On 05/06/2024 at 20:41, Pablo Neira Ayuso wrote:
On Wed, Jun 05, 2024 at 11:09:31AM +0200, Nicolas Dichtel wrote:
On 05/06/2024 at 10:55, Florian Westphal wrote:
Nicolas Dichtel <nicolas.dichtel@6wind.com> wrote:
Since the below commit, there are regressions for legacy setups:
1/ conntracks are created while there is no listener
2/ a listener starts and dumps all conntracks to get the current state
3/ conntracks deleted before the listener has started are not advertised
This is problematic in containers, where conntracks could be created early. This sysctl is part of the unsafe sysctls and cannot be changed easily in some environments.
Let's switch back to the legacy behavior.
:-(
Would it be possible to resolve this for containers by setting the container default to 1 if init_net had it changed to 1 at netns creation time?
When we have access to the host, it is possible to allow the configuration of this (unsafe) sysctl for the pod. But there are cases where we don't have access to the host.
https://docs.openshift.com/container-platform/4.9/nodes/containers/nodes-con...
conntrack is enabled on demand by the ruleset these days; could such a monitor process be created _before_ the ruleset is loaded?
It's not so easy :) There are several modules in the system.
I understand it's "sad" to keep nf_conntrack_events=1, but this change breaks backward compatibility. A container migrated to a host with a recent kernel is broken. Usually, in the networking stack, sysctls are added to keep the legacy behavior and enable new systems to use "modern" features. There are a lot of examples :)