[Backport 1.29] fix: ensure nf_conntrack module loaded for kubelite.#4726
Merged
bschimke95 merged 1 commit intocanonical:1.29from Oct 29, 2024
Merged
[Backport 1.29] fix: ensure nf_conntrack module loaded for kubelite.#4726bschimke95 merged 1 commit intocanonical:1.29from
bschimke95 merged 1 commit intocanonical:1.29from
Conversation
This patch ensures that the `nf_conntrack` kernel module is loaded before `kubelite` is started as the ProxyServer needs to read some conntrack module-related params from procfs. Previously, although the it would always crashed if the module wasn't loaded, this wasn't that common of an occurrence in practice as there are quite a few ways `nf_conntrack` gets loaded transparently: * Cilium [automatically loads `iptable_nat`](https://github.com/cilium/cilium/blob/63cd391f93b4e2c865268241d384504348672042/pkg/datapath/iptables/iptables.go#L367-L368) after a small startup delay, whose dependency tree includes `nf_conntrack` * starting firewalld/ufw/most other firewall services * setting iptables/nftables rules which imply session tracking By explicitly loading `nf_conntrack` before starting `kubelite`, it should ensure the procfs values ther ProxyServer reads are always present on startup. Signed-off-by: Nashwan Azhari <nazhari@cloudbasesolutions.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This patch ensures that the
nf_conntrackkernel module is loaded beforekubeliteis started as the ProxyServer needs to read some conntrack module-related params from procfs.Previously, although the it would always crashed if the module wasn't loaded, this wasn't that common of an occurrence in practice as there are quite a few ways
nf_conntrackgets loaded transparently:iptable_natafter a small startup delay, whose dependency tree includesnf_conntrackBy explicitly loading
nf_conntrackbefore startingkubelite, it should ensure the procfs values ther ProxyServer reads are always present on startup.Summary
Changes
Testing
Possible Regressions
Checklist
Notes