fix: ensure nf_conntrack module loaded for kubelite. #4705
Merged
Summary

This patch ensures that the `nf_conntrack` kernel module is loaded before `kubelite` is started, as the ProxyServer needs to read some conntrack module-related params from procfs.

Closes #4462

Changes

By explicitly loading `nf_conntrack` before starting `kubelite`, it should ensure the procfs values that the ProxyServer reads are always present on startup.

Previously, although it would always crash if the module wasn't loaded, this wasn't that common of an occurrence in practice as there are quite a few ways `nf_conntrack` gets loaded transparently:

- `iptable_nat` after a small startup delay, whose dependency tree includes `nf_conntrack`

Testing

I've written a trivial eBPF probe to monitor whenever a process loads a kernel module, and validated that:

- `nf_conntrack` module: the `run-kubelite-with-args` script would load it itself
- Deployment worked as expected

Possible Regressions

Only the minute risk that the `nf_conntrack` module (which is very widely distributed and used) might not be installed on the host system.

Checklist

*** It's technically implicitly covered since the LXD profile used for integration tests includes `nf_nat`, which depends on `nf_conntrack` and thus causes it to be loaded, but there is no "negative test" where we intentionally deny its loading.
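A preflight check of the kind this PR describes, written as an added example rather than code from the PR or the microk8s project: it confirms `nf_conntrack` is listed in `/proc/modules`, loads it with `modprobe` if not, and then verifies that the conntrack sysctls the proxy reads are exposed in procfs. The two sysctl names (`nf_conntrack_max`, `nf_conntrack_tcp_timeout_established`) are assumed here as representative of what kube-proxy reads; the file and directory arguments exist so the check can be exercised against constructed input instead of the live host.

```shell
#!/bin/sh
# Preflight check for kubelite (added example, not the project's own script):
# make sure nf_conntrack is loaded and its procfs sysctls are present before
# starting. Paths are parameterised so the logic can be tested offline.

# Return 0 if module $1 appears in a /proc/modules-style file ($2, default /proc/modules).
module_loaded() {
    mod="$1"
    modules_file="${2:-/proc/modules}"
    # A /proc/modules line looks like: "nf_conntrack 184320 2 nf_nat,xt_conntrack, Live 0x..."
    # The trailing space keeps "nf_conntrack" from matching "nf_conntrack_netlink".
    grep -q "^${mod} " "$modules_file"
}

# Return 0 if every conntrack sysctl we assume the proxy reads is readable in $1.
conntrack_sysctls_present() {
    sysctl_dir="${1:-/proc/sys/net/netfilter}"
    for key in nf_conntrack_max nf_conntrack_tcp_timeout_established; do
        [ -r "${sysctl_dir}/${key}" ] || return 1
    done
    return 0
}

# Load nf_conntrack if needed, then verify procfs is populated.
# Returns 0 on success, 1 if the module could not be loaded (e.g. not installed
# on the host), 2 if the module is loaded but the expected sysctls are missing.
ensure_nf_conntrack() {
    modules_file="${1:-/proc/modules}"
    sysctl_dir="${2:-/proc/sys/net/netfilter}"
    if ! module_loaded nf_conntrack "$modules_file"; then
        # modprobe resolves the dependency tree itself; failure is a hard error,
        # which is exactly the regression case the PR calls out.
        modprobe nf_conntrack 2>/dev/null || return 1
    fi
    conntrack_sysctls_present "$sysctl_dir" || return 2
    return 0
}

# Stand-alone use against the live host: ./ensure_nf_conntrack.sh --check
if [ "${1:-}" = "--check" ]; then
    if ensure_nf_conntrack; then
        echo "nf_conntrack ready"
    else
        echo "nf_conntrack not ready (rc=$?)"
        exit 1
    fi
fi
```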