Change Details

Not sure what's going on here: ```lang=shell-session aborrero@prometheus1003:~ $ curl cloudnet1003.eqiad.wmnet:9100/metrics | grep nf_conntrack # HELP node_nf_conntrack_entries Number of currently allocated flow entries for connection tracking. # TYPE node_nf_conntrack_entries gauge node_nf_conntrack_entries 0 [..] ``` The result is that some of our grafana panels show no useful information: https://grafana.wikimedia.org/d/000000579/wmcs-openstack-eqiad1?panelId=32&fullscreen&orgId=1 A quick check in the server suggest we might have problems indeed: ```lang=shell-session aborrero@cloudnet1003:~ $ sudo dmesg -T | tail [Sat Jul 4 15:35:48 2020] nf_conntrack: nf_conntrack: table full, dropping packet [Sat Jul 4 15:35:53 2020] nf_conntrack: nf_conntrack: table full, dropping packet [Sat Jul 4 15:57:29 2020] nf_conntrack: nf_conntrack: table full, dropping packet [..] ```

Not sure what's going on here: ```lang=shell-session aborrero@prometheus1003:~ $ curl cloudnet1003.eqiad.wmnet:9100/metrics | grep nf_conntrack # HELP node_nf_conntrack_entries Number of currently allocated flow entries for connection tracking. # TYPE node_nf_conntrack_entries gauge node_nf_conntrack_entries 0 [..] ``` The result is that some of our grafana panels show no useful information: https://grafana.wikimedia.org/d/000000579/wmcs-openstack-eqiad1?panelId=32&fullscreen&orgId=1 A quick check in the server suggest we might have problems indeed: ```lang=shell-session aborrero@cloudnet1003:~ $ sudo dmesg -T | tail [Sat Jul 4 15:35:48 2020] nf_conntrack: nf_conntrack: table full, dropping packet [Sat Jul 4 15:35:53 2020] nf_conntrack: nf_conntrack: table full, dropping packet [Sat Jul 4 15:57:29 2020] nf_conntrack: nf_conntrack: table full, dropping packet [..] ``` Actionables: [] improve how we manage the values using puppet. Puppet won't check the live values in the kernel, just in the filesystem (/etc/sysctl.d/) We need some logic to ensure the desired values are actually read by the running kernel [] namespace awareness. Neutron works in autogenerated namespaces. The `nf_conntrack_buckets` setting works for all namespaces. The `nf_conntrack_max` setting is per-namespace, but if not specified it will be computed using `nf_conntrack_buckets * 4`. [] introduce icinga checks and new prometheus metrics, with namespace awareness

Not sure what's going on here: ```lang=shell-session aborrero@prometheus1003:~ $ curl cloudnet1003.eqiad.wmnet:9100/metrics | grep nf_conntrack # HELP node_nf_conntrack_entries Number of currently allocated flow entries for connection tracking. # TYPE node_nf_conntrack_entries gauge node_nf_conntrack_entries 0 [..] ``` The result is that some of our grafana panels show no useful information: https://grafana.wikimedia.org/d/000000579/wmcs-openstack-eqiad1?panelId=32&fullscreen&orgId=1 A quick check in the server suggest we might have problems indeed: ```lang=shell-session aborrero@cloudnet1003:~ $ sudo dmesg -T | tail [Sat Jul 4 15:35:48 2020] nf_conntrack: nf_conntrack: table full, dropping packet [Sat Jul 4 15:35:53 2020] nf_conntrack: nf_conntrack: table full, dropping packet [Sat Jul 4 15:57:29 2020] nf_conntrack: nf_conntrack: table full, dropping packet [..] ``` Actionables: [] improve how we manage the values using puppet. Puppet won't check the live values in the kernel, just in the filesystem (/etc/sysctl.d/) We need some logic to ensure the desired values are actually read by the running kernel [] namespace awareness. Neutron works in autogenerated namespaces. The `nf_conntrack_buckets` setting works for all namespaces. The `nf_conntrack_max` setting is per-namespace, but if not specified it will be computed using `nf_conntrack_buckets * 4`. [] introduce icinga checks and new prometheus metrics, with namespace awareness