Set net.netfilter.nf_conntrack_tcp_be_liberal=1
This is an attempt to fix an issue with sporadic connection resets that lead to 504
errors. The related upstream write-up: https://kubernetes.io/blog/2019/03/29/kube-proxy-subtleties-debugging-an-intermittent-connection-reset/
Related-Prod: PRODX-3551
Change-Id: I6d4773ad9b0e78eede7103342810f968623eae20
diff --git a/de/heat-templates/scripts/instance_boot.sh b/de/heat-templates/scripts/instance_boot.sh
index c53efdc..8bdc906 100644
--- a/de/heat-templates/scripts/instance_boot.sh
+++ b/de/heat-templates/scripts/instance_boot.sh
@@ -303,6 +303,15 @@
sysctl -p /etc/sysctl.d/99-disable-rp-filter.conf
}
+function configure_contrack {
+ cat << EOF > /etc/sysctl.d/100-contrackd.conf
+net.netfilter.nf_conntrack_log_invalid=255
+net.netfilter.nf_conntrack_tcp_be_liberal=1
+EOF
+
+ sysctl -p /etc/sysctl.d/100-contrackd.conf
+}
+
function network_config {
PUBLIC_NODE_IP_ADDRESS=${PUBLIC_INTERFACE_IP:-$(ip addr show dev ${PUBLIC_INTERFACE} | grep -Po 'inet \K[\d.]+' | egrep -v "127.0.|172.17")}
PUBLIC_NODE_IP_NETMASK=${PUBLIC_INTERFACE_NETMASK:-$(ip addr show dev ${PUBLIC_INTERFACE} | grep -Po 'inet \K[\d.]+\/[\d]+' | egrep -v "127.0.|172.17" | cut -d'/' -f2)}
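Review bot: `configure_contrack` turns on `nf_conntrack_tcp_be_liberal=1` host-wide without recording the trade-off: conntrack then stops classifying out-of-window TCP segments as INVALID (only out-of-window RSTs still are), so any firewall rule that drops `--ctstate INVALID` filters less on every role that calls this function. A comment above the heredoc such as `# be_liberal=1: out-of-window segments are no longer marked INVALID; avoids kube-proxy connection resets at the cost of weaker INVALID-state filtering` would document that. The second key deserves `# log_invalid=255: log invalid packets of every protocol (diagnostic, watch kernel log volume)`. Separately, `100-contrackd.conf` sorts before `99-disable-rp-filter.conf` in the lexical order used for sysctl.d at boot, so the `100-` prefix does not make it apply last. The name also spells conntrack as "contrack".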
@@ -397,6 +406,7 @@
wait_for_node
set_node_labels
collect_ceph_metadata
+ configure_contrack
;;
master)
prepare_metadata_files
@@ -414,6 +424,7 @@
wait_for_node
set_node_labels
collect_ceph_metadata
+ configure_contrack
;;
worker)
prepare_metadata_files
@@ -431,6 +442,7 @@
wait_for_node
set_node_labels
collect_ceph_metadata
+ configure_contrack
;;
spare)
prepare_metadata_files
@@ -443,6 +455,7 @@
install_docker
download_bundles
workaround_default_forward_policy
+ configure_contrack
;;
*)
echo "Usage: $0 {ucp|master|worker}"
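Review bot: In the `spare` branch `configure_contrack` runs without the `wait_for_node` step that precedes it in the other branches in view, so the `net.netfilter.nf_conntrack_*` keys exist at that point only if the nf_conntrack module is already loaded (presumably by Docker's iptables setup, which is not visible here). If it is not loaded, `sysctl -p` cannot find the keys and, as far as I can tell, returns non-zero, leaving the settings unapplied. Adding `modprobe nf_conntrack` as the first line of the function would make the call independent of ordering. The same dependency applies after a reboot, when sysctl.d may be processed before the module loads. The `case` statement starts and ends outside this hunk.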