fix: ensure nf_conntrack module loaded for kubelite.
This patch ensures that the `nf_conntrack` kernel module is loaded
before `kubelite` is started as the ProxyServer needs to read some
conntrack module-related params from procfs.

Previously, although it would always crash if the module wasn't
loaded, this wasn't that common an occurrence in practice, as there
are quite a few ways `nf_conntrack` gets loaded transparently:
* Cilium [automatically loads `iptable_nat`](https://github.com/cilium/cilium/blob/63cd391f93b4e2c865268241d384504348672042/pkg/datapath/iptables/iptables.go#L367-L368)
after a small startup delay, whose dependency tree includes `nf_conntrack`
* starting firewalld/ufw/most other firewall services
* setting iptables/nftables rules which imply session tracking

By explicitly loading `nf_conntrack` before starting `kubelite`,
it should ensure the procfs values the ProxyServer reads are
always present on startup.

Signed-off-by: Nashwan Azhari <[email protected]>
aznashwan committed Oct 25, 2024
1 parent 6e45809 commit 9e45755
Showing 1 changed file with 13 additions and 0 deletions.
13 changes: 13 additions & 0 deletions microk8s-resources/wrappers/run-kubelite-with-args
Expand Up @@ -204,6 +204,19 @@ then
fi
fi

# kube-proxy reads some values related to the 'nf_conntrack' kernel
# module from procfs on startup, so we must ensure it is loaded:
if ! [ -f /proc/sys/net/netfilter/nf_conntrack_max ]
then
if /sbin/modprobe nf_conntrack || modprobe nf_conntrack
then
echo "Successfully loaded nf_conntrack module."
else
echo -n "Failed to load nf_conntrack kernel module. "
echo "ProxyServer will fail to start until it's loaded."
fi
fi

# on lxc containers do not try to change the conntrack configuration
# see https://github.com/canonical/microk8s/issues/1438
if grep -E lxc /proc/1/environ &&
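Review bot: the success branch after `if /sbin/modprobe nf_conntrack || modprobe nf_conntrack` prints "Successfully loaded nf_conntrack module." without re-testing the condition the block was guarding on, `[ -f /proc/sys/net/netfilter/nf_conntrack_max ]`; a zero exit from modprobe does not by itself prove the procfs entry is now visible to this process (the `lxc` check that follows this block already treats the conntrack sysctl paths as something that may not be writable or present in containers), so re-check the file after the modprobe and only print the success line when it exists, otherwise fall through to the failure message. Two smaller points: when `/sbin/modprobe` exists but fails, the `||` fallback runs `modprobe` from PATH a second time and prints the same error twice, so a single `modprobe nf_conntrack` (or a `command -v modprobe` lookup) would be cleaner; and since the failure branch only echoes and the script continues, consider whether the wrapper should exit non-zero here rather than let the ProxyServer crash later with a less obvious error, as the commit message describes.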

0 comments on commit 9e45755