don't set conntrack parameters in kube-proxy #2241
Conversation
/assign @BenTheElder
/hold
It seems the kernel doesn't allow setting some conntrack fields from a non-init netns because they are global, so setting it in a namespace leaks it to other namespaces: netfilter: conntrack: Make global sysctls readonly in non-init netns (torvalds/linux@671c54e). By default kube-proxy tries to set nf_conntrack_max, which is readonly, hence failing, and the kproxy pods fail to start, crashlooping.
/hold cancel
/assign @BenTheElder
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: aojea, BenTheElder. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Skip setting `net.netfilter.nf_conntrack_max` sysctl parameter. Setting this parameter causes Kind cluster initialization failure on newer kernels. Please see kubernetes-sigs/kind#2241 for more information. Signed-off-by: Kiefer Chang <kiefer.chang@suse.com>
For kube-proxy not becoming ready, like this:

```
semaphore@semaphore-vm:~$ kubectl logs kube-proxy-42v55 -n kube-system
I0727 19:55:26.230888 1 node.go:135] Successfully retrieved node IP: 172.17.0.2
I0727 19:55:26.230923 1 server_others.go:172] Using ipvs Proxier.
I0727 19:55:26.230930 1 server_others.go:174] creating dualStackProxier for ipvs.
W0727 19:55:26.232364 1 proxier.go:420] IPVS scheduler not specified, use rr by default
W0727 19:55:26.232522 1 proxier.go:420] IPVS scheduler not specified, use rr by default
W0727 19:55:26.232538 1 ipset.go:107] ipset name truncated; [KUBE-6-LOAD-BALANCER-SOURCE-CIDR] -> [KUBE-6-LOAD-BALANCER-SOURCE-CID]
W0727 19:55:26.232546 1 ipset.go:107] ipset name truncated; [KUBE-6-NODE-PORT-LOCAL-SCTP-HASH] -> [KUBE-6-NODE-PORT-LOCAL-SCTP-HAS]
I0727 19:55:26.232648 1 server.go:571] Version: v1.17.0
I0727 19:55:26.232963 1 conntrack.go:100] Set sysctl 'net/netfilter/nf_conntrack_max' to 131072
F0727 19:55:26.232982 1 server.go:485] open /proc/sys/net/netfilter/nf_conntrack_max: permission denied
```

See kubernetes-sigs/kind#2240 and kubernetes-sigs/kind#2241.
It seems the kernel doesn't allow setting some conntrack fields
from a non-init netns:
netfilter: conntrack: Make global sysctls readonly in non-init netns
torvalds/linux@671c54e
By default kube-proxy tries to set them, hence failing and the pods
crashlooping.
We can configure kube-proxy to not try to set these values in kubeadm.
Fixes: #2240
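The failure discussed in this thread (a global conntrack sysctl that the kernel exposes read-only outside the init netns, and a component that aborts instead of skipping it) is easy to reproduce in a preflight check. The script below is an added example, not code from kind, kube-proxy or the kernel. It models the decision a proxy should make before writing `nf_conntrack_max`: skip when the operator opted out (the approach this PR takes through kubeadm), notice when the file is missing, detect the read-only mode the kernel sets in a non-init netns, and only then compare and write. The `SYSCTL_ROOT` variable and the function names `sysctl_path`, `conntrack_plan` and `apply_conntrack` are assumptions introduced here so the logic can be exercised against a scratch directory instead of the live `/proc/sys`.

```shell
#!/bin/sh
# Added example, not code from kind or kube-proxy. Models the check a proxy
# needs before touching a conntrack sysctl. On kernels carrying
# torvalds/linux@671c54e the global conntrack sysctls are exposed with mode
# 0444 in every network namespace except the init netns, so a blind write
# fails with "permission denied". SYSCTL_ROOT is an assumed knob so the
# functions can be pointed at a scratch tree for testing.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# sysctl_path KEY -> filesystem path of a dotted sysctl key
sysctl_path() {
    printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# conntrack_plan KEY DESIRED -> one word describing what should happen:
#   skip       DESIRED is 0: operator opted out, as this PR does via kubeadm
#   missing    the sysctl file does not exist (e.g. nf_conntrack not loaded)
#   readonly   owner write bit is clear: the kernel exposes this global
#              sysctl read-only because we are not in the init netns
#   unchanged  current value already equals DESIRED, nothing to write
#   write      it is safe to write DESIRED
conntrack_plan() {
    key=$1
    desired=$2
    if [ "$desired" = 0 ]; then
        echo skip
        return 0
    fi
    f=$(sysctl_path "$key")
    if [ ! -e "$f" ]; then
        echo missing
        return 0
    fi
    # Owner permission bits from ls -l: "rw-" in the init netns, "r--" in a
    # child netns on patched kernels. Mode bits are inspected rather than
    # [ -w ] because root's DAC override makes a regular 0444 scratch file
    # look writable, while the kernel enforces the sysctl mode even for root.
    owner_bits=$(ls -ld "$f" | cut -c2-4)
    case $owner_bits in
        *w*) ;;
        *) echo readonly; return 0 ;;
    esac
    current=$(cat "$f")
    if [ "$current" = "$desired" ]; then
        echo unchanged
    else
        echo write
    fi
}

# apply_conntrack KEY DESIRED -> writes only when the plan says "write" and
# reports the plan, so a read-only sysctl is skipped instead of aborting the
# process the way the kube-proxy log above shows.
apply_conntrack() {
    plan=$(conntrack_plan "$1" "$2")
    if [ "$plan" = write ]; then
        printf '%s\n' "$2" > "$(sysctl_path "$1")"
    fi
    echo "$plan"
}

# Stand-alone run: report what would happen for the value from the log above.
printf 'net.netfilter.nf_conntrack_max (131072): %s\n' \
    "$(conntrack_plan net.netfilter.nf_conntrack_max 131072)"
```

Run it inside a kind node container (`docker exec <node> sh preflight.sh`, with the script copied in) to see `readonly` on a patched kernel and `write` or `unchanged` on an older one. The opt-out path corresponds to what this PR configures: setting `conntrack.maxPerCore` to `0` in the `KubeProxyConfiguration` handed to kubeadm makes kube-proxy leave `nf_conntrack_max` untouched, which is the right default for a host whose conntrack limit is owned by the init namespace anyway.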