From: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
To: Jean-Marc Pigeon <jmp-4qkeo2rQ0gg@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
"Eric W. Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Subject: Re: container sharing /proc/kmsg???
Date: Wed, 13 Jan 2010 11:05:01 -0600 [thread overview]
Message-ID: <20100113170501.GA19649@us.ibm.com> (raw)
In-Reply-To: <1263401337.4745.282.camel-4BUXZ/Ty1v7iqR6jatDSCA@public.gmane.org>
Quoting Jean-Marc Pigeon (jmp-4qkeo2rQ0gg@public.gmane.org):
> Hello,
>
> Hello,
>
> > > Namely, I have in iptables, reject packet logging
> > > on the HOST, as soon rsyslog is started on one
> > > container, I can't see my reject packet log anymore.
> > >
> [...]
>
> > > If I am right, should ALL /proc/kmsg be isolated from
> > > each other???
> > >
> > > How could it be done??
> >
> > Well, the results of do_syslog() should be containerized. Kernel
> > messages (oopses for instance) should always go to the initial
> > container. Shouldn't be hard to do, but the question is what do
> > we tie it to? User namespace? Network namespace? Eric, is this
> > something you've thought about at all?
> >
> > I'm tempted to say userns makes the most sense - if you start a new
> > userns you likely always want private syslog, whereas with netns and
> > pidns you may not.
>
> I am not a kernel expert, but my guess/answer is
> "user namespace".
> I mean container /proc return only process number/info
> pertaining to container.
> Likewise /proc/kmsg should be container own, after all
> if iptables rules can be specific to container AND
> iptables can log via kmsg, then message must be reported
> to container (and duplicated to kmsg host?) and do not
> make trouble to host.
/proc/kmsg is just hooked int do_syslog(), the same helper used
by sys_sylog(), so we should be able to address this purely in
kernel/printk.c.
If I get some time tonight I may whip up a proof of concept, though
if anyone else wants to have at, please do.
-serge
prev parent reply other threads:[~2010-01-13 17:05 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-01-12 22:09 container sharing /proc/kmsg??? Jean-Marc Pigeon
[not found] ` <1263334195.4745.250.camel-4BUXZ/Ty1v7iqR6jatDSCA@public.gmane.org>
2010-01-13 16:32 ` Serge E. Hallyn
[not found] ` <20100113163251.GA18184-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-01-13 16:48 ` Jean-Marc Pigeon
[not found] ` <1263401337.4745.282.camel-4BUXZ/Ty1v7iqR6jatDSCA@public.gmane.org>
2010-01-13 17:05 ` Serge E. Hallyn [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100113170501.GA19649@us.ibm.com \
--to=serue-r/jw6+rmf7hqt0dzr+alfa@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=jmp-4qkeo2rQ0gg@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.