Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Backport 1.28-strict] fix: ensure nf_conntrack module loaded for kubelite. #4733

Merged
merged 1 commit into from
Oct 29, 2024

Conversation

aznashwan
Copy link
Contributor

This patch ensures that the nf_conntrack kernel module is loaded before kubelite is started as the ProxyServer needs to read some conntrack module-related params from procfs.

Previously, although the it would always crashed if the module wasn't loaded, this wasn't that common of an occurrence in practice as there are quite a few ways nf_conntrack gets loaded transparently:

  • Cilium automatically loads iptable_nat after a small startup delay, whose dependency tree includes nf_conntrack
  • starting firewalld/ufw/most other firewall services
  • setting iptables/nftables rules which imply session tracking

By explicitly loading nf_conntrack before starting kubelite, it should ensure the procfs values ther ProxyServer reads are always present on startup.

Summary

Changes

Testing

Possible Regressions

Checklist

  • Read the contributions page.
  • Submitted the CLA form, if you are a first time contributor.
  • The introduced changes are covered by unit and/or integration tests.

Notes

This patch ensures that the `nf_conntrack` kernel module is loaded
before `kubelite` is started as the ProxyServer needs to read some
conntrack module-related params from procfs.

Previously, although the it would always crashed if the module wasn't
loaded, this wasn't that common of an occurrence in practice as there
are quite a few ways `nf_conntrack` gets loaded transparently:
* Cilium [automatically loads `iptable_nat`](https://github.com/cilium/cilium/blob/63cd391f93b4e2c865268241d384504348672042/pkg/datapath/iptables/iptables.go#L367-L368)
after a small startup delay, whose dependency tree includes `nf_conntrack`
* starting firewalld/ufw/most other firewall services
* setting iptables/nftables rules which imply session tracking

By explicitly loading `nf_conntrack` before starting `kubelite`,
it should ensure the procfs values ther ProxyServer reads are
always present on startup.

Signed-off-by: Nashwan Azhari <[email protected]>
Copy link
Contributor

@bschimke95 bschimke95 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@bschimke95 bschimke95 merged commit 0eac105 into canonical:1.28-strict Oct 29, 2024
9 of 10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants