mirror of https://github.com/k3s-io/k3s
Merge pull request #44919 from kinvolk/robertgzr/kubeproxy-check-conntrack-before-write
Automatic merge from submit-queue [WIP] Skip resize of nf_conntrack/parameters/hashsize if not necessary **What this PR does / why we need it**: Linux does not support writing to `/sys/module/nf_conntrack/parameters/hashsize` when the writer process is not in the initial network namespace (https://github.com/torvalds/linux/blob/v4.10/net/netfilter/nf_conntrack_core.c#L1795-L1796). Usually that's fine. But in some configurations such as with https://github.com/kinvolk/kubeadm-nspawn, kube-proxy is in another netns. Therefore, check if writing in hashsize is necessary and skip the writing if not. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: **Release note**: ```release-note ```pull/6/head
Kubernetes Submit Queue
GitHub
commit
10704b2ae1
|
|
@ -20,6 +20,7 @@ import (
|
|||
"errors"
|
||||
"io/ioutil"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"github.com/golang/glog"
|
||||
|
||||
|
|
@ -48,6 +49,22 @@ func (rct realConntracker) SetMax(max int) error {
|
|||
if err := rct.setIntSysCtl("nf_conntrack_max", max); err != nil {
|
||||
return err
|
||||
}
|
||||
glog.Infof("Setting nf_conntrack_max to %d", max)
|
||||
|
||||
// Linux does not support writing to /sys/module/nf_conntrack/parameters/hashsize
|
||||
// when the writer process is not in the initial network namespace
|
||||
// (https://github.com/torvalds/linux/blob/v4.10/net/netfilter/nf_conntrack_core.c#L1795-L1796).
|
||||
// Usually that's fine. But in some configurations such as with github.com/kinvolk/kubeadm-nspawn,
|
||||
// kube-proxy is in another netns.
|
||||
// Therefore, check if writing in hashsize is necessary and skip the writing if not.
|
||||
hashsize, err := readIntStringFile("/sys/module/nf_conntrack/parameters/hashsize")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if hashsize >= (max / 4) {
|
||||
return nil
|
||||
}
|
||||
|
||||
// sysfs is expected to be mounted as 'rw'. However, it may be
|
||||
// unexpectedly mounted as 'ro' by docker because of a known docker
|
||||
// issue (https://github.com/docker/docker/issues/24000). Setting
|
||||
|
|
@ -112,6 +129,14 @@ func isSysFSWritable() (bool, error) {
|
|||
return false, errors.New("No sysfs mounted")
|
||||
}
|
||||
|
||||
func readIntStringFile(filename string) (int, error) {
|
||||
b, err := ioutil.ReadFile(filename)
|
||||
if err != nil {
|
||||
return -1, err
|
||||
}
|
||||
return strconv.Atoi(strings.TrimSpace(string(b)))
|
||||
}
|
||||
|
||||
func writeIntStringFile(filename string, value int) error {
|
||||
return ioutil.WriteFile(filename, []byte(strconv.Itoa(value)), 0640)
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue