On 4/2/22 20:12, Eric Dumazet wrote:
>
> On 4/2/22 03:33, Vasily Averin wrote:
>> Pablo, Florian,
>>
>> There is an old issue with the conntrack limit on multi-netns (read: container) nodes.
>>
>> Any connection to containers hosted on the node creates a conntrack in init_netns.
>> If the number of conntracks in init_netns reaches the limit, the whole node becomes
>> unavailable.
>
> Can you describe the network topology?

             += veth1 <=> veth container1
ethX <=> brX =+= veth2 <=> veth container2
             += vethX <=> veth containerX

> Are you using macvlan, ipvlan, or something else?

No, we did not use it earlier, because it was not available in RHEL7,
but now it looks like a good solution for me.

Thank you for the hint,
	Vasily Averin