Merge "Fix nf_conntrack_buckets sysctl in Amphora"

elements/haproxy-octavia/post-install.d/20-haproxy-tune-kernel

@@ -16,7 +16,6 @@ sysctl-write-value fs.file-max 2097152
 sysctl-write-value fs.nr_open 2097152
 
 # It's ok for these to fail if conntrack module isn't loaded
-sysctl-write-value net.netfilter.nf_conntrack_buckets 125000 || true
 sysctl-write-value net.netfilter.nf_conntrack_tcp_timeout_time_wait 5 || true
 sysctl-write-value net.netfilter.nf_conntrack_tcp_timeout_fin_wait 5 || true
 

octavia/amphorae/backends/agent/api_server/templates/amphora-netns.systemd.j2

@@ -10,6 +10,10 @@ RemainAfterExit=yes
 ExecStart=-/sbin/ip netns add {{ amphora_nsname }}
 # Load the system sysctl into the new namespace
 ExecStart=-/sbin/ip netns exec {{ amphora_nsname }} sysctl --system
+# Set nf_conntrack_buckets sysctl in the main namespace (nf_conntrack_buckets
+# cannot be set in another net namespace, but its value is inherited from the
+# main namespace)
+ExecStart=-/sbin/sysctl -w net.netfilter.nf_conntrack_buckets=125000
 # Enable kernel module ip_vs for lvs function in amphora network namespace
 ExecStart=-/sbin/ip netns exec {{ amphora_nsname }} modprobe ip_vs
 # Enable ip_forward and conntrack kernel configuration

releasenotes/notes/fix-nf_conntrack_buckets-sysctl-75ae6dbb9d052863.yaml

@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fix nf_conntrack_buckets sysctl in the Amphora, its value was incorrectly
+    set.