NRPE charm creates conntrack check for LXD units

[sudeephb]

When applying the nrpe charm to an LXD unit, the charm creates a check_conntrack service. That's great, but for LXD the check itself falls over. The check finds the conntrack module, and then can't find nf_conntrack_max.

It's happier if I add:

if ! [ -f /proc/sys/net/netfilter/nf_conntrack_max ] ; then
echo "OK: no conntrack max present"
exit $STATE_OK
fi

I'd prefer to be able to just disable the check with a setting.

---

Imported from Launchpad using lp2gh.

• date created: 2017-04-07T00:13:26Z

• owner: hloeung

• assignee: paulgear

• duplicate of: Conntrack check does not work in LXD containers #36

• the launchpad url

[sudeephb]

(by xavpaice)
Fix was committed in response to https://bugs.launchpad.net/nrpe-charm/+bug/1673064 but this doesn't work on every occasion. I'm struggling to find a smoking gun for what's different but the fix committed checks for the conntrack module, which is loaded on these lxd containers:

ubuntu@juju-a8345d-0-lxd-9:~$ lsmod | grep conntrack
xt_conntrack 16384 0
x_tables 36864 16 xt_comment,ipt_REJECT,iptable_mangle,ip_tables,ebtables,iptable_filter,xt_tcpudp,iptable_raw,ipt_MASQUERADE,xt_connmark,ip6table_mangle,xt_CHECKSUM,ip6table_filter,ip6table_raw,xt_conntrack,ip6_tables
nf_conntrack_ipv6 20480 3
nf_conntrack_ipv4 16384 5
nf_defrag_ipv4 16384 1 nf_conntrack_ipv4
nf_defrag_ipv6 36864 2 nf_conntrack_ipv6,openvswitch
nf_conntrack 110592 9 nf_conntrack_ipv6,openvswitch,nf_conntrack_ipv4,xt_connmark,nf_nat_ipv6,nf_nat_masquerade_ipv4,xt_conntrack,nf_nat_ipv4,nf_nat

However, the actual check shows that nf_conntrack_max doesn't exist:
ubuntu@juju-a8345d-0-lxd-9:~$ sysctl net.netfilter.nf_conntrack_max
sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_max: No such file or directory