j2
index c31296ff02..552993df85 100644
--- a/octavia/amphorae/backends/agent/api_server/templates/amphora-netns.systemd.j2
+++ b/octavia/amphorae/backends/agent/api_server/templates/amphora-netns.systemd.j2
@@ -10,6 +10,10 @@ RemainAfterExit=yes
 ExecStart=-/sbin/ip netns add {{ amphora_nsname }}
 # Load the system sysctl into the new namespace
 ExecStart=-/sbin/ip netns exec {{ amphora_nsname }} sysctl --system
+# Set nf_conntrack_buckets sysctl in the main namespace (nf_conntrack_buckets
+# cannot be set in another net namespace, but its value is inherited from the
+# main namespace)
+ExecStart=-/sbin/sysctl -w net.netfilter.nf_conntrack_buckets=125000
 # Enable kernel module ip_vs for lvs function in amphora network namespace
 ExecStart=-/sbin/ip netns exec {{ amphora_nsname }} modprobe ip_vs
 # Enable ip_forward and conntrack kernel configuration
diff --git a/releasenotes/notes/fix-nf_conntrack_buckets-sysctl-75ae6dbb9d052863.yaml b/releasenotes/notes/fix-nf_conntrack_buckets-sysctl-75ae6dbb9d052863.yaml
new file mode 100644
index 0000000000..2ce22e5c9c
--- /dev/null
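Review bot: The new `ExecStart=-/sbin/sysctl -w net.netfilter.nf_conntrack_buckets=125000` in amphora-netns.systemd.j2 is silenced by the `-` prefix, and the `net.netfilter.*` keys only exist once the nf_conntrack module is loaded (the line removed from 20-haproxy-tune-kernel relied on exactly that with its `|| true`), so if the module is not yet loaded when this ExecStart runs the write fails without failing the unit and the bucket count stays at the kernel default, which is the condition this commit sets out to fix. The write is placed before the ip_vs modprobe and before the conntrack configuration that the following comment announces, so its ordering relative to whatever loads nf_conntrack is not visible in the hunk; consider preceding it with `ExecStart=-/sbin/modprobe nf_conntrack`, or moving it after the conntrack setup, and dropping the `-` on the sysctl line so a failed write is reported. 125000 is now a bare literal in the template since the element script no longer carries it; a short comment on how the value was chosen, or a template variable, would help future tuning. The [Service] section continues outside the hunk.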
+++ b/releasenotes/notes/fix-nf_conntrack_buckets-sysctl-75ae6dbb9d052863.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - |
+ Fix nf_conntrack_buckets sysctl in the Amphora, its value was incorrectly
+ set.