From: Friedrich Weber
To: pve-devel@lists.proxmox.com
Date: Thu, 15 Feb 2024 10:40:55 +0100
Message-Id: <20240215094056.66233-3-f.weber@proxmox.com>
In-Reply-To: <20240215094056.66233-1-f.weber@proxmox.com>
References: <20240215094056.66233-1-f.weber@proxmox.com>
Subject: [pve-devel] [PATCH ceph quincy-stable-8 2/3] fix #5213: ceph-osd postinst: add patch to avoid connection freezes

Assume there is an open TCP connection to a VM, and ceph-osd is
installed/upgraded on the host on which the PVE firewall is active.
Currently, ceph-osd postinst reloads all sysctl settings. Thus,
installing/upgrading ceph-osd will set the sysctl setting
`net.bridge.bridge-nf-call-iptables` to 0. The PVE firewall will flip
the setting back to 1 in its next iteration (in <10 seconds). But while
the setting is 0, conntrack will not see packets of the existing TCP
connection. When the setting is flipped back to 1, conntrack will see
packets again, but may consider the seq/ack numbers of new packets
out-of-window, mark them as invalid and drop them. This will freeze the
TCP connection.

To avoid this, add a patch that modifies the ceph-osd postinst to only
apply settings from the sysctl settings file shipped with ceph-osd, and
only apply them on fresh install. As the ceph-osd sysctl settings do not
set `net.bridge.bridge-nf-call-iptables`, this will avoid the temporary
flip to 0 when installing/upgrading ceph-osd.

Signed-off-by: Friedrich Weber
---
 ...t-avoid-reloading-all-sysctl-setting.patch | 47 +++++++++++++++++++
 patches/series                                |  1 +
 2 files changed, 48 insertions(+)
 create mode 100644 patches/0024-ceph-osd-postinst-avoid-reloading-all-sysctl-setting.patch
diff --git a/patches/0024-ceph-osd-postinst-avoid-reloading-all-sysctl-setting.patch b/patches/0024-ceph-osd-postinst-avoid-reloading-all-sysctl-setting.patch new file mode 100644 index 000000000..947175605 --- /dev/null +++ b/patches/0024-ceph-osd-postinst-avoid-reloading-all-sysctl-setting.patch 
@@ -0,0 +1,47 @@ +From 232b1fa3210a56354b27f9c6154819307412b91c Mon Sep 17 00:00:00 2001 +From: Friedrich Weber +Date: Thu, 8 Feb 2024 16:20:08 +0100 +Subject: [PATCH] ceph-osd postinst: do not always reload all sysctl settings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +ceph-osd installs a /etc/sysctl.d/30-ceph-osd.conf with custom sysctl +settings. Currently, in order to apply them, ceph-osd postinst always +restarts procps. However, this triggers a reload of *all* sysctl +settings when installing or upgrading the ceph-osd package. This may +needlessly reset unrelated settings manually changed by the user. + +To avoid this, invoke /lib/systemd/systemd-sysctl manually to apply +the custom sysctl settings only, and only do so on fresh installs of +the package. + +If 30-ceph-osd.conf is changed in the future, the ceph-osd postinst +will need to be adjusted to apply the sysctl settings on upgrade too. + +Suggested-by: Fabian Grünbichler +Signed-off-by: Friedrich Weber +--- + debian/ceph-osd.postinst | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/debian/ceph-osd.postinst b/debian/ceph-osd.postinst +index 04e33b8601f..2bcd8d4dcb4 100644 +--- a/debian/ceph-osd.postinst ++++ b/debian/ceph-osd.postinst +@@ -24,7 +24,11 @@ set -e + + case "$1" in + configure) +- [ -x /etc/init.d/procps ] && invoke-rc.d procps restart || : ++ # apply (only) new parameters, but only on fresh install ++ if [ -z "$2" ]; then ++ /lib/systemd/systemd-sysctl /etc/sysctl.d/30-ceph-osd.conf \ ++ >/dev/null || : ++ fi + [ -x /sbin/start ] && start ceph-osd-all || : + ;; + abort-upgrade|abort-remove|abort-deconfigure) +-- +2.39.2 + diff --git a/patches/series b/patches/series index ee897a78a..30fc83ec0 100644 --- a/patches/series +++ b/patches/series 
@@ -16,3 +16,4 @@ 0021-backport-mgr-dashboard-simplify-authentication-proto.patch 0022-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch 0023-rocksb-inherit-parent-cmake-cxx-flags.patch +0024-ceph-osd-postinst-avoid-reloading-all-sysctl-setting.patch -- 2.39.2
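Review bot: the new `configure)` branch in the embedded ceph-osd.postinst hunk drops the existence guard of the line it replaces (`[ -x /etc/init.d/procps ] && ...`) and relies on `>/dev/null || :` instead, so if the hard-coded `/lib/systemd/systemd-sysctl` is absent or `30-ceph-osd.conf` is unreadable, the postinst still reports success and the shipped sysctl values are simply never applied on a fresh install; a `[ -x /lib/systemd/systemd-sysctl ]` test in the `if` condition, mirroring the original style, would make that explicit. The caveat in the commit message that a future change to `30-ceph-osd.conf` requires the postinst to apply the settings on upgrade too belongs as a comment next to the `if [ -z "$2" ]` guard, where the next person editing the file will see it. The embedded patch description also mentions only "settings manually changed by the user", while the concrete trigger (the `net.bridge.bridge-nf-call-iptables` flip behind #5213) is stated only in the outer commit message; carrying it into the embedded patch would help if this is proposed upstream.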
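The mechanism in the commit message above (a procps restart re-applies every sysctl.d snippet, so a value persisted in one of them briefly overrides what the PVE firewall sets at runtime) suggests a simple audit: list the sysctl.d files that persist a value for a key a runtime daemon owns. The script below is an added example, not part of this patch or of the Proxmox or Ceph code; the key prefix `net.bridge.bridge-nf-call-` and the file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: audit sysctl.d-style snippets for keys that a runtime
# daemon (here the PVE firewall, managing net.bridge.bridge-nf-call-*)
# also sets. A "procps restart" re-applies every snippet, so any value
# persisted here overrides the runtime value until the daemon flips it
# back; that window is what the patch above avoids for ceph-osd.

# Print one "file key value" line per assignment in the given files.
# Follows sysctl.conf(5) syntax: '#' or ';' comments, blank lines,
# an optional leading '-' (ignore errors), '/' or '.' as key separator.
sysctl_assignments() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        sed -e 's/[#;].*$//' -e 's/^[[:space:]]*-//' "$f" \
        | awk -v file="$f" -F= 'NF >= 2 {
            key = $1
            sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            gsub(/\//, ".", key)              # net/bridge/x -> net.bridge.x
            val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            print file, key, val
        }'
    done
}

# List assignments whose key starts with PREFIX. Exits 1 when at least
# one is found, so the function can gate a pre-install or CI check.
find_conflicting() {
    prefix=$1
    shift
    sysctl_assignments "$@" \
    | awk -v p="$prefix" 'index($2, p) == 1 { print; found = 1 }
                         END { exit found ? 1 : 0 }'
}

# Usage (constructed example; the file name is a placeholder):
#   find_conflicting net.bridge.bridge-nf-call- /etc/sysctl.d/*.conf
# prints e.g. "/etc/sysctl.d/10-example.conf net.bridge.bridge-nf-call-iptables 0"
# for every snippet that would override the firewall's runtime value.
if [ "$#" -gt 0 ]; then
    find_conflicting "$@"
fi
```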