[pve-devel] applied: [PATCH ceph quincy-stable-8 2/3] fix #5213: ceph-osd postinst: add patch to avoid connection freezes

Thomas Lamprecht t.lamprecht at proxmox.com
Thu Feb 15 14:17:17 CET 2024

On 15/02/2024 at 10:40, Friedrich Weber wrote:
> Assume there is an open TCP connection to a VM, and ceph-osd is
> installed/upgraded on the host on which the PVE firewall is active.
> Currently, ceph-osd postinst reloads all sysctl settings. Thus,
> installing/upgrading ceph-osd will set the sysctl setting
> `net.bridge.bridge-nf-call-iptables` to 0. The PVE firewall will flip
> the setting back to 1 in its next iteration (in <10 seconds). But
> while the setting is 0, conntrack will not see packets of the existing
> TCP connection. When the setting is flipped back to 1, conntrack will
> see packets again, but may consider the seq/ack numbers of new packets
> out-of-window, mark them as invalid and drop them. This will freeze
> the TCP connection.
>
> To avoid this, add a patch that modifies the ceph-osd postinst to only
> apply settings from the sysctl settings file shipped with ceph-osd,
> and only apply them on fresh install. As the ceph-osd sysctl settings
> do not set `net.bridge.bridge-nf-call-iptables`, this will avoid the
> temporary flip to 0 when installing/upgrading ceph-osd.
>
> Signed-off-by: Friedrich Weber <f.weber at proxmox.com>
> ---
>  ...t-avoid-reloading-all-sysctl-setting.patch | 47 +++++++++++++++++++
>  patches/series                                |  1 +
>  2 files changed, 48 insertions(+)
>  create mode 100644 patches/0024-ceph-osd-postinst-avoid-reloading-all-sysctl-setting.patch

applied, same holds as replied to patch 1/3, but for quincy I'd not
bother changing such things much at this stage of its lifecycle, thanks!
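As an added illustration, not the patch from this series nor Ceph's own postinst: a maintainer-script fragment that does what the commit message describes, applying only the settings shipped in ceph-osd's own sysctl file, and only on a fresh install, instead of reloading every sysctl drop-in. The file path, the function names and the sample file contents below are assumptions for the example.

```shell
#!/bin/sh
# Example postinst logic (not the real ceph-osd postinst). Path is an assumption.
CEPH_OSD_SYSCTL_FILE="${CEPH_OSD_SYSCTL_FILE:-/etc/sysctl.d/30-ceph-osd.conf}"

# Print the key=value pairs this run would apply, one per line.
#   $1 = maintainer-script action (dpkg passes "configure")
#   $2 = previously configured version (empty only on a fresh install)
#   $3 = sysctl file to read (optional, defaults to the ceph-osd one)
# On upgrade nothing is printed, so a live setting such as
# net.bridge.bridge-nf-call-iptables is never touched by this package.
sysctl_settings_to_apply() {
    action="$1"; old_version="$2"; file="${3:-$CEPH_OSD_SYSCTL_FILE}"
    [ "$action" = "configure" ] || return 0
    [ -z "$old_version" ] || return 0   # upgrade: leave the running kernel alone
    [ -r "$file" ] || return 0
    # Drop comments and blank lines, trim whitespace, normalise "k = v" to "k=v".
    sed -e 's/[#;].*$//' \
        -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$file"
}

# What the postinst would actually execute: only the pairs selected above,
# never "sysctl --system". Kept separate so the decision logic is testable
# without root.
apply_ceph_osd_sysctl() {
    sysctl_settings_to_apply "$@" | while IFS= read -r kv; do
        sysctl -q -w "$kv" || true
    done
}
```

In a real postinst the call would be `apply_ceph_osd_sysctl "$@"` with dpkg's arguments; the test below only exercises the selection logic.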
