Container with container-network gets assigned bogus port mappings after VCH restart

[corrieb]

User Statement:

As a VIC user, I need docker ps to show me correct information after a VCH upgrade or reconfigure.

Details:

I'm not yet sure of the severity of this issue. It may be as minor as docker ps reporting wrong information, or as major as the networking being misconfigured on the containerVM leading to other issues.

Found using the most recent build 13393. Easy to reproduce:

$ docker run -d --net=ExternalNetwork -p 80 nginx
$ docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
d27e4651c267        nginx               "nginx -g daemon off;"   20 seconds ago      Up 18 seconds                           pedantic_hugle

now restart the VCH, either by doing an upgrade, reconfigure or a literal power cycle.

$ docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS              PORTS                         NAMES
d27e4651c267        nginx               "nginx -g daemon off;"   About a minute ago   Up About a minute   10.118.69.115:32768->80/tcp   pedantic_hugle

Note that this container VM now has port mappings, which it shouldn't have, given that it's connected to a container network.

Acceptance Criteria:

I would like someone who understands the code to at least offer an opinion as to the severity of this issue.

[hmahmood]

Since the port is being mapped to a random port on the VCH, there is a sort of security breach I suppose, since the container is now exposed through the VCH. But I think this should be easy to fix: we just need to add another condition (to check if the endpoint is for a container network) to https://github.com/vmware/vic/blob/master/lib/apiservers/engine/backends/backends.go#L324 .

[anchal-agrawal]

@corrieb @hmahmood Assigning medium priority, please re-assess if needed.

[hickeng]

@hmahmood agree that we should be checking if the endpoint is for a container network.
@corrieb Is the port mapping even functional? Looks like the container would not be connected to the bridge network.

On a different note - would be nice if we could provide the container network IP for published ports ;)

[corrieb]

@hickeng I didn't think it was functional, but this is why I asked @hasan to look at it. He seems to suggest above that it is - "now being exposed through the VCH"

[corrieb]

+100 to displaying the container IP in docker ps :)

[hmahmood]

@hickeng good point ... looking at the MapPorts function implementation, we add an iptables rule for the bridge interface, so the mapping is there, but not functional. There is an open port now on the VCH, although it goes nowhere; this mitigates the issue for me.

[corrieb]

Good to know. Remains a highly visible UX issue though.