Red Hat Bugzilla – Bug 1290923
Ceph documentation should tell users to increase netfilter conntrack limits to prevent network issues
Last modified: 2016-03-01 03:22:31 EST
Description of problem:
Recently customers have been encountering a situation where nf_conntrack modules were loading and causing packets to drop with:
nf_conntrack: table full, dropping packet
visible in logs.
Documentation does not suggest blacklisting nf_conntrack modules to prevent this behavior, which can result in the above behavior and networking problems down the road for a cluster.
Documentation should suggest blacklisting the conntrack modules in the Pre-Installation portion of the Installation guide documentation:
Creating a file named /etc/modprobe.d/conntrack.conf and adding the following lines:
should do the trick, but a reboot will be required. Also, note that running any form of iptables rules may re-enable the conntrack modules.
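Before blacklisting the modules (or as the alternative the bug title points at, raising the limit), it helps to know how close the table is to the condition that produces the logged message. The script below is an added example, not part of this bug report or of the Ceph documentation: it computes conntrack usage from a count and a maximum, counts the "table full" kernel line in log text, and prints a `net.netfilter.nf_conntrack_max` value that doubles the current count. The sample numbers and the log lines are constructed; the `/proc/sys/net/netfilter` paths are the standard netfilter sysctl locations and are only read by `check_live`, which is not used in the demonstration.

```shell
#!/bin/sh
# Added example, not part of the bug report: measure how close the
# conntrack table is to the "table full" condition and count the kernel
# message from log text, so the limit can be raised (or the module
# blacklisted) before packets are dropped. Sample values and SAMPLE_LOG
# are constructed; the /proc paths are the standard netfilter sysctls.

# conntrack_usage_pct COUNT MAX: prints percent of the table in use and
# returns 1 when usage is at or above WARN_PCT (default 80).
WARN_PCT=${WARN_PCT:-80}
conntrack_usage_pct() {
    count=$1
    max=$2
    [ "$max" -gt 0 ] || return 2          # avoid division by zero
    pct=$(( count * 100 / max ))
    echo "$pct"
    [ "$pct" -lt "$WARN_PCT" ]
}

# count_table_full: reads log text on stdin and prints how many lines carry
# the kernel drop message quoted in the bug report (0 when none match).
count_table_full() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# suggest_max COUNT: prints a sysctl setting that doubles the current count,
# the simplest way to add headroom without unloading the module.
suggest_max() {
    echo "net.netfilter.nf_conntrack_max=$(( $1 * 2 ))"
}

# check_live: read the real counters when the module is loaded.
# Returns 2 (with a message on stderr) when nf_conntrack is not present.
check_live() {
    dir=/proc/sys/net/netfilter
    if [ -r "$dir/nf_conntrack_count" ] && [ -r "$dir/nf_conntrack_max" ]; then
        conntrack_usage_pct "$(cat "$dir/nf_conntrack_count")" "$(cat "$dir/nf_conntrack_max")"
    else
        echo "nf_conntrack not loaded (no $dir/nf_conntrack_count)" >&2
        return 2
    fi
}

# Constructed sample: two drop messages among ordinary kernel lines.
SAMPLE_LOG='Mar  1 03:00:01 ceph-osd1 kernel: nf_conntrack: table full, dropping packet
Mar  1 03:00:01 ceph-osd1 kernel: nf_conntrack: table full, dropping packet
Mar  1 03:00:02 ceph-osd1 kernel: eth0: link is up'

# Demonstration on constructed values (60000 of 65536 entries in use).
if pct=$(conntrack_usage_pct 60000 65536); then
    echo "conntrack table ${pct}% used"
else
    echo "WARNING: conntrack table ${pct}% used; consider $(suggest_max 60000)"
fi
echo "drop messages in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_table_full)"
```

On a live node, `check_live` reads the real counters; if the blacklist from the procedure above is in place, the `/proc` entries are absent and it reports that instead of a percentage. The `WARN_PCT` threshold is an assumption and can be overridden from the environment.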
Can you please respond to the query asked in Comment 6 and Comment 7?
Also, in the Red Hat Installation guide:
I don't see the Note Section:
+NOTE: Running any form of the `iptables` rules can enable the `nf-conntrack`
+modules again. Make sure to blacklist the modules before changing the
But in Ubuntu it's present.
Marking this as verified.
We might need to change this recommendation; discussion in bug 1304004
What does the Ceph traffic look like which triggers this? Maybe there is a better way to avoid state table exhaustion rather than disabling the stateful firewall completely.
*** Bug 1304004 has been marked as a duplicate of this bug. ***