From e231789901359228308199738d69e0d20cd372f4 Mon Sep 17 00:00:00 2001
From: Nashwan Azhari
Date: Tue, 29 Oct 2024 19:34:37 +0200
Subject: [PATCH] fix: ensure nf_conntrack module loaded for kubelite. (#4732)

This patch ensures that the `nf_conntrack` kernel module is loaded before `kubelite` is started, as the ProxyServer needs to read some conntrack module-related params from procfs.

Previously, although it would always crash if the module wasn't loaded, this wasn't that common of an occurrence in practice, as there are quite a few ways `nf_conntrack` gets loaded transparently:

* Cilium [automatically loads `iptable_nat`](https://github.com/cilium/cilium/blob/63cd391f93b4e2c865268241d384504348672042/pkg/datapath/iptables/iptables.go#L367-L368) after a small startup delay, whose dependency tree includes `nf_conntrack`
* starting firewalld/ufw/most other firewall services
* setting iptables/nftables rules which imply session tracking

By explicitly loading `nf_conntrack` before starting `kubelite`, it should ensure the procfs values the ProxyServer reads are always present on startup.

Signed-off-by: Nashwan Azhari
---
 microk8s-resources/wrappers/run-kubelite-with-args | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/microk8s-resources/wrappers/run-kubelite-with-args b/microk8s-resources/wrappers/run-kubelite-with-args
index 08a5ee472e..167bc8e62e 100755
--- a/microk8s-resources/wrappers/run-kubelite-with-args
+++ b/microk8s-resources/wrappers/run-kubelite-with-args
@@ -212,6 +212,19 @@ then fi fi +# kube-proxy reads some values related to the 'nf_conntrack' kernel +# module from procfs on startup, so we must ensure it is loaded: +if ! [ -f /proc/sys/net/netfilter/nf_conntrack_max ] +then + if /sbin/modprobe nf_conntrack || modprobe nf_conntrack + then + echo "Successfully loaded nf_conntrack module." + else + echo -n "Failed to load nf_conntrack kernel module. " + echo "ProxyServer will fail to start until it's loaded." + fi +fi + # on lxc containers do not try to change the conntrack configuration # see https://github.com/canonical/microk8s/issues/1438 if grep -E lxc /proc/1/environ &&
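Review bot: The new `modprobe` block runs before the LXC guard that immediately follows it (`# on lxc containers do not try to change the conntrack configuration` / `if grep -E lxc /proc/1/environ &&`), so inside an LXC container, where module loading is normally not permitted from within the container, every kubelite start will print "Failed to load nf_conntrack kernel module. ProxyServer will fail to start until it's loaded." even when the host already has the module loaded and the `-f /proc/sys/net/netfilter/nf_conntrack_max` test would have passed. Consider moving the probe under the same LXC check, or only attempting it when not in a container. Separately, `if /sbin/modprobe nf_conntrack || modprobe nf_conntrack` invokes modprobe twice on a genuine failure (the first call's stderr is not suppressed, so the user sees two error lines for one problem); picking one invocation, e.g. `command -v modprobe` resolved once, or suppressing the first attempt's stderr, would make the failure output cleaner. Finally, the failure branch only warns and lets kubelite start anyway; since the commit message says the ProxyServer crashes without the module, a non-zero exit here (or at least a note in the comment explaining why startup continues) would make the failure mode explicit rather than leaving it to a later crash.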