From f0737a01fe0ab4aea78a45e9a2c9661d5c5b3604 Mon Sep 17 00:00:00 2001
From: KubeKyrie
Date: Tue, 19 Mar 2024 15:34:00 +0800
Subject: [PATCH] add playbook: enable nf_conntrack

Signed-off-by: KubeKyrie
---
 pkg/util/entrypoint/entrypoint.go |  3 ++-
 playbooks/enable-nf-conntrack.yml | 35 +++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 playbooks/enable-nf-conntrack.yml

diff --git a/pkg/util/entrypoint/entrypoint.go b/pkg/util/entrypoint/entrypoint.go
index 17877bc63..38c96611c 100644
--- a/pkg/util/entrypoint/entrypoint.go
+++ b/pkg/util/entrypoint/entrypoint.go
@@ -35,6 +35,7 @@ const (
 	RenewCertsPB = "renew-certs.yml"
 	KubeVipConfigPB = "config-for-kube-vip.yml"
 	ConfigInsecureRegistryPB = "config-insecure-registry.yml"
+	NfConntrackPB = "enable-nf-conntrack.yml"
 )
 
 //go:embed entrypoint.sh.template
@@ -61,7 +62,7 @@ func NewActions() *Actions {
 	actions.Playbooks.List = []string{
 		ResetPB, ScalePB, ClusterPB, RemoveNodePB, UpgradeClusterPB, PingPB, RepoPB, FirewallPB, KubeconfigPB, ClusterInfoPB, UpdateHostsPB,
-		RemovePkgsPB, PreCheckPB, RenewCertsPB, KubeVipConfigPB, ConfigInsecureRegistryPB,
+		RemovePkgsPB, PreCheckPB, RenewCertsPB, KubeVipConfigPB, ConfigInsecureRegistryPB, NfConntrackPB,
 	}
 	actions.Playbooks.Dict = map[string]void{}
 	for _, pbItem := range actions.Playbooks.List {
diff --git a/playbooks/enable-nf-conntrack.yml b/playbooks/enable-nf-conntrack.yml
new file mode 100644
index 000000000..efc64f95e
--- /dev/null
+++ b/playbooks/enable-nf-conntrack.yml
@@ -0,0 +1,35 @@
+# Copyright 2023 Authors of kubean-io
+# SPDX-License-Identifier: Apache-2.0
+
+---
+- name: Enable nf_conntrack kernel module
+  hosts: all
+  become: true
+  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
+  tasks:
+    - name: Check OS and enable nf_conntrack
+      command: lsmod | grep nf_conntrack
+      register: nf_conntrack_check
+      ignore_errors: true
+
+    - name: Enable nf_conntrack for non-RedHat8/Rocky OS
+      command: modprobe nf_conntrack
+      when:
+        - ansible_distribution != "Rocky" or (ansible_distribution == "RedHat" and ansible_distribution_major_version != "8")
+        - nf_conntrack_check.rc != 0
+
+    - name: Persist nf_conntrack configuration
+      when:
+        - ansible_distribution != "Rocky" or (ansible_distribution == "RedHat" and ansible_distribution_major_version != "8")
+        - nf_conntrack_check.rc != 0
+      block:
+        - name: Ensure nf_conntrack configuration file exists
+          file:
+            path: /etc/modules-load.d/nf_conntrack.conf
+            state: touch
+            mode: "0644"
+        - name: Add nf_conntrack to configuration file
+          lineinfile:
+            path: /etc/modules-load.d/nf_conntrack.conf
+            line: "nf_conntrack"
+            state: present
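Review bot: The probe task's `command: lsmod | grep nf_conntrack` never runs a pipeline, because the `command` module does not hand its arguments to a shell; lsmod receives `|`, `grep` and `nf_conntrack` as literal arguments, so `nf_conntrack_check.rc` does not reflect whether the module is loaded and both `nf_conntrack_check.rc != 0` guards below test the wrong thing. The distribution conditional also never excludes RedHat 8: its left operand `ansible_distribution != "Rocky"` is already true for every RedHat host, so the whole expression reduces to "not Rocky" and skips every Rocky release instead; if the task name's intent (skip RedHat 8 and Rocky 8) is right, the guard should be `not (ansible_distribution in ["RedHat", "Rocky"] and ansible_distribution_major_version == "8")`, defined once in a play-level `vars:` entry rather than pasted into both tasks. The rewritten probe below keeps the `.rc` contract so the modprobe task and the persist block are unchanged; `changed_when: false` and `failed_when: false` replace `ignore_errors: true` so a host without the module is reported neither as changed nor as failed. Separately, `file: state: touch` reports changed on every run; `lineinfile` with `create: true` and `mode: "0644"` makes that task unnecessary.
```yaml
    - name: Check whether nf_conntrack is already loaded
      shell: lsmod | grep -q nf_conntrack
      register: nf_conntrack_check
      changed_when: false
      failed_when: false
# … unchanged: modprobe task and persist block (with the corrected when: conditions) …
```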