
conntrack not found by lxc container with module enabled #13

@nwithers-ecr


I'm following Kubernetes the hard way and made it all the way to configuring the worker nodes: https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/master/docs/09-bootstrapping-kubernetes-workers.md#start-the-worker-services
At this point, the kube-proxy service fails because

5286 server.go:489] open /proc/sys/net/netfilter/nf_conntrack_max: no such file or directory

which led me to your guide here.
I have added

config:
  linux.kernel_modules: xt_conntrack, nf_conntrack

to my worker node, and conntrack -L yields output.
On the host machine I can ls /proc/sys/net/netfilter/nf_conntrack_max and the file is there.

And yet the kube-proxy service still fails because it cannot find this file. Any advice?

edit: on the worker node this is the output of lsmod | grep conntrack

root@worker-0:~# lsmod | grep conntrack
nf_conntrack_netlink    45056  0
nfnetlink              16384  10 nf_conntrack_netlink,nf_tables
xt_conntrack           16384  28
nf_conntrack          139264  5 xt_conntrack,nf_nat,xt_nat,nf_conntrack_netlink,xt_MASQUERADE
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack
libcrc32c              16384  2 nf_conntrack,nf_nat
x_tables               40960  24 ebtables,ip6table_filter,xt_conntrack,iptable_filter,xt_LOG,xt_multiport,xt_tcpudp,xt_addrtype,xt_CHECKSUM,xt_nat,ip6t_rt,xt_comment,ip6_tables,ipt_REJECT,ipt_rpfilter,iptable_raw,ip_tables,xt_limit,xt_hl,ip6table_mangle,xt_MASQUERADE,ip6t_REJECT,iptable_mangle,xt_mark

I've tried editing the systemd unit file for kube-proxy to include --conntrack-max-per-core=0 which, according to the kube-proxy binary, should disable setting the conntrack value,

root@worker-1:~# kube-proxy --help | grep conntrack
      --conntrack-max-per-core int32                 Maximum number of NAT connections to track per CPU core (0 to leave the limit as-is and ignore conntrack-min). (default 32768)
      --conntrack-min int32                          Minimum number of conntrack entries to allocate, regardless of conntrack-max-per-core (set conntrack-max-per-core=0 to leave the limit as-is). (default 131072)

but this setting seems to be ignored and it tries to write to the file anyway.
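A small diagnostic script, added here as an example and not part of the issue or of any project, that reproduces the two checks the report above does by hand: whether the sysctl file kube-proxy opens is readable from the current namespace, and which conntrack modules the kernel lists as loaded. It takes an optional path prefix (an assumption used only to point the checks at a staged tree for testing); with no argument it inspects the real /proc.

```shell
#!/bin/sh
# Added diagnostic helper, not from the issue or any project. Checks, from
# inside a container or on the host, whether the sysctl that kube-proxy opens
# is visible and which conntrack modules the kernel has loaded. The optional
# PREFIX argument is a hypothetical staging path used for offline testing;
# with no argument the real /proc is inspected.

# check_conntrack_sysctl [PREFIX]
# Exit 0 and print the value when PREFIX/proc/sys/net/netfilter/nf_conntrack_max
# is readable; exit 1 otherwise, which is the condition kube-proxy reports as
# "no such file or directory".
check_conntrack_sysctl() {
  f="${1:-}/proc/sys/net/netfilter/nf_conntrack_max"
  if [ -r "$f" ]; then
    printf 'nf_conntrack_max = %s (%s)\n' "$(cat "$f")" "$f"
    return 0
  fi
  printf 'MISSING: %s\n' "$f" >&2
  return 1
}

# list_conntrack_modules [MODULES_FILE]
# Print the name of every loaded module whose name contains "conntrack",
# reading the /proc/modules format (name size refcount deps ...).
list_conntrack_modules() {
  mods="${1:-/proc/modules}"
  [ -r "$mods" ] || { printf 'cannot read %s\n' "$mods" >&2; return 1; }
  awk '$1 ~ /conntrack/ { print $1 }' "$mods"
}

# diagnose [PREFIX]
# Run both checks and name the outcome: sysctl visible (exit 0), modules loaded
# but sysctl not visible in this namespace, or neither present (exit 1).
diagnose() {
  prefix="${1:-}"
  mods_out=$(list_conntrack_modules "$prefix/proc/modules" 2>/dev/null) || mods_out=""
  if [ -n "$mods_out" ]; then
    echo "conntrack modules loaded:"
    echo "$mods_out" | sed 's/^/  /'
  else
    echo "no conntrack modules listed in ${prefix}/proc/modules"
  fi
  if check_conntrack_sysctl "$prefix"; then
    echo "sysctl visible: kube-proxy can open it from here"
    return 0
  fi
  if [ -n "$mods_out" ]; then
    echo "modules are loaded but the sysctl is not visible in this namespace"
  else
    echo "neither the modules nor the sysctl are visible from here"
  fi
  return 1
}

# Run against the real /proc when executed directly; set CONNTRACK_DIAG_NO_RUN
# to only define the functions (for sourcing).
[ -n "${CONNTRACK_DIAG_NO_RUN:-}" ] || diagnose || true
```

Running the script once on the host and once inside the worker container makes the distinction the report describes explicit: the module list comes from the shared kernel and is the same in both places, while the sysctl file is what can differ between the host and the container's view of /proc.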
