conntrack not found by lxc container with module enabled #13

Open
nwithers-ecr opened this issue Feb 12, 2022 · 0 comments

nwithers-ecr commented Feb 12, 2022

I'm following Kubernetes the hard way and made it all the way to configuring the worker nodes: https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/master/docs/09-bootstrapping-kubernetes-workers.md#start-the-worker-services
At this point, the kube-proxy service fails because

5286 server.go:489] open /proc/sys/net/netfilter/nf_conntrack_max: no such file or directory

which led me to your guide here.
I have added

config:
  linux.kernel_modules: xt_conntrack, nf_conntrack

to my worker node, and conntrack -L yields output.
On the host machine I can ls /proc/sys/net/netfilter/nf_conntrack_max and the file is there.

And yet the kube-proxy service still fails because it cannot find this file. Any advice?

edit: on the worker node this is the lsmod | grep conntrack output

root@worker-0:~# lsmod | grep conntrack
nf_conntrack_netlink    45056  0
nfnetlink              16384  10 nf_conntrack_netlink,nf_tables
xt_conntrack           16384  28
nf_conntrack          139264  5 xt_conntrack,nf_nat,xt_nat,nf_conntrack_netlink,xt_MASQUERADE
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack
libcrc32c              16384  2 nf_conntrack,nf_nat
x_tables               40960  24 ebtables,ip6table_filter,xt_conntrack,iptable_filter,xt_LOG,xt_multiport,xt_tcpudp,xt_addrtype,xt_CHECKSUM,xt_nat,ip6t_rt,xt_comment,ip6_tables,ipt_REJECT,ipt_rpfilter,iptable_raw,ip_tables,xt_limit,xt_hl,ip6table_mangle,xt_MASQUERADE,ip6t_REJECT,iptable_mangle,xt_mark

I've tried editing the systemd unit file for kube-proxy to include --conntrack-max-per-core=0, which, according to the kube-proxy binary, should disable setting the conntrack value,

root@worker-1:~# kube-proxy --help | grep conntrack
      --conntrack-max-per-core int32                 Maximum number of NAT connections to track per CPU core (0 to leave the limit as-is and ignore conntrack-min). (default 32768)
      --conntrack-min int32                          Minimum number of conntrack entries to allocate, regardless of conntrack-max-per-core (set conntrack-max-per-core=0 to leave the limit as-is). (default 131072)

but this setting seems to be ignored and it tried to write to the file anyway.
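An added diagnostic for the situation above, written for this page and not taken from the issue, the LXC guide, or kube-proxy itself: it repeats the check kube-proxy performs at startup (opening /proc/sys/net/netfilter/nf_conntrack_max) and separates "module not loaded" from "module loaded but the sysctl is not visible from this container's /proc". The ROOT argument, the exit codes and the --system flag are this script's own conventions; on a worker node run it as `sh check_conntrack.sh --system`.

```shell
#!/bin/sh
# Constructed diagnostic (not part of kube-proxy or the guide). Reads the
# same files kube-proxy and lsmod read, under an optional ROOT prefix so the
# check can also be exercised against a fake /proc tree.

# check_conntrack ROOT
#   0: nf_conntrack loaded and the sysctl is readable; prints its value
#   2: nf_conntrack is not listed in ROOT/proc/modules
#   3: module loaded, but ROOT/proc/sys/net/netfilter/nf_conntrack_max is
#      missing (what kube-proxy reports as "no such file or directory")
#   4: the sysctl exists but is not writable from here (read-only /proc/sys
#      mount); kube-proxy needs write access unless it honours
#      --conntrack-max-per-core=0
check_conntrack() {
    root="${1:-/}"
    root="${root%/}"                      # "/" -> "" so paths do not double the slash
    sysctl_path="$root/proc/sys/net/netfilter/nf_conntrack_max"
    modules="$root/proc/modules"

    # /proc/modules lists one module per line, name first, then a space
    if ! grep -q '^nf_conntrack ' "$modules" 2>/dev/null; then
        echo "nf_conntrack is not loaded (or $modules is unreadable)" >&2
        return 2
    fi
    if [ ! -e "$sysctl_path" ]; then
        echo "nf_conntrack is loaded, but $sysctl_path is not visible here" >&2
        return 3
    fi
    # Best-effort: -w uses access(2), which reports EROFS for a read-only mount
    if [ ! -w "$sysctl_path" ]; then
        echo "$sysctl_path exists but is read-only in this context" >&2
        return 4
    fi
    echo "nf_conntrack_max=$(cat "$sysctl_path")"
    return 0
}

# Inspect the real system only when asked explicitly
if [ "${1:-}" = "--system" ]; then
    check_conntrack /
fi
```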
