fix: ensure nf_conntrack module loaded for kube-proxy.

This patch ensures that the `nf_conntrack` kernel module is loaded before the `kube-proxy` service is started so it can read some necessary conntrack module-related params from procfs. Previously, although the `kube-proxy` service always crashed if the module wasn't loaded, this wasn't that common of an occurrence in practice as there are quite a few ways `nf_conntrack` gets loaded transparently: * Cilium [automatically loads `iptable_nat`](https://github.com/cilium/cilium/blob/63cd391f93b4e2c865268241d384504348672042/pkg/datapath/iptables/iptables.go#L367-L368) after a small startup delay, whose dependency tree includes `nf_conntrack` * starting firewalld/ufw/most other firewall services * setting iptables/nftables rules which imply session tracking By explicitly loading `nf_conntrack` from the `kube-proxy` service wrapper directly, it should ensure the procfs values kube-proxy reads are always present on startup. Signed-off-by: Nashwan Azhari <[email protected]>
canonical · Oct 16, 2024 · a75d972 · a75d972
1 parent c618f09
commit a75d972
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 1 deletion.
diff --git a/build-scripts/patches/strict/0001-Strict-patch.patch b/build-scripts/patches/strict/0001-Strict-patch.patch
@@ -257,6 +257,15 @@ index 54b5fc0b..01631684 100644
 +      load: "on-boot"
 +    - name: xt_socket
 +      load: "on-boot"
++  # Kube-proxy reads some values related to the nf_conntrack module
++  # from procfs on startup, so we must ensure it's loaded.
++  # Note that the 'iptable_nat' module which is automatically loaded
++  # by Cilium would load 'nf_conntrack' as a dependency anyway,
++  # but we add a separate explicit entry for it for safety.
++  conntrack-module-load:
++    interface: kernel-module-load
++    - name: nf_conntrack
++      load: "on-boot"
 +
 +hooks:
 +  remove:

diff --git a/k8s/lib.sh b/k8s/lib.sh
@@ -177,3 +177,11 @@ k8s::kubelet::ensure_shared_root_dir() {
     mount -o remount --make-rshared "$SNAP_COMMON/var/lib/kubelet" /var/lib/kubelet
   fi
 }
+
+# Loads the kernel module names given as arguments
+# Example: 'k8s::util::load_kernel_modules mod1 mod2 mod3'
+k8s::util::load_kernel_modules() {
+  k8s::common::setup_env
+
+  modprobe $@
+}
diff --git a/k8s/wrappers/services/kube-proxy b/k8s/wrappers/services/kube-proxy
@@ -3,4 +3,10 @@
 . "$SNAP/k8s/lib.sh"
 
 k8s::util::wait_kube_apiserver
+
+# NOTE: kube-proxy reads some values related to the `nf_conntrack`
+# module from procfs on startup, so we must ensure it's loaded:
+# https://github.com/canonical/k8s-snap/issues/626
+k8s::util::load_kernel_modules nf_conntrack
+
 k8s::common::execute_service kube-proxy
diff --git a/tests/integration/lxd-profile.yaml b/tests/integration/lxd-profile.yaml
@@ -1,6 +1,6 @@
 description: "LXD profile for Canonical Kubernetes"
 config:
-  linux.kernel_modules: ip_vs,ip_vs_rr,ip_vs_wrr,ip_vs_sh,ip_tables,ip6_tables,iptable_raw,netlink_diag,nf_nat,overlay,br_netfilter,xt_socket
+  linux.kernel_modules: ip_vs,ip_vs_rr,ip_vs_wrr,ip_vs_sh,ip_tables,ip6_tables,iptable_raw,netlink_diag,nf_nat,overlay,br_netfilter,xt_socket,nf_conntrack
   raw.lxc: |
     lxc.apparmor.profile=unconfined
     lxc.mount.auto=proc:rw sys:rw cgroup:rw