Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

no connections between containers on GKE #2943

Closed
rade opened this issue Nov 17, 2017 · 3 comments · Fixed by #2978
Closed

no connections between containers on GKE #2943

rade opened this issue Nov 17, 2017 · 3 comments · Fixed by #2978
Assignees
@rade
Labels
bug Broken end user or developer functionality; not working as the developers intended it k8s Pertains to integration with Kubernetes

Comments

@rade
Copy link
Member

rade commented Nov 17, 2017

We've got a cluster on GKE, and scope shows pod connections fine, e.g.
screenshot from 2017-11-17 10 05 03
but it does not show container connections
screenshot from 2017-11-17 10 05 47
except when they are in the host netns. Neither does it show process connections unless they are on the host netns.
@rade rade added bug Broken end user or developer functionality; not working as the developers intended it k8s Pertains to integration with Kubernetes labels Nov 17, 2017
@rade
Copy link
Member Author

rade commented Nov 17, 2017

I've looked at the report. The containers do not have any IPs associated with them. That's because docker doesn't know about container IPs in the context of k8s. However, the probes should detect connections at the process level, which should then "bubble up" to the container level. See also #2586. So the question is why that isn't working here. Note that on GKE we don't get eBPF, so connections are tracked via conntrack, netstat and proc walking.

@rade
Copy link
Member Author

rade commented Nov 17, 2017

@bboreham has suggested that the probes could obtain container IPs in a similar fashion how they determine weave IPs, via weaveutil container-addrs <bridge> ...
.

@rade rade mentioned this issue Dec 10, 2017
Open
@rade
Copy link
Member Author

rade commented Dec 12, 2017

So the question is why that isn't working here. Note that on GKE we don't get eBPF, so connections are tracked via conntrack, netstat and proc walking.

The latter (which is #2769) is certainly part of the reason; some short-lived connections, e.g. from load-test to front-end and front-end to catalogue aren't associated with processes because of that. However, we are also missing long-lived connections. The reason for that is #2668, which turns out to exclude more connections than it should, namely NATed connections.

@rade rade self-assigned this Dec 12, 2017
@rade rade mentioned this issue Dec 12, 2017
Merged
rade added a commit that referenced this issue Dec 15, 2017
@rade
Merge pull request #2978 from weaveworks/2943-map-nats
ae09b1c 
don't exclude NATed connections in mapping to processes

Fixes #2943
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rade rade

Labels
bug Broken end user or developer functionality; not working as the developers intended it k8s Pertains to integration with Kubernetes
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

don't exclude NATed connections in mapping to processes weaveworks/scope
1 participant
@rade