Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

don't set conntrack parameters in kube-proxy #2241

Merged
merged 1 commit into from
May 12, 2021
Merged

don't set conntrack parameters in kube-proxy #2241

merged 1 commit into from
May 12, 2021

Conversation

aojea
Copy link
Contributor

@aojea aojea commented May 11, 2021

It seems the kernel doesn't allow to set some conntrack fields
from non-init netns:

netfilter: conntrack: Make global sysctls readonly in non-init netns
torvalds/linux@671c54e

By default kube-proxy tries to set them, hence failing and the pods
crashlooping.

We can configure kube-proxy to net try to set these values in kubeadm.

Fixes: #2240

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label May 11, 2021
@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 11, 2021
@aojea
Copy link
Contributor Author

aojea commented May 11, 2021

/assign @BenTheElder

@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label May 11, 2021
@aojea
Copy link
Contributor Author

aojea commented May 11, 2021

/hold
the 3 jobs fail the conntrack test

May 11 20:33:40.355: no valid conntrack entry for port 11302 on node 172.18.0.3: wrong TCP CLOSE_WAIT timeout: 48 expected: 3600

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 11, 2021
@ghost ghost mentioned this pull request May 12, 2021
Closed
@aojea
don't set conntrack parameters in kube-proxy
a66e833 
It seems the kernel doesn't allow to set some conntrack fields
from non-init netns because they are global, so setting it in a
namespaces leaks it to other namespace:

netfilter: conntrack: Make global sysctls readonly in non-init netns
torvalds/linux@671c54e

By default kube-proxy tries to set nf_conntrack_max, that is readonly,
hence failing and the kproxy pods fail to start crashlooping.
@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels May 12, 2021
@aojea
Copy link
Contributor Author

aojea commented May 12, 2021

/hold cancel
it seems that only nf_conntrack_max is global, we can set the tcp close wait

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 12, 2021
@aojea
Copy link
Contributor Author

aojea commented May 12, 2021

/assign @BenTheElder

@BenTheElder
Copy link
Member

/lgtm
/approve
thank you!

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 12, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aojea, BenTheElder

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 515fb3a into kubernetes-sigs:main May 12, 2021
@prezha prezha mentioned this pull request May 15, 2021
Merged
@kpango kpango mentioned this pull request May 16, 2021
Closed
@randomvariable randomvariable mentioned this pull request Jun 2, 2021
Closed
bk201 added a commit to bk201/harvester that referenced this pull request Jun 7, 2021
@bk201
Bump kind to 0.11.1
416e78f 
Skip setting `net.netfilter.nf_conntrack_max` sysctl parameter.
Setting this parameter causes Kind cluster initialization failure
on newer kernels.

Please see kubernetes-sigs/kind#2241 for more
information.

Signed-off-by: Kiefer Chang <kiefer.chang@suse.com>
@bk201 bk201 mentioned this pull request Jun 7, 2021
Merged
bk201 added a commit to bk201/harvester that referenced this pull request Jun 7, 2021
@bk201
Bump kind to 0.11.1
90d99bc 
Skip setting `net.netfilter.nf_conntrack_max` sysctl parameter.
Setting this parameter causes Kind cluster initialization failure
on newer kernels.

Please see kubernetes-sigs/kind#2241 for more
information.

Signed-off-by: Kiefer Chang <kiefer.chang@suse.com>
gitlawr pushed a commit to harvester/harvester that referenced this pull request Jun 7, 2021
@bk201 @gitlawr
Bump kind to 0.11.1
8cfc827 
Skip setting `net.netfilter.nf_conntrack_max` sysctl parameter.
Setting this parameter causes Kind cluster initialization failure
on newer kernels.

Please see kubernetes-sigs/kind#2241 for more
information.

Signed-off-by: Kiefer Chang <kiefer.chang@suse.com>
@Napsty Napsty mentioned this pull request Jun 24, 2021
Closed
@stmcginnis stmcginnis mentioned this pull request Jun 29, 2021
Closed
@KanShiori KanShiori mentioned this pull request Jul 8, 2021
Merged
10 tasks
This was referenced Jul 8, 2021
Merged
Merged
nelljerram pushed a commit to projectcalico/node that referenced this pull request Jul 27, 2021
Tell kube-proxy not to try to set nf_conntrack_max
ca218f9 
For kube-proxy not becoming ready, like this:

    semaphore@semaphore-vm:~$ kubectl logs kube-proxy-42v55 -n kube-system
    I0727 19:55:26.230888       1 node.go:135] Successfully retrieved node IP: 172.17.0.2
    I0727 19:55:26.230923       1 server_others.go:172] Using ipvs Proxier.
    I0727 19:55:26.230930       1 server_others.go:174] creating dualStackProxier for ipvs.
    W0727 19:55:26.232364       1 proxier.go:420] IPVS scheduler not specified, use rr by default
    W0727 19:55:26.232522       1 proxier.go:420] IPVS scheduler not specified, use rr by default
    W0727 19:55:26.232538       1 ipset.go:107] ipset name truncated; [KUBE-6-LOAD-BALANCER-SOURCE-CIDR] -> [KUBE-6-LOAD-BALANCER-SOURCE-CID]
    W0727 19:55:26.232546       1 ipset.go:107] ipset name truncated; [KUBE-6-NODE-PORT-LOCAL-SCTP-HASH] -> [KUBE-6-NODE-PORT-LOCAL-SCTP-HAS]
    I0727 19:55:26.232648       1 server.go:571] Version: v1.17.0
    I0727 19:55:26.232963       1 conntrack.go:100] Set sysctl 'net/netfilter/nf_conntrack_max' to 131072
    F0727 19:55:26.232982       1 server.go:485] open /proc/sys/net/netfilter/nf_conntrack_max: permission denied

See kubernetes-sigs/kind#2240 and
kubernetes-sigs/kind#2241.
@brandond brandond mentioned this pull request Jul 30, 2021
Merged
Brian-McM pushed a commit to projectcalico/node that referenced this pull request Aug 5, 2021
@Brian-McM
Tell kube-proxy not to try to set nf_conntrack_max
c94916a 
For kube-proxy not becoming ready, like this:

    semaphore@semaphore-vm:~$ kubectl logs kube-proxy-42v55 -n kube-system
    I0727 19:55:26.230888       1 node.go:135] Successfully retrieved node IP: 172.17.0.2
    I0727 19:55:26.230923       1 server_others.go:172] Using ipvs Proxier.
    I0727 19:55:26.230930       1 server_others.go:174] creating dualStackProxier for ipvs.
    W0727 19:55:26.232364       1 proxier.go:420] IPVS scheduler not specified, use rr by default
    W0727 19:55:26.232522       1 proxier.go:420] IPVS scheduler not specified, use rr by default
    W0727 19:55:26.232538       1 ipset.go:107] ipset name truncated; [KUBE-6-LOAD-BALANCER-SOURCE-CIDR] -> [KUBE-6-LOAD-BALANCER-SOURCE-CID]
    W0727 19:55:26.232546       1 ipset.go:107] ipset name truncated; [KUBE-6-NODE-PORT-LOCAL-SCTP-HASH] -> [KUBE-6-NODE-PORT-LOCAL-SCTP-HAS]
    I0727 19:55:26.232648       1 server.go:571] Version: v1.17.0
    I0727 19:55:26.232963       1 conntrack.go:100] Set sysctl 'net/netfilter/nf_conntrack_max' to 131072
    F0727 19:55:26.232982       1 server.go:485] open /proc/sys/net/netfilter/nf_conntrack_max: permission denied

See kubernetes-sigs/kind#2240 and
kubernetes-sigs/kind#2241.
@SataQiu SataQiu mentioned this pull request Mar 27, 2022
Merged
@ernado ernado mentioned this pull request Dec 26, 2023
Closed
16 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@amwat amwat Awaiting requested review from amwat

@munnerz munnerz Awaiting requested review from munnerz

Assignees

@BenTheElder BenTheElder

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CrashLoopBackOff Error in kube-proxy with kernel versions 5.12.2.arch1-1 and 5.10.35-1-lts
3 participants
@aojea @BenTheElder @k8s-ci-robot