[ironic][neutron] nf_conntrack_helper now disabled by default
derekh at redhat.com
Mon Jan 7 17:53:40 UTC 2019
On Mon, 7 Jan 2019 at 17:08, Clark Boylan <cboylan at sapwetik.org> wrote:
> On Mon, Jan 7, 2019, at 8:48 AM, Julia Kreger wrote:
> > Thanks for bringing this up Derek!
> > Comments below.
> > On Mon, Jan 7, 2019 at 8:30 AM Derek Higgins <derekh at redhat.com> wrote:
> > >
> > > Hi All,
> > >
> > > Shortly before the holidays CI jobs moved from xenial to bionic, for
> > > Ironic this meant a bunch failures, all have now been dealt with,
> > > with the exception of the UEFI job. It turns out that during this job
> > > our (virtual) baremetal nodes use tftp to download a ipxe image. In
> > > order to track these tftp connections we have been making use of the
> > > fact that nf_conntrack_helper has been enabled by default. In newer
> > > kernel versions this is no longer the case and I'm now trying to
> > > figure out the best way to deal with the new behaviour. I've put
> > > together some possible solutions along with some details on why they
> > > are not ideal and would appreciate some opinions
> > The git commit message suggests that users should explicitly put in rules such
> > that the traffic is matched. I feel like the kernel change ends up
> > being a behavior
> > change in this case.
> > I think the reasonable path forward is to have a configuration
> > parameter that the
> > l3 agent can use to determine to set the netfilter connection tracker helper.
> > Doing so, allows us to raise this behavior change to operators minimizing the
> > need of them having to troubleshoot it in production, and gives them a choice
> > in the direction that they wish to take.
> https://home.regit.org/netfilter-en/secure-use-of-helpers/ seems to cover this. Basically you should explicitly enable specific helpers when you need them rather than relying on the auto helper rules.
Thanks, I forgot to point out the option of adding these rules, If I
understand it correctly they would need to be added inside the router
namespace when neutron creates it, somebody from neutron might be able
to indicate if this is a workable solution.
> Maybe even avoid the configuration option entirely if ironic and neutron can set the required helper for tftp when tftp is used?
> > [trim]
> [more trimming]
More information about the openstack-discuss