
Collect nf_conntrack_count from every namespace on host

Open HappyFX opened this issue 3 years ago • 6 comments

When running with network namespaces, the counter in /proc/sys/net/netfilter/nf_conntrack_count shows the correct value only for the default namespace. In the basic Linux kernel logic the node_nf_conntrack_entries_limit limit is shared between all namespaces, but with node exporter we can only get nf_conntrack_count from the default namespace, and we can't see the real sum of all network namespaces' nf_conntrack_count in the kernel.

Host operating system: output of uname -a

Any linux host

node_exporter version: output of node_exporter --version

/opt/node_exporter/node_exporter --version
node_exporter, version 0.17.0 (branch: HEAD, revision: f6f6194a436b9a63d0439abc585c76b19a206b21)
  build user:       root@322511e06ced
  build date:       20181130-15:51:33
  go version:       go1.11.2

node_exporter command line flags

/opt/node_exporter/node_exporter --path.procfs /host/proc --path.sysfs /host/sys 

Are you running node_exporter in Docker?

Yes

What did you do that produced an error?

Use namespaces in linux:

# ip net
qrouter-9d52c01b-4fbd-4d19-8ac5-f6d0ecd2a1df (id: 0)
qrouter-154d0d5b-18be-409b-bb15-f8f67c23ecb7 (id: 1)

What did you expect to see?

# HELP node_nf_conntrack_entries Number of currently allocated flow entries for connection tracking.
# TYPE node_nf_conntrack_entries gauge
node_nf_conntrack_entries{namespace="default"} 90733
node_nf_conntrack_entries{namespace="qrouter-9d52c01b-4fbd-4d19-8ac5-f6d0ecd2a1df"} 203342
node_nf_conntrack_entries{namespace="qrouter-154d0d5b-18be-409b-bb15-f8f67c23ecb7"} 506541

What did you see instead?

# HELP node_nf_conntrack_entries Number of currently allocated flow entries for connection tracking.
# TYPE node_nf_conntrack_entries gauge
node_nf_conntrack_entries 90733

HappyFX avatar Jan 07 '22 18:01 HappyFX

Related: #295

This seems to be a real problem. Whether we expose all metrics per namespace or just sum them up, we need to handle this somehow.. @SuperQ wdyt?

discordianfish avatar Jan 10 '22 10:01 discordianfish

+1 for @discordianfish

yusufgungor avatar Dec 21 '23 20:12 yusufgungor

This sounds like a job for cAdvisor, not node_exporter.

SuperQ avatar Dec 22 '23 10:12 SuperQ

@SuperQ The issue is, as I understand it, that we report the wrong numbers as soon as namespaces are used. While I don't want to get into the cAdvisor space, we can't just ignore that we're "missing" conntrack entries when monitoring reaching the node_nf_conntrack_entries_limit.

discordianfish avatar Jan 29 '24 10:01 discordianfish

Yes, I see that. But I'm not sure we'll be able to do anything about this in the node_exporter. Since this is done via network namespaces we would need to nsenter each namespace to get the /proc/sys/net/netfilter/nf_conntrack_count. I'm guessing this will require root, which we don't support.

SuperQ avatar Jan 29 '24 14:01 SuperQ

@SuperQ Sure this is the only way? If so, I agree this is excessive..

discordianfish avatar Feb 04 '24 13:02 discordianfish
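The per-namespace walk SuperQ describes above (nsenter into each network namespace and read nf_conntrack_count) can be done outside node_exporter by a root-run script that writes the result for node_exporter's textfile collector (`--collector.textfile.directory`). The script below is an added example, not code from node_exporter or from anyone in this thread. It assumes namespaces are registered under /var/run/netns as `ip netns` does (the qrouter-* namespaces shown in the issue are of that kind), that `nsenter` from util-linux is available, and that the textfile directory path in `main` is adjusted to the local setup. It uses its own metric names rather than node_nf_conntrack_entries so the textfile collector does not collide with the built-in conntrack collector.

```shell
#!/bin/sh
# Added example (not node_exporter code): read nf_conntrack_count inside every
# network namespace and emit Prometheus text format for the textfile collector.
# Must run as root, because entering another namespace requires setns().

CONNTRACK_FILE=/proc/sys/net/netfilter/nf_conntrack_count
NETNS_DIR=/var/run/netns   # assumption: iproute2-style namespace registry

# read_count NAME: print the conntrack count as seen from namespace NAME.
# "default" means the namespace this script itself runs in.
read_count() {
    if [ "$1" = default ]; then
        cat "$CONNTRACK_FILE"
    else
        nsenter --net="$NETNS_DIR/$1" cat "$CONNTRACK_FILE"
    fi
}

# format_metrics: read "name count" pairs on stdin and print one labelled gauge
# per namespace plus a summed gauge that can be compared with the shared limit.
# Lines that are not "name <integer>" (e.g. a namespace without conntrack) are skipped.
format_metrics() {
    awk '
    BEGIN {
        print "# HELP netns_nf_conntrack_entries Allocated conntrack entries per network namespace."
        print "# TYPE netns_nf_conntrack_entries gauge"
    }
    NF == 2 && $2 ~ /^[0-9]+$/ {
        printf "netns_nf_conntrack_entries{namespace=\"%s\"} %d\n", $1, $2
        total += $2
    }
    END {
        print "# HELP netns_nf_conntrack_entries_sum Sum of conntrack entries over all network namespaces."
        print "# TYPE netns_nf_conntrack_entries_sum gauge"
        printf "netns_nf_conntrack_entries_sum %d\n", total + 0
    }'
}

# collect: enumerate the default namespace plus everything in NETNS_DIR and
# print "name count" for each; namespaces that cannot be read are skipped.
collect() {
    echo "default $(read_count default)"
    for ns in "$NETNS_DIR"/*; do
        [ -e "$ns" ] || continue
        name=${ns##*/}
        count=$(read_count "$name" 2>/dev/null) || continue
        echo "$name $count"
    done
}

# main [OUTPUT_FILE]: write atomically (rename) so node_exporter never reads a
# half-written file. Default path is an assumption; match your textfile directory.
main() {
    out=${1:-/var/lib/node_exporter/textfile/netns_conntrack.prom}
    collect | format_metrics > "$out.$$" && mv "$out.$$" "$out"
}

# Only run the collection when invoked as the script itself (e.g. from cron as
# netns_conntrack.sh); when sourced, just define the functions above.
case "$0" in
    *netns_conntrack*) main "$@" ;;
esac
```

Run it from cron or a systemd timer as root, then alert on `netns_nf_conntrack_entries_sum / node_nf_conntrack_entries_limit` instead of the default-namespace-only `node_nf_conntrack_entries`; the per-namespace series tell you which router or container is responsible when the sum approaches the limit.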