Allow kube-proxy to change nf_conntrack_max on lxc (#2777) (#2908)

* Allow kube-proxy to change nf_conntrack_max on lxc * If you detect we are on lxc do not try set any conntrack params Co-authored-by: Konstantinos Tsakalozos <kos.tsakalozos@canonical.com>
canonical · Feb 9, 2022 · 82e2f88 · 82e2f88
1 parent 90ee933
commit 82e2f88
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 1 deletion.
diff --git a/microk8s-resources/wrappers/run-kubelite-with-args b/microk8s-resources/wrappers/run-kubelite-with-args
@@ -155,6 +155,14 @@ then
   fi
 fi
 
+# on lxc containers do not try to change the conntrack configuration
+# see https://github.com/ubuntu/microk8s/issues/1438
+if grep -E lxc /proc/1/environ &&
+  ! grep -E "conntrack-max-per-core" $SNAP_DATA/args/kube-proxy
+then
+  refresh_opt_in_local_config "conntrack-max-per-core" "0" kube-proxy
+fi
+
 if ! [ -f /proc/sys/net/bridge/bridge-nf-call-iptables ]
 then
   if ! modprobe br_netfilter

diff --git a/tests/lxc/microk8s-zfs.profile b/tests/lxc/microk8s-zfs.profile
@@ -31,4 +31,7 @@ devices:
     path: /sys/fs/bpf
     source: /sys/fs/bpf
     type: disk
-
+  aadisable5:
+    path: /proc/sys/net/netfilter/nf_conntrack_max
+    source: /proc/sys/net/netfilter/nf_conntrack_max
+    type: disk
diff --git a/tests/lxc/microk8s.profile b/tests/lxc/microk8s.profile
@@ -27,3 +27,7 @@ devices:
     path: /sys/fs/bpf
     source: /sys/fs/bpf
     type: disk
+  aadisable4:
+    path: /proc/sys/net/netfilter/nf_conntrack_max
+    source: /proc/sys/net/netfilter/nf_conntrack_max
+    type: disk