On Mon, 7 Jan 2019 at 17:08, Clark Boylan <cboylan@sapwetik.org> wrote:
On Mon, Jan 7, 2019, at 8:48 AM, Julia Kreger wrote:
Thanks for bringing this up, Derek! Comments below.
On Mon, Jan 7, 2019 at 8:30 AM Derek Higgins <derekh@redhat.com> wrote:
Hi All,
Shortly before the holidays CI jobs moved from xenial to bionic, for Ironic this meant a bunch of failures[1], all have now been dealt with, with the exception of the UEFI job. It turns out that during this job our (virtual) baremetal nodes use tftp to download an ipxe image. In order to track these tftp connections we have been making use of the fact that nf_conntrack_helper has been enabled by default. In newer kernel versions[2] this is no longer the case and I'm now trying to figure out the best way to deal with the new behaviour. I've put together some possible solutions along with some details on why they are not ideal and would appreciate some opinions.
The git commit message suggests that users should explicitly put in rules such that the traffic is matched. I feel like the kernel change ends up being a behavior change in this case.
I think the reasonable path forward is to have a configuration parameter that the l3 agent can use to determine to set the netfilter connection tracker helper.
Doing so allows us to raise this behavior change to operators, minimizing the need for them to troubleshoot it in production, and gives them a choice in the direction that they wish to take.
https://home.regit.org/netfilter-en/secure-use-of-helpers/ seems to cover this. Basically you should explicitly enable specific helpers when you need them rather than relying on the auto helper rules.
Thanks, I forgot to point out the option of adding these rules. If I understand it correctly they would need to be added inside the router namespace when neutron creates it; somebody from neutron might be able to indicate if this is a workable solution.
Maybe even avoid the configuration option entirely if ironic and neutron can set the required helper for tftp when tftp is used?
[trim]
[more trimming]
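As an added example (not code from the thread, Ironic or Neutron), the explicit-helper approach from the linked article expressed as a small shell script: it generates the iptables rules that attach the tftp conntrack helper only to UDP/69 flows on one interface inside a router namespace, and reports whether the legacy automatic helper assignment is still on. The namespace and interface names are assumptions, and the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example: explicit TFTP conntrack helper rules for a router
# namespace, instead of relying on automatic helper assignment.
set -eu

# Emit the commands instead of running them; applying them needs root
# inside the namespace (e.g. via the l3 agent), and printing lets the
# rule set be reviewed or diffed beforehand.
tftp_helper_rules() {
    ns="$1"     # router network namespace (hypothetical name)
    iface="$2"  # interface facing the baremetal nodes (hypothetical)
    # The raw table is evaluated before conntrack, so CT --helper binds the
    # tftp helper only to flows matched here (UDP to port 69 on $iface).
    # With automatic assignment every UDP/69 flow on any interface got the
    # helper, and the helper's pinholes with it.
    printf 'ip netns exec %s iptables -t raw -A PREROUTING -i %s -p udp --dport 69 -j CT --helper tftp\n' "$ns" "$iface"
    # Accept only the data flow the helper itself expected (RELATED state
    # tagged with the tftp helper), not arbitrary RELATED traffic.
    printf 'ip netns exec %s iptables -A FORWARD -m conntrack --ctstate RELATED -m helper --helper tftp -j ACCEPT\n' "$ns"
}

# The helper module must be loaded before the CT rule is inserted.
tftp_helper_module() {
    printf 'modprobe nf_conntrack_tftp\n'
}

# Report the legacy automatic-assignment toggle. On kernels where the
# sysctl is absent, explicit CT rules are the only way to get the helper.
helper_autoassign_status() {
    f=/proc/sys/net/netfilter/nf_conntrack_helper
    if [ -r "$f" ]; then
        case "$(cat "$f")" in
            1) echo "automatic helper assignment: on (legacy)";;
            *) echo "automatic helper assignment: off";;
        esac
    else
        echo "nf_conntrack_helper sysctl absent: explicit CT rules required"
    fi
}

# Usage: generate the rule set for one router namespace and interface.
tftp_helper_module
tftp_helper_rules qrouter-example qr-example0
helper_autoassign_status
```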