Enable nf_conntrack kernel module on Rocky 9

rifelpet · rifelpet · commit e996e7ef1627 · 2026-02-16T09:33:12.000-06:00
diff --git a/upup/pkg/fi/nodeup/command.go b/upup/pkg/fi/nodeup/command.go
@@ -290,7 +290,7 @@ func (c *NodeUpCommand) Run(out io.Writer) error {
 		}
 	}
 
-	if err := loadKernelModules(modelContext); err != nil {
+	if err := loadKernelModules(modelContext, distribution); err != nil {
 		return err
 	}
 
@@ -551,7 +551,7 @@ func modprobe(module string) error {
 // loadKernelModules is a hack to force br_netfilter to be loaded
 // and used by some components to load its recommended modules.
 // TODO: Move to tasks architecture
-func loadKernelModules(context *model.NodeupModelContext) error {
+func loadKernelModules(context *model.NodeupModelContext, distribution distributions.Distribution) error {
 	if context.NodeupConfig.Networking.Kindnet != nil {
 		err := modprobe("nfnetlink_queue")
 		if err != nil {
@@ -564,6 +564,16 @@ func loadKernelModules(context *model.NodeupModelContext) error {
 			klog.Warningf("error loading br_netfilter module: %v", err)
 		}
 	}
+	switch distribution {
+	case distributions.DistributionRocky9:
+		// Rocky 9 doesn't load nf_conntrack by default, and it's required for kube-proxy:
+		// "Error running ProxyServer" err="open /proc/sys/net/netfilter/nf_conntrack_max: no such file or directory"
+		// "command failed" err="open /proc/sys/net/netfilter/nf_conntrack_max: no such file or directory"
+		err := modprobe("nf_conntrack")
+		if err != nil {
+			klog.Warningf("error loading nf_conntrack module: %v", err)
+		}
+	}
 	// TODO: Add to /etc/modules-load.d/ ?
 	return nil
 }

Original file line number	Diff line number	Diff line change
`@@ -290,7 +290,7 @@ func (c *NodeUpCommand) Run(out io.Writer) error {`
`290`	`290`	`}`
`291`	`291`	`}`
`292`	`292`
`293`		`- if err := loadKernelModules(modelContext); err != nil {`
	`293`	`+ if err := loadKernelModules(modelContext, distribution); err != nil {`
`294`	`294`	`return err`
`295`	`295`	`}`
`296`	`296`
`@@ -551,7 +551,7 @@ func modprobe(module string) error {`
`551`	`551`	`// loadKernelModules is a hack to force br_netfilter to be loaded`
`552`	`552`	`// and used by some components to load its recommended modules.`
`553`	`553`	`// TODO: Move to tasks architecture`
`554`		`-func loadKernelModules(context *model.NodeupModelContext) error {`
	`554`	`+func loadKernelModules(context *model.NodeupModelContext, distribution distributions.Distribution) error {`
`555`	`555`	`if context.NodeupConfig.Networking.Kindnet != nil {`
`556`	`556`	`err := modprobe("nfnetlink_queue")`
`557`	`557`	`if err != nil {`
`@@ -564,6 +564,16 @@ func loadKernelModules(context *model.NodeupModelContext) error {`
`564`	`564`	`klog.Warningf("error loading br_netfilter module: %v", err)`
`565`	`565`	`}`
`566`	`566`	`}`
	`567`	`+ switch distribution {`
	`568`	`+ case distributions.DistributionRocky9:`
	`569`	`+ // Rocky 9 doesn't load nf_conntrack by default, and it's required for kube-proxy:`
	`570`	`+ // "Error running ProxyServer" err="open /proc/sys/net/netfilter/nf_conntrack_max: no such file or directory"`
	`571`	`+ // "command failed" err="open /proc/sys/net/netfilter/nf_conntrack_max: no such file or directory"`
	`572`	`+ err := modprobe("nf_conntrack")`
	`573`	`+ if err != nil {`
	`574`	`+ klog.Warningf("error loading nf_conntrack module: %v", err)`
	`575`	`+ }`
	`576`	`+ }`
`567`	`577`	`// TODO: Add to /etc/modules-load.d/ ?`
`568`	`578`	`return nil`
`569`	`579`	`}`