On 4/2/22 03:33, Vasily Averin wrote:
> Pablo, Florian,
>
> There is an old issue with the conntrack limit on multi-netns (read: container) nodes.
> Any connection to containers hosted on the node creates a conntrack entry in init_netns.
> If the number of conntrack entries in init_netns reaches the limit, the whole node becomes unavailable.
Can you describe network topology ? Are you using macvlan, ipvlan, or something else ?
> To avoid it, OpenVZ had special patches that disabled conntracks in init_ns on OpenVZ nodes, but this automatically limits the functionality of the host's firewall.
> This has been our specific pain for many years; however, containers are now being used much more widely than before, and the severity of the described problem is growing more and more.
> Do you know perhaps some alternative solution?
>
> Thank you,
> Vasily Averin
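As an added example that is not part of this thread: a small Python helper that parses the /proc/net/nf_conntrack table as seen from init_netns and attributes each entry to the destination address of its original direction (the container address), so an operator can see how close the host table is to nf_conntrack_max and which container is driving it. The sample lines and the 10.0.0.x container addresses are constructed, and reading the live table assumes the nf_conntrack module is loaded and the script runs as root.

```python
import re
from collections import Counter

# Constructed sample of /proc/net/nf_conntrack lines as seen from init_netns.
# 10.0.0.5 and 10.0.0.6 are hypothetical container addresses.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.7 dst=10.0.0.5 sport=45678 dport=80 src=10.0.0.5 dst=203.0.113.7 sport=80 dport=45678 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 119 SYN_SENT src=203.0.113.8 dst=10.0.0.5 sport=45679 dport=80 [UNREPLIED] src=10.0.0.5 dst=203.0.113.8 sport=80 dport=45679 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=203.0.113.9 dst=10.0.0.6 sport=5353 dport=53 src=10.0.0.6 dst=203.0.113.9 sport=53 dport=5353 mark=0 zone=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=198.51.100.2 dst=10.0.0.5 sport=50000 dport=443 src=10.0.0.5 dst=198.51.100.2 sport=443 dport=50000 [ASSURED] mark=0 zone=0 use=2
"""

# First src=/dst= tuple on a line is the original direction of the flow.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=\d+ dport=\d+")

def parse_conntrack(text):
    """Yield (proto, original_dst, unreplied) for each nf_conntrack entry."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        m = TUPLE_RE.search(line)
        if m is None:
            continue
        yield fields[2], m.group(2), "[UNREPLIED]" in line

def usage_by_destination(text, conntrack_max):
    """Return (percent_of_max, entries_per_dst, unreplied_per_dst).

    entries_per_dst shows which container address owns the most host-table
    entries; unreplied_per_dst separates half-open flows, which are the
    usual cause of a table that fills without matching reply traffic."""
    per_dst, unreplied = Counter(), Counter()
    for _proto, dst, is_unreplied in parse_conntrack(text):
        per_dst[dst] += 1
        if is_unreplied:
            unreplied[dst] += 1
    total = sum(per_dst.values())
    pct = 100.0 * total / conntrack_max if conntrack_max else 0.0
    return pct, dict(per_dst), dict(unreplied)

def live_usage():
    """Same report for the running host (needs root and nf_conntrack loaded)."""
    with open("/proc/sys/net/netfilter/nf_conntrack_max") as f:
        limit = int(f.read())
    with open("/proc/net/nf_conntrack") as f:
        return usage_by_destination(f.read(), limit)
```

Run against the sample with a limit of 8 it reports 50% usage, three entries for 10.0.0.5 (one of them unreplied) and one for 10.0.0.6.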