Conntrack events seemingly broken on Container-Optimized OS

[Alfonso Acosta]

Hi,

Conntrack events (i.e. conntack -E) don't seem to be working on Container-Optimized OS. For instance

# docker run --net=host --privileged --rm cap10morgan/conntrack -E

^Cconntrack v1.4.2 (conntrack-tools): 0 flow events have been shown.

gets stuck and doesn't print any events even if connections are happening. 

IPtables doesn't show evidence of conntrack being disabled and listing the flows does work without problems:

e.g.

In a terminal I do

# nc 8.8.8.8 80

And in another terminal I get

# docker run --net=host --privileged --rm cap10morgan/conntrack -L | grep 8.8.8.8

tcp      6 86311 ESTABLISHED src=10.240.0.4 dst=8.8.8.8 sport=36521 dport=80 src=8.8.8.8 dst=10.240.0.4 sport=80 dport=36521 [ASSURED] mark=0 use=1 id=3957064024

Has anyone run into this? It's difficult to troubleshoot this much further without access to the source and connection tracking is fundamental to our monitoring product.

For more information please see https://github.com/weaveworks/scope/issues/2032

Thanks,

Alfonso Accosta

[Alfonso Acosta]

OK, it seems that the kernel is not compiled with CONFIG_NF_CONNTRACK_EVENTS support

# sysctl net.netfilter.nf_conntrack_events

sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_events: No such file or directory

This option is enabled in other container OSs (CoreOS, ECS ...). How can I request Google to include it? 

I will make a feature request at  https://code.google.com/p/google-compute-engine/

[Alfonso Acosta]

Done: https://code.google.com/p/google-compute-engine/issues/detail?id=499

[Faizan (Google Cloud Support)]

Hello Alfonso,

Thank you for reporting this through issue tracker. I'll go ahead and triage the feature request before I forward it to the product engineering team. If you have further questions or updates you can post them on issue tracker thread[1].

Faizan

[1]  https://code.google.com/p/google-compute-engine/issues/detail?id=499