Enable nf_conntrack_tcp_be_liberal for Ubuntu 22.04 until kernel update

[ritchxu]

Description

Azure's latest Ubuntu 22.04 image is lacking a kernel fix torvalds/linux@6e250dc.

GitHub Actions' ubuntu-22.04 image is built upon Azure's base image. Without the fix, when customers' workflows upload large-size artifacts to remote servers and remote server fell behind in responding with ACK TCP packets, the delayed ACK packets are counted as INVALID because they are out of the TCP window, leading to the client kernel panic and responding with RST. This results in the intermittent connection reset symptom that has been reported by multiple customers¹²³⁴.

With permission, a more detailed analysis/history can be seen here.

Solution

Until the base image is updated to include the kernel fix, this PR proposes to enable the nf_conntrack_tcp_be_liberal kernel flag⁵. As a result, only out-of-window RST segments will be marked as INVALID while out-of-window ACK packets will be allowed.

Check list

• Related issue / work item is attached
• Tests are written (if applicable)
• Documentation is updated (if applicable)
• Changes are tested and related VM images are successfully generated

Footnotes

1. https://github.com/github/c2c-actions-support/issues/2441 ↩

2. https://github.com/github/c2c-actions-support/issues/2461 ↩

3. https://github.com/github/c2c-package-registry/issues/6891 ↩

4. https://github.com/github/c2c-package-registry/issues/7013 ↩

5. https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt ↩

[mikhailkoliada]

@ritchxu we should really move it somewhere else and modify sysctl.conf. Your changes only modify /proc, and all the changes will be lost after a machine reboot happens (which we do a lot during deployment too)

[ritchxu]

@ritchxu we should really move it somewhere else and modify sysctl.conf. Your changes only modify /proc, and all the changes will be lost after a machine reboot happens (which we do a lot during deployment too)

Thanks @mikhailkoliada do you have an effective way of persisting sysctl parameters? I have yet to find a good way:

ritchxu@RUIX-DESKTOP:~$ cat /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal
0
ritchxu@RUIX-DESKTOP:~$ sudo sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal=1
[sudo] password for ritchxu:
net.netfilter.nf_conntrack_tcp_be_liberal = 1
ritchxu@RUIX-DESKTOP:~$ sudo sysctl -p
ritchxu@RUIX-DESKTOP:~$ cat /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal
1
ritchxu@RUIX-DESKTOP:~$
[process exited with code 1 (0x00000001)]
You can now close this terminal with Ctrl+D, or press Enter to restart.
ritchxu@RUIX-DESKTOP:~$ cat /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal
0

[vpolikarpov-akvelon]

Hey @ritchxu. There is a couple of sysctl adjustments for linux runner image here: https://github.com/actions/runner-images/blob/main/images/linux/scripts/installers/configure-environment.sh#L31-L37. You may try adding new flag the same way.

[ritchxu]

Hey @ritchxu. There is a couple of sysctl adjustments for linux runner image here: https://github.com/actions/runner-images/blob/main/images/linux/scripts/installers/configure-environment.sh#L31-L37. You may try adding new flag the same way.

I did notice that, but suspect the change wouldn't stick given my test in #7860 (comment), but let's give it a try 😄

[ritchxu]

Only temporary to verify if the net.netfilter.nf_conntrack_tcp_be_liberal change sticks after reboot.

[ritchxu]

The change didn't stick 😞 https://github.com/actions/runner-images/actions/runs/5556097720/jobs/10148164916?pr=7860#step:7:17962

==> azure-arm.build_vhd: Provisioning with shell script: /home/vsts/Agents/image-generation/_work/runner-images/runner-images/images/linux/scripts/base/reboot.sh
    azure-arm.build_vhd: Reboot VM
==> azure-arm.build_vhd: Provisioning with shell script: /tmp/packer-shell1639431296
    azure-arm.build_vhd: 0
    azure-arm.build_vhd: net.netfilter.nf_conntrack_tcp_be_liberal = 0

[vpolikarpov-akvelon]

Well, I found solution finally.

Occasionally, we can't set this value in sysctl.conf as it is applied when nf_conntrack module isn't loaded yet, so value "doesn't stick" indeed. This behavior was discussed here: https://bugzilla.redhat.com/show_bug.cgi?id=312481

Also I didn't found appropriate nf_conntrack module option for that so we can't set it using modprobe.d rules.

But I able to set it using udev rules. I created a file /etc/udev/rules.d/50-netfilter.rules with this content:

ACTION=="add", SUBSYSTEM=="module", KERNEL=="nf_conntrack", RUN+="/usr/sbin/sysctl net.netfilter.nf_conntrack_tcp_be_liberal=1"

I'm not sure it's a good solution, but it works at least.

[ritchxu]

@vpolikarpov-akvelon Thanks for the suggestion 👍🏼. I've pushed a commit to try it out.

[vpolikarpov-akvelon]

Hey @ritchxu. Could you please merge or rebase you branch onto main?

[ritchxu]

Hey @ritchxu. Could you please merge or rebase you branch onto main?

Done 👍🏼

[vpolikarpov-akvelon]

Hey, @ritchxu. I'm really sorry, but there is a couple more of important patches that should be merged for tests to complete successfully. Could you please rebase once more?

[ritchxu]

Hey, @ritchxu. I'm really sorry, but there is a couple more of important patches that should be merged for tests to complete successfully. Could you please rebase once more?

No problem, it's done 👍🏼

[ritchxu]

@vpolikarpov-akvelon your workaround works! https://github.com/actions/runner-images/actions/runs/5624140452/job/15240333265?pr=7860#step:7:18196

    azure-arm.build_vhd: Reboot VM
==> azure-arm.build_vhd: Provisioning with shell script: /tmp/packer-shell1662180624
    azure-arm.build_vhd: 1
    azure-arm.build_vhd: net.netfilter.nf_conntrack_tcp_be_liberal = 1

I pushed another update to remove the temporary step that prints out ☝🏼. We should be good to go!