Merge pull request #1171 from KubeKyrie/fix-enable-sysctl-tuning

Add playbook to enable nf_conntrack
kubean-io · Mar 20, 2024 · 8d351fc · 8d351fc
2 parents 6e36358 + f0737a0
commit 8d351fc
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 1 deletion.
diff --git a/pkg/util/entrypoint/entrypoint.go b/pkg/util/entrypoint/entrypoint.go
@@ -35,6 +35,7 @@ const (
 	RenewCertsPB             = "renew-certs.yml"
 	KubeVipConfigPB          = "config-for-kube-vip.yml"
 	ConfigInsecureRegistryPB = "config-insecure-registry.yml"
+	NfConntrackPB            = "enable-nf-conntrack.yml"
 )
 
 //go:embed entrypoint.sh.template
@@ -61,7 +62,7 @@ func NewActions() *Actions {
 	actions.Playbooks.List = []string{
 		ResetPB, ScalePB, ClusterPB, RemoveNodePB, UpgradeClusterPB,
 		PingPB, RepoPB, FirewallPB, KubeconfigPB, ClusterInfoPB, UpdateHostsPB,
-		RemovePkgsPB, PreCheckPB, RenewCertsPB, KubeVipConfigPB, ConfigInsecureRegistryPB,
+		RemovePkgsPB, PreCheckPB, RenewCertsPB, KubeVipConfigPB, ConfigInsecureRegistryPB, NfConntrackPB,
 	}
 	actions.Playbooks.Dict = map[string]void{}
 	for _, pbItem := range actions.Playbooks.List {

diff --git a/playbooks/enable-nf-conntrack.yml b/playbooks/enable-nf-conntrack.yml
@@ -0,0 +1,35 @@
+# Copyright 2023 Authors of kubean-io
+# SPDX-License-Identifier: Apache-2.0
+
+---
+- name: Enable nf_conntrack kernel module
+  hosts: all
+  become: true
+  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
+  tasks:
+    - name: Check OS and enable nf_conntrack
+      command: lsmod | grep nf_conntrack
+      register: nf_conntrack_check
+      ignore_errors: true
+
+    - name: Enable nf_conntrack for non-RedHat8/Rocky OS
+      command: modprobe nf_conntrack
+      when:
+        - ansible_distribution != "Rocky" or (ansible_distribution == "RedHat" and ansible_distribution_major_version != "8")
+        - nf_conntrack_check.rc != 0
+
+    - name: Persist nf_conntrack configuration
+      when:
+        - ansible_distribution != "Rocky" or (ansible_distribution == "RedHat" and ansible_distribution_major_version != "8")
+        - nf_conntrack_check.rc != 0
+      block:
+        - name: Ensure nf_conntrack configuration file exists
+          file:
+            path: /etc/modules-load.d/nf_conntrack.conf
+            state: touch
+            mode: "0644"
+        - name: Add nf_conntrack to configuration file
+          lineinfile:
+            path: /etc/modules-load.d/nf_conntrack.conf
+            line: "nf_conntrack"
+            state: present