[SOLVED] Kernel parameters not loaded during boot from /etc/sysctl.d/*.conf

[cmonty14]

Hi,
I was getting this error in syslog:
nf_conntrack: nf_conntrack: table full, dropping packet

To solve this issue I found this:
CONNTRACK_MAX = RAMSIZE (in bytes) / 16384 / (ARCH / 32)

Having Mellanox NIC installed on my server I followed the recommendation to improve performance.
This results in a new file /etc/sysctl.d/*.conf:
root@ld5505:~# more /etc/sysctl.d/20-mlnx.conf
###################################################################
# Performance Tuning Mellanox Adapters
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_sack = 1
net.core.netdev_max_backlog = 250000
net.core.rmem_max = 4194304
net.core.wmem_max = 4194304
net.core.rmem_default = 4194304
net.core.wmem_default = 4194304
net.core.optmem_max = 4194304
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 65536 4194304
net.ipv4.tcp_low_latency = 1
net.ipv4.tcp_adv_win_scale = 1
net.netfilter.nf_conntrack_max = 25165824

After booting the server I noticed that these kernel parameters are not loaded:
root@ld5505:~# sysctl --all | grep conntrack_max
net.netfilter.nf_conntrack_max = 262144
net.nf_conntrack_max = 262144

Instead I must run sysctl --system to activate all parameters:
root@ld5505:~# sysctl --system
* Applying /usr/lib/sysctl.d/10-pve-ct-inotify-limits.conf ...
fs.inotify.max_queued_events = 8388608
fs.inotify.max_user_instances = 65536
fs.inotify.max_user_watches = 4194304
* Applying /etc/sysctl.d/20-mlnx.conf ...
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_sack = 1
net.core.netdev_max_backlog = 250000
net.core.rmem_max = 4194304
net.core.wmem_max = 4194304
net.core.rmem_default = 4194304
net.core.wmem_default = 4194304
net.core.optmem_max = 4194304
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 65536 4194304
net.ipv4.tcp_low_latency = 1
net.ipv4.tcp_adv_win_scale = 1
net.netfilter.nf_conntrack_max = 25165824
* Applying /etc/sysctl.d/30-ceph-osd.conf ...
fs.aio-max-nr = 1048576
kernel.pid_max = 4194304
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.d/protect-links.conf ...
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
* Applying /usr/lib/sysctl.d/pve-firewall.conf ...
net.ipv4.conf.all.rp_filter = 2
* Applying /etc/sysctl.d/pve.conf ...
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-filter-vlan-tagged = 0
fs.aio-max-nr = 1048576
* Applying /etc/sysctl.conf ...


Question:
Why are the kernel parameters not loaded during boot?

The required service is running:
root@ld5505:~# systemctl status systemd-sysctl.service
● systemd-sysctl.service - Apply Kernel Variables
Loaded: loaded (/lib/systemd/system/systemd-sysctl.service; static; vendor preset: enabled)
Active: active (exited) since Thu 2019-09-19 16:40:46 CEST; 30min ago
Docs: man:systemd-sysctl.service(8)
man:sysctl.d(5)
Main PID: 904 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 8601)
Memory: 0B
CGroup: /system.slice/systemd-sysctl.service


THX

 

[spirit]

for net.netfilter.nf_conntrack_max, this is because the sysctl entry only exist after the conntrack module is loaded.
and by default, it's loaded dynamically when you add an iptable rule with '-J ESTABLISHED'.

if you use proxmox firewall feature, you can tune directly conntrack_max in gui, on each host firewall options.

another way,is to force the load of conntrack module at boot

/etc/modules-load.d/nf_conntrack.conf
---------------------------------------------------------
nf_conntrack
nf_conntrack_ipv4
nf_conntrack_ipv6