Merge pull request #1653 from weaveworks/1598-no-host-short-lived-tracking

Do not infer short-lived connections for host-networking containers
2026-03-06 03:31:00 +00:00 · 2016-07-07 17:53:08 +01:00
parent 17dc928b07 26c6249516
commit 9a77380a59
2 changed files with 22 additions and 8 deletions
--- a/probe/docker/reporter.go
+++ b/probe/docker/reporter.go
@@ -17,6 +17,7 @@ const (
 	ImageName         = "docker_image_name"
 	ImageLabelPrefix  = "docker_image_label_"
 	OverlayPeerPrefix = "docker_peer_"
+	IsInHostNetwork   = "docker_is_in_host_network"
 )

 // Exposed for testing
@@ -191,21 +192,21 @@ func (r *Reporter) containerTopology(localAddrs []net.IP) report.Topology {
 				Add(ContainerIPsWithScopes, report.MakeStringSet(hostIPsWithScopes...))
 		}

-		var networkInfo func(prefix string) report.Sets
-		networkInfo = func(prefix string) report.Sets {
+		var networkInfo func(prefix string) (report.Sets, bool)
+		networkInfo = func(prefix string) (ips report.Sets, isInHostNamespace bool) {
 			container, ok := r.registry.GetContainerByPrefix(prefix)
 			if !ok {
-				return report.EmptySets
+				return report.EmptySets, false
 			}

 			networkMode, ok := container.NetworkMode()
 			if ok && strings.HasPrefix(networkMode, "container:") {
 				return networkInfo(networkMode[10:])
 			} else if ok && networkMode == NetworkModeHost {
-				return hostNetworkInfo
+				return hostNetworkInfo, true
 			}

-			return container.NetworkInfo(localAddrs)
+			return container.NetworkInfo(localAddrs), false
 		}

 		for _, node := range nodes {
@@ -213,8 +214,17 @@ func (r *Reporter) containerTopology(localAddrs []net.IP) report.Topology {
 			if !ok {
 				continue
 			}
-			networkInfo := networkInfo(id)
-			result.AddNode(node.WithSets(networkInfo))
+			networkInfo, isInHostNamespace := networkInfo(id)
+			node = node.WithSets(networkInfo)
+			// Indicate whether the container is in the host network
+			// The container's NetworkMode is not enough due to
+			// delegation (e.g. NetworkMode="container:foo" where
+			// foo is a container in the host networking namespace)
+			if isInHostNamespace {
+				node = node.WithLatests(map[string]string{IsInHostNetwork: "true"})
+			}
+			result.AddNode(node)
+
 		}
 	}

--- a/render/container.go
+++ b/render/container.go
@@ -249,7 +249,11 @@ var portMappingMatch = regexp.MustCompile(`([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.
 func MapContainer2IP(m report.Node) []string {
 	// if this container doesn't make connections, we can ignore it
 	_, doesntMakeConnections := m.Latest.Lookup(report.DoesNotMakeConnections)
-	if doesntMakeConnections {
+	// if this container belongs to the host's networking namespace
+	// we cannot use its IP to attribute connections
+	// (they could come from any other process on the host or DNAT-ed IPs)
+	_, isInHostNetwork := m.Latest.Lookup(docker.IsInHostNetwork)
+	if doesntMakeConnections || isInHostNetwork {
 		return nil
 	}