From 64a301d4ec85a1bc9b208e60d7958a89e6972976 Mon Sep 17 00:00:00 2001
From: Gregory Thiemonge
Date: Fri, 28 Aug 2020 18:45:40 +0200
Subject: [PATCH] Fix nf_conntrack_buckets sysctl in Amphora

Setting nf_conntrack_buckets in the amphora namespace fails because this sysctl can only be set in the initial namespace (cf kernel doc at https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt)

This commit allows to set nf_conntrack_buckets in the initial namespace, the value is then inherited by other namespaces.

Conntrack is not enabled in the main namespace, the new default value doesn't affect this namespace behavior.

Story: 2008028
Task: 40682
Change-Id: Ie6ccc4bf0017587df8e8e29d8ee3bf5c19e6d615
---
 .../haproxy-octavia/post-install.d/20-haproxy-tune-kernel | 1 -
 .../agent/api_server/templates/amphora-netns.systemd.j2 | 4 ++++
 .../fix-nf_conntrack_buckets-sysctl-75ae6dbb9d052863.yaml | 5 +++++
 3 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/fix-nf_conntrack_buckets-sysctl-75ae6dbb9d052863.yaml

diff --git a/elements/haproxy-octavia/post-install.d/20-haproxy-tune-kernel b/elements/haproxy-octavia/post-install.d/20-haproxy-tune-kernel
index e08cb16b2d..00f68cc508 100755
--- a/elements/haproxy-octavia/post-install.d/20-haproxy-tune-kernel
+++ b/elements/haproxy-octavia/post-install.d/20-haproxy-tune-kernel
@@ -16,7 +16,6 @@ sysctl-write-value fs.file-max 2097152
 sysctl-write-value fs.nr_open 2097152
 # It's ok for these to fail if conntrack module isn't loaded
-sysctl-write-value net.netfilter.nf_conntrack_buckets 125000 || true
 sysctl-write-value net.netfilter.nf_conntrack_tcp_timeout_time_wait 5 || true
 sysctl-write-value net.netfilter.nf_conntrack_tcp_timeout_fin_wait 5 || true

diff --git a/octavia/amphorae/backends/agent/api_server/templates/amphora-netns.systemd.j2 b/octavia/amphorae/backends/agent/api_server/templates/amphora-netns.systemd.j2
index c31296ff02..552993df85 100644
--- a/octavia/amphorae/backends/agent/api_server/templates/amphora-netns.systemd.j2
+++ b/octavia/amphorae/backends/agent/api_server/templates/amphora-netns.systemd.j2
@@ -10,6 +10,10 @@ RemainAfterExit=yes
 ExecStart=-/sbin/ip netns add {{ amphora_nsname }}
 # Load the system sysctl into the new namespace
 ExecStart=-/sbin/ip netns exec {{ amphora_nsname }} sysctl --system
+# Set nf_conntrack_buckets sysctl in the main namespace (nf_conntrack_buckets
+# cannot be set in another net namespace, but its value is inherited from the
+# main namespace)
+ExecStart=-/sbin/sysctl -w net.netfilter.nf_conntrack_buckets=125000
 # Enable kernel module ip_vs for lvs function in amphora network namespace
 ExecStart=-/sbin/ip netns exec {{ amphora_nsname }} modprobe ip_vs
 # Enable ip_forward and conntrack kernel configuration
diff --git a/releasenotes/notes/fix-nf_conntrack_buckets-sysctl-75ae6dbb9d052863.yaml b/releasenotes/notes/fix-nf_conntrack_buckets-sysctl-75ae6dbb9d052863.yaml
new file mode 100644
index 0000000000..2ce22e5c9c
--- /dev/null
+++ b/releasenotes/notes/fix-nf_conntrack_buckets-sysctl-75ae6dbb9d052863.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fix nf_conntrack_buckets sysctl in the Amphora, its value was incorrectly
+    set.
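Review bot: The new `ExecStart=-/sbin/sysctl -w net.netfilter.nf_conntrack_buckets=125000` line can only succeed once the nf_conntrack module is loaded in the initial namespace (the key does not exist before that), and the `-` prefix turns that failure into a silent no-op, so the amphora would run with the kernel default bucket count and nothing in the journal would show it. The line sits before `modprobe ip_vs` and before the "Enable ip_forward and conntrack kernel configuration" section that follows the hunk, which appear to be the first points where conntrack gets pulled in, so at this position the write may be the one that fails. Moving it after the conntrack configuration, or preceding it with `ExecStart=-/sbin/modprobe nf_conntrack`, would make the setting take effect deterministically; at minimum a comment such as `# Requires nf_conntrack to be loaded already; otherwise this write is silently skipped` should record the dependency. Note that on an amphora terminating tenant traffic an undersized hash table only raises conntrack lookup cost under load, since capacity is governed by nf_conntrack_max rather than the bucket count, so this is a tuning gap rather than a table-full condition. The unit's body continues past the end of the hunk.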