Merge pull request #1653 from weaveworks/1598-no-host-short-lived-tra…

…cking Do not infer short-lived connections for host-networking containers
weaveworks · Jul 7, 2016 · 9a77380 · 9a77380
2 parents 17dc928 + 26c6249
commit 9a77380
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 8 deletions.
diff --git a/probe/docker/reporter.go b/probe/docker/reporter.go
@@ -17,6 +17,7 @@ const (
 	ImageName         = "docker_image_name"
 	ImageLabelPrefix  = "docker_image_label_"
 	OverlayPeerPrefix = "docker_peer_"
+	IsInHostNetwork   = "docker_is_in_host_network"
 )
 
 // Exposed for testing
@@ -191,30 +192,39 @@ func (r *Reporter) containerTopology(localAddrs []net.IP) report.Topology {
 				Add(ContainerIPsWithScopes, report.MakeStringSet(hostIPsWithScopes...))
 		}
 
-		var networkInfo func(prefix string) report.Sets
-		networkInfo = func(prefix string) report.Sets {
+		var networkInfo func(prefix string) (report.Sets, bool)
+		networkInfo = func(prefix string) (ips report.Sets, isInHostNamespace bool) {
 			container, ok := r.registry.GetContainerByPrefix(prefix)
 			if !ok {
-				return report.EmptySets
+				return report.EmptySets, false
 			}
 
 			networkMode, ok := container.NetworkMode()
 			if ok && strings.HasPrefix(networkMode, "container:") {
 				return networkInfo(networkMode[10:])
 			} else if ok && networkMode == NetworkModeHost {
-				return hostNetworkInfo
+				return hostNetworkInfo, true
 			}
 
-			return container.NetworkInfo(localAddrs)
+			return container.NetworkInfo(localAddrs), false
 		}
 
 		for _, node := range nodes {
 			id, ok := report.ParseContainerNodeID(node.ID)
 			if !ok {
 				continue
 			}
-			networkInfo := networkInfo(id)
-			result.AddNode(node.WithSets(networkInfo))
+			networkInfo, isInHostNamespace := networkInfo(id)
+			node = node.WithSets(networkInfo)
+			// Indicate whether the container is in the host network
+			// The container's NetworkMode is not enough due to
+			// delegation (e.g. NetworkMode="container:foo" where
+			// foo is a container in the host networking namespace)
+			if isInHostNamespace {
+				node = node.WithLatests(map[string]string{IsInHostNetwork: "true"})
+			}
+			result.AddNode(node)
+
 		}
 	}
 

diff --git a/render/container.go b/render/container.go
@@ -249,7 +249,11 @@ var portMappingMatch = regexp.MustCompile(`([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.
 func MapContainer2IP(m report.Node) []string {
 	// if this container doesn't make connections, we can ignore it
 	_, doesntMakeConnections := m.Latest.Lookup(report.DoesNotMakeConnections)
-	if doesntMakeConnections {
+	// if this container belongs to the host's networking namespace
+	// we cannot use its IP to attribute connections
+	// (they could come from any other process on the host or DNAT-ed IPs)
+	_, isInHostNetwork := m.Latest.Lookup(docker.IsInHostNetwork)
+	if doesntMakeConnections || isInHostNetwork {
 		return nil
 	}