[WIP] Skip resize of nf_conntrack/parameters/hashsize if not necessary #44919

Conversation

robertgzr
Contributor

What this PR does / why we need it:
Linux does not support writing to /sys/module/nf_conntrack/parameters/hashsize when the writer process is not in the initial network namespace
(https://github.com/torvalds/linux/blob/v4.10/net/netfilter/nf_conntrack_core.c#L1795-L1796).

Usually that's fine. But in some configurations such as with https://github.com/kinvolk/kubeadm-nspawn, kube-proxy is in another netns.

Therefore, check if writing in hashsize is necessary and skip the writing if not.

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #

Special notes for your reviewer:

Release note:

@k8s-ci-robot
Contributor

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label Apr 25, 2017
@k8s-reviewable

This change is Reviewable

@k8s-ci-robot
Contributor

Hi @robertgzr. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with @k8s-bot ok to test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 25, 2017
@k8s-github-robot k8s-github-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. release-note-label-needed labels Apr 25, 2017
@robertgzr
Contributor Author

/cc @alban @nhlfr

@robertgzr robertgzr changed the title Skip resize of nf_conntrack/parameters/hashsize if not necessary [WIP] Skip resize of nf_conntrack/parameters/hashsize if not necessary Apr 25, 2017
@robertgzr robertgzr force-pushed the robertgzr/kubeproxy-check-conntrack-before-write branch from fa97388 to b397e16 April 25, 2017 14:08
@mikedanese mikedanese assigned thockin and bowei and unassigned lavalamp and mikedanese Apr 27, 2017
@thockin
Member

thockin commented Apr 28, 2017 via email

@mikedanese
Member

From linked GitHub project, looks like this is for simulating multinode during local development.

@nhlfr

nhlfr commented May 2, 2017

@thockin From what I know, the kube-proxy's iptables rules work well inside netns - under the condition that this netns is used for simulating a node, not for isolation of the kube-proxy process from the other k8s components.

@sttts @ivan4th did you have any problems with iptables in dind? Or with anything else than nf_conntrack hashsize?

@robertgzr
Contributor Author

@thockin what @nhlfr said ^

$ kubectl --kubeconfig ./kubeadm-nspawn-0/etc/kubernetes/admin.conf get nodes
NAME               STATUS    AGE
kubeadm-nspawn-0   Ready     4m
kubeadm-nspawn-1   Ready     4m
$ kubectl --kubeconfig ./kubeadm-nspawn-0/etc/kubernetes/admin.conf -n kube-system logs kube-proxy-jl6wq
I0503 16:20:56.862763       1 server.go:230] Using iptables Proxier.
W0503 16:20:57.009737       1 proxier.go:347] clusterCIDR not specified, unable to distinguish between internal and external traffic
I0503 16:20:57.009782       1 server.go:255] Tearing down userspace rules.
I0503 16:20:57.076621       1 conntrack.go:98] Set sysctl 'net/netfilter/nf_conntrack_max' to 131072
I0503 16:20:57.076701       1 conntrack.go:52] Setting nf_conntrack_max to 131072
I0503 16:20:57.076743       1 conntrack.go:98] Set sysctl 'net/netfilter/nf_conntrack_tcp_timeout_established' to 86400
I0503 16:20:57.076814       1 config.go:119] Starting endpoints config controller
I0503 16:20:57.076890       1 conntrack.go:98] Set sysctl 'net/netfilter/nf_conntrack_tcp_timeout_close_wait' to 3600
I0503 16:20:57.094501       1 config.go:236] Starting service config controller
I0503 16:20:57.128171       1 controller_utils.go:973] Waiting for caches to sync for service config controller
I0503 16:20:57.128243       1 controller_utils.go:973] Waiting for caches to sync for endpoints config controller
I0503 16:20:57.229268       1 controller_utils.go:980] Caches are synced for endpoints config controller
I0503 16:20:57.229648       1 controller_utils.go:980] Caches are synced for service config controller

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels May 3, 2017
@thockin thockin added release-note-none Denotes a PR that doesn't merit a release note. and removed release-note-label-needed labels May 4, 2017
@thockin
Member

thockin commented May 4, 2017

/lgtm
/approve
@k8s-bot ok to test

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 4, 2017
@k8s-github-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: robertgzr, thockin

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 4, 2017
@k8s-github-robot

Automatic merge from submit-queue
