From d5ed4d4ff8e4015ec0a215008af9fa3b1b761ca6 Mon Sep 17 00:00:00 2001 From: Nashwan Azhari Date: Wed, 16 Oct 2024 19:45:06 +0300 Subject: [PATCH] fix: ensure nf_conntrack module loaded for kubelite. This patch ensures that the `nf_conntrack` kernel module is loaded before `kubelite` is started as the ProxyServer needs to read some conntrack module-related params from procfs. Previously, although it would always crash if the module wasn't loaded, this wasn't that common of an occurrence in practice as there are quite a few ways `nf_conntrack` gets loaded transparently: * Cilium [automatically loads `iptable_nat`](https://github.com/cilium/cilium/blob/63cd391f93b4e2c865268241d384504348672042/pkg/datapath/iptables/iptables.go#L367-L368) after a small startup delay, whose dependency tree includes `nf_conntrack` * starting firewalld/ufw/most other firewall services * setting iptables/nftables rules which imply session tracking By explicitly loading `nf_conntrack` before starting `kubelite`, it should ensure the procfs values the ProxyServer reads are always present on startup. Signed-off-by: Nashwan Azhari --- microk8s-resources/wrappers/run-kubelite-with-args | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/microk8s-resources/wrappers/run-kubelite-with-args b/microk8s-resources/wrappers/run-kubelite-with-args index c13e4d4d5d..9983d46cf0 100755 --- a/microk8s-resources/wrappers/run-kubelite-with-args +++ b/microk8s-resources/wrappers/run-kubelite-with-args 
@@ -204,6 +204,19 @@ then fi fi +# kube-proxy reads some values related to the 'nf_conntrack' kernel +# module from procfs on startup, so we must ensure it is loaded: +if ! [ -f /proc/sys/net/netfilter/nf_conntrack_max ] +then + if /sbin/modprobe nf_conntrack || modprobe nf_conntrack + then + echo "Successfully loaded nf_conntrack module." + else + echo -n "Failed to load nf_conntrack kernel module. " + echo "ProxyServer will fail to start until it's loaded." + fi +fi + # on lxc containers do not try to change the conntrack configuration # see https://github.com/canonical/microk8s/issues/1438 if grep -E lxc /proc/1/environ &&
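Review bot: the failure branch at the end of the new block only prints a message and falls through, so when `modprobe nf_conntrack` fails (a container that is not allowed to load modules, such as the lxc case handled just below, or a host that lacks the module) the wrapper still goes on to start kubelite, and the diagnostic goes to stdout rather than stderr. Since the commit message states the ProxyServer crashes in that state, either redirect the two echoes to stderr (`echo "ProxyServer will fail to start until it's loaded." >&2`) and say in the comment that continuing is deliberate, or exit non-zero here so the problem is reported once by the wrapper instead of as a later ProxyServer crash. Minor: `/sbin/modprobe nf_conntrack || modprobe nf_conntrack` will normally resolve to the same binary, so a real failure is attempted and logged twice; resolving the tool once (for example via `command -v modprobe`) avoids the duplicate error output.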