[CPDEV-50513] Add nf_conntrack_max and NetworkManager config recommen…

…ded for calico (#546) * Add nf_conntrack_max and NetworkManager config recommended for calico * add set_sysctl_variables patch * add set_sysctl_variables patch --------- Co-authored-by: oshift_cluster <[email protected]>
Netcracker · Nov 17, 2023 · aa8aec1 · aa8aec1
1 parent 6e34dfc
commit aa8aec1
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 0 deletions.
diff --git a/documentation/Installation.md b/documentation/Installation.md
@@ -209,6 +209,13 @@ The actual information about the supported versions can be found in `compatibili
 **Warning**: `Kubemarine` works only with `firewalld` as an IP firewall, and switches it off during the installation.
 If you have other solution, remove or switch off the IP firewall before the installation.
 
+* In case of NetworkManager usage at the control-plane and/or worker nodes, create the following configuration file at `/etc/NetworkManager/conf.d/calico.conf` to prevent NetworkManager from interfering with the interfaces being created by Calico:
+
+```conf
+[keyfile]
+unmanaged-devices=interface-name:cali*;interface-name:tunl*;interface-name:vxlan.calico;interface-name:vxlan-v6.calico
+```
+
 **Preinstalled software**
 
 * Installation of the following packages is highly recommended; however, Kubernetes can work without them, but may show warnings:
@@ -2522,6 +2529,7 @@ The `services.sysctl` section manages the Linux Kernel parameters for all hosts
 |net.bridge.bridge-nf-call-ip6tables|1|Presented only when IPv6 detected in node IP|
 |net.ipv6.conf.all.forwarding|1|Presented only when IPv6 detected in node IP|
 |net.ipv6.ip_nonlocal_bind|1|Presented only when IPv6 detected in node IP|
+|net.netfilter.nf_conntrack_max|1000000||
 |kernel.panic|10||
 |vm.overcommit_memory|1||
 |kernel.panic_on_oops|1||

diff --git a/kubemarine/patches/__init__.py b/kubemarine/patches/__init__.py
@@ -23,10 +23,12 @@
 
 from kubemarine.core.patch import Patch
 from kubemarine.patches.p0_bind_vrrp_ips_interfaces import FixVRRP_IPsInterfaces
+from kubemarine.patches.p1_set_sysctl_variables import SetSysctlVariables
 
 patches: List[Patch] = [
     # FixVRRP_IPsInterfaces should be the first RegularPatch.
     FixVRRP_IPsInterfaces(),
+    SetSysctlVariables(),
 ]
 """
 List of patches that is sorted according to the Patch.priority() before execution.

diff --git a/kubemarine/patches/p1_set_sysctl_variables.py b/kubemarine/patches/p1_set_sysctl_variables.py
@@ -0,0 +1,34 @@
+from textwrap import dedent
+
+from kubemarine.core.action import Action
+from kubemarine.core.patch import RegularPatch
+from kubemarine.core.resources import DynamicResources
+from kubemarine import sysctl
+
+class TheAction(Action):
+    def __init__(self) -> None:
+        super().__init__("Set sysctl variables")
+
+    def run(self, res: DynamicResources) -> None:
+        cluster = res.cluster()
+
+        node_group = cluster.make_group_from_roles(['all'])
+        node_group.call(sysctl.configure)
+        node_group.call(sysctl.reload)
+
+
+class SetSysctlVariables(RegularPatch):
+    def __init__(self) -> None:
+        super().__init__("set_sysctl_variables")
+
+    @property
+    def action(self) -> Action:
+        return TheAction()
+
+    @property
+    def description(self) -> str:
+        return dedent(
+            f"""\
+            This patch sets kernel variables with sysctl at the control-plane, worker nodes according to the new defaults.
+            """.rstrip()
+        )
diff --git a/kubemarine/resources/configurations/defaults.yaml b/kubemarine/resources/configurations/defaults.yaml
@@ -180,6 +180,7 @@ services:
     net.bridge.bridge-nf-call-ip6tables: '{% if not nodes[0]["internal_address"]|isipv4 %}1{% endif %}'
     net.ipv6.conf.all.forwarding: '{% if not nodes[0]["internal_address"]|isipv4 %}1{% endif %}'
     net.ipv6.ip_nonlocal_bind: '{% if not nodes[0]["internal_address"]|isipv4 %}1{% endif %}'
+    net.netfilter.nf_conntrack_max: 1000000
     kernel.panic: 10
     vm.overcommit_memory: 1
     kernel.panic_on_oops: 1