fix: ensure nf_conntrack module loaded for kubelite. (#4705)

This patch ensures that the `nf_conntrack` kernel module is loaded
before `kubelite` is started as the ProxyServer needs to read some
conntrack module-related params from procfs.

Previously, although the it would always crashed if the module wasn't
loaded, this wasn't that common of an occurrence in practice as there
are quite a few ways `nf_conntrack` gets loaded transparently:
* Cilium [automatically loads `iptable_nat`](https://github.com/cilium/cilium/blob/63cd391f93b4e2c865268241d384504348672042/pkg/datapath/iptables/iptables.go#L367-L368)
after a small startup delay, whose dependency tree includes `nf_conntrack`
* starting firewalld/ufw/most other firewall services
* setting iptables/nftables rules which imply session tracking

By explicitly loading `nf_conntrack` before starting `kubelite`,
it should ensure the procfs values ther ProxyServer reads are
always present on startup.

Signed-off-by: Nashwan Azhari <[email protected]>

Author: aznashwan

microk8s-resources/wrappers/run-kubelite-with-args

@@ -204,6 +204,19 @@ then
   fi
 fi
 
+# kube-proxy reads some values related to the 'nf_conntrack' kernel
+# module from procfs on startup, so we must ensure it is loaded:
+if ! [ -f /proc/sys/net/netfilter/nf_conntrack_max ]
+then
+  if /sbin/modprobe nf_conntrack || modprobe nf_conntrack
+  then
+    echo "Successfully loaded nf_conntrack module."
+  else
+    echo -n "Failed to load nf_conntrack kernel module. "
+    echo "ProxyServer will fail to start until it's loaded."
+  fi
+fi
+
 # on lxc containers do not try to change the conntrack configuration
 # see https://github.com/canonical/microk8s/issues/1438
 if grep -E lxc /proc/1/environ &&