starlingx/integ
Code Issues Proposed changes
integ/base/initscripts-config/files/sysctl.conf
Sun Austin 171c43dca8 Fix Periodic message loss between VIM and Openstack REST APIs 
set net.ipv4.tcp_tw_recycle=1 to avoid dnat conntrack invalid

The probe connection action before going to time_wait state.
Probe connection
controller               pod        TCP FLAG      SEQ           ACK
controller:50538 ---> endpoint:9292     SYN       2707980036       0
controller:50538 <--- endpoint:9292   SYN ACK     1599414185
2707980037
controller:50538 ---> endpoint:9292     ACK       2707980037
1599414186
controller:50538 ---> endpoint:9292   FIN ACK     2707980037
1599414186
controller:50538 <--- endpoint:9292     ACK       1599414186
2707980038
controller:50538 <--- endpoint:9292   FIN ACK     1599414186
2707980038
controller:50538 ---> endpoint:9292     ACK       2707980038
1599414187

And for the curl command connection with same port 50538: it will be
like
controller              pod          TCP FLAG         SEQ          ACK
controller:50538 -->  service:9292     SYN        2917708674        0
controller:50538 --> endpoint:9292     SYN        2917708674        0
controller:24479 <-- endpoint:9292   SYN ACK      2742336307
2917708675
controller:50538 <-- endpoint:9292   SYN ACK      2742336307
2917708675
controller:50538 -->  service:9292     ACK        2707980038
1599414187
controller:50538 -->  service:9292     ACK        2707980038
1599414187
controller:50538 -->  service:9292     ACK(DROP)  2707980038
1599414187

The last ACK(controller:50538-->service:9292) SEQ and ACK is same as
Probe TIME_WAIT latest ACK’s.
from
https://github.com/torvalds/linux/blob/v3.10/net/ipv4/tcp_ipv4.c#L2002 ,
it only check (des ip , des port, src ip, and src port).Because this is
not
 a correct SEQ/ACK , then it is set invalid and then dropped.

If enabling tcp_tw_recycle, the previous socket should be already
closed, then the issue should be gone.

Closes-Bug: 1817936

Change-Id: If6e66d85f08fc99022946fd2e9f4e5756bfb7b2f
Signed-off-by: Sun Austin <austin.sun@intel.com>
2019-08-26 08:06:29 +08:00

88 lines
2.8 KiB
Plaintext
Raw Blame History

# This configuration file is taken from Debian.
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
kernel.printk = 4 4 1 7
# Reboot X seconds after a kernel panic
kernel.panic = 5
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Ignore ICMP broadcasts
#net.ipv4.icmp_echo_ignore_broadcasts = 1
#
# Ignore bogus ICMP errors
#net.ipv4.icmp_ignore_bogus_error_responses = 1
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
#kernel.shmmax = 141762560
# Limit local port range
net.ipv4.ip_local_port_range = 49216 61000
net.ipv4.tcp_tw_reuse = 1
# Fix https://bugs.launchpad.net/starlingx/+bug/1817936
net.ipv4.tcp_tw_recycle = 1
# WRL
# set max socket memory ; default was 212992
net.core.rmem_max=425984
# WRS
# The following kernel parameters help alleviate some RabbitMQ
# connection issues. These values need to be set here to ensure sysinv-agent
# remains connected to rabbitmq. Sysinv-agent starts before packstack and the
# long default values allowed the connection to be lost for 2 hours.
# Note the ipv4 vlaues are also applied to ipv6 connections.
net.ipv4.tcp_keepalive_intvl = 1
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_time = 5
View Git Blame Copy Permalink