[ironic][neutron] nf_conntrack_helper now disabled by default

Derek Higgins derekh at redhat.com
Mon Jan 7 16:24:13 UTC 2019

Hi All,

Shortly before the holidays CI jobs moved from xenial to bionic, for
Ironic this meant a bunch of failures[1], all have now been dealt with,
with the exception of the UEFI job. It turns out that during this job
our (virtual) baremetal nodes use tftp to download an ipxe image. In
order to track these tftp connections we have been making use of the
fact that nf_conntrack_helper has been enabled by default. In newer
kernel versions[2] this is no longer the case and I'm now trying to
figure out the best way to deal with the new behaviour. I've put
together some possible solutions along with some details on why they
are not ideal and would appreciate some opinions.

1. Why not enable the conntrack helper with
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper

The router namespace is still created with nf_conntrack_helper==0 as
it follows the default the nf_conntrack module was loaded with.

2. Enable it in modprobe.d
# cat /etc/modprobe.d/conntrack.conf
options nf_conntrack nf_conntrack_helper=1

This works but requires the nf_conntrack module to be unloaded if it
has already been loaded, for devstack and I guess in the majority of
cases (including CI nodes) this means a reboot stage or a potentially
error prone sequence of stopping the firewall and unloading
nf_conntrack modules.

This also globally turns on the helper on the host, reintroducing the
security concerns it comes with.

3. Enable the conntrack helper in the router network namespace when it
is created[3]
This works for ironic CI, but there may be better solutions that can
be worked within neutron that I'm not aware of. Of the 3 options above
this would be most transparent to other operators as the original
behaviour would be maintained.

Thoughts on any of the above? Or better solutions?

1 - https://storyboard.openstack.org/#!/story/2004604
2 - https://kernel.googlesource.com/pub/scm/linux/kernel/git/horms/ipvs-next/+/3bb398d925ec73e42b778cf823c8f4aecae359ea
3 - https://review.openstack.org/#/c/628493/1
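As an added illustration (not code from the post, Ironic or Neutron), a shell script that reads the helper flag from inside a router namespace, as in option 3, and then pins the tftp helper to UDP/69 in that namespace with an explicit CT rule in the raw table, so the host default of nf_conntrack_helper=0 can stay in place. The namespace name, the port and the proc path being passed as a parameter are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the post or from Ironic/Neutron. It checks
# the helper flag as seen inside a router namespace and pins the tftp
# helper to UDP/69 there with an explicit CT rule, so the global default
# of nf_conntrack_helper=0 can stay in place. Namespace name and port
# are assumptions for illustration.
set -eu

HELPER_PROC=/proc/sys/net/netfilter/nf_conntrack_helper

# Return 0 (true) when the flag in the given proc-style file reads "1".
# The path is a parameter so the check can be exercised on a copy.
helper_enabled() {
    [ "$(cat "$1" 2>/dev/null || echo 0)" = "1" ]
}

# Read the flag as the namespace sees it; it follows the module default
# at namespace creation time, not the host's current value.
helper_state_in_ns() {
    ip netns exec "$1" cat "$HELPER_PROC"
}

# Attach the tftp helper only to flows toward the tftp port inside the
# namespace; nf_conntrack_tftp must be loaded for the helper to exist.
pin_tftp_helper() {
    ns=$1
    port=${2:-69}
    modprobe nf_conntrack_tftp
    ip netns exec "$ns" iptables -t raw -A PREROUTING -p udp \
        --dport "$port" -j CT --helper tftp
}

main() {
    ns=${1:-qrouter-example}   # assumed namespace name
    if [ "$(id -u)" -ne 0 ] || [ ! -e "/var/run/netns/$ns" ]; then
        echo "skipping: needs root and an existing namespace '$ns'" >&2
        return 0
    fi
    echo "host helper flag: $(cat "$HELPER_PROC")"
    echo "$ns helper flag:  $(helper_state_in_ns "$ns")"
    pin_tftp_helper "$ns" 69
    ip netns exec "$ns" iptables -t raw -S PREROUTING
}

main "$@"
```

Run it as root with the router namespace name as the first argument; without root or without the namespace it only prints a skip message.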
