From: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
To: Jean-Marc Pigeon <jmp-4qkeo2rQ0gg@public.gmane.org>
Cc: Linux Containers
<containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org>,
lxc-users-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
Subject: Re: Kernel 2.6.33-rc6, 3 bugs container specific.
Date: Tue, 2 Feb 2010 15:32:54 -0600 [thread overview]
Message-ID: <20100202213254.GH32305@us.ibm.com> (raw)
In-Reply-To: <1265136215.6260.261.camel-4BUXZ/Ty1v7iqR6jatDSCA@public.gmane.org>
Quoting Jean-Marc Pigeon (jmp-4qkeo2rQ0gg@public.gmane.org):
> Hello,
>
>
> >
> > I was wondering out loud about the best design to solve his problem.
> >
> > If we try to redirect kernel-generated messages to containers, we have
> > several problems, including whether we need to duplicate the messages
> > to the host container. So in one sense it seems more flexible to
> > 1. send everything to host syslog
> No, if we do that all CONTs message will reach
> the same bucket and it will be difficult to sort
> them out..
> CONT sys_admin and HOST sys_admin could be different
> "entity", so you debug CONT config and critical
> needed information reach HOST (which you do not
> have access to).
Yes, so a privileged task on HOST must pass that information back to
you on CONT. That is not a valid complaint imo. But how to sort the
msgs out is a valid question.
We need some sort of identifier, unique system-wide, attached to.. something.
Is ifindex unique system-wide right now? Oh, IIRC it is, but we wnat it to
be containerized, so that would be a bad choice :)
> > 2. clamp down on syslog use by processes not in the init_user_ns
> Could give me more detail??...
Simplest choices would be to just refuse sys_syslog() and open(/proc/kmsg)
altogether from a container, or to only allow reading/writing messages
to own syslog. (I had hoped to find time to try out the second option but
simply haven't had the time, and it doesn't look like I will very soon.
So if anyone else wants to, pls jump at it...)
Then /proc/kmsg can provide what I described above through a FUSE file,
and if, as you mentioned, the container unmounts the FUSE fs and gets
to real procfs, they just get nothing.
> > 3. let the userspace on the host copy messages into a socket or
> > file so child container can pretend it has real syslog.
>
> So you trap printk message from CONT on the HOST and
> redirect them on CONT but on a standard syslog channel.
> Seem OK to me, as long /proc/kmsg is not existing
> (/dev/null) in the CONT file tree.
>
> --
> A bientôt
> ==========================================================================
> Jean-Marc Pigeon Internet: jmp-4qkeo2rQ0gg@public.gmane.org
> SAFE Inc. Phone: (514) 493-4280
> Fax: (514) 493-1946
> Clement, 'a kiss solution' to get rid of SPAM (at last)
> Clement' Home base <"http://www.clement.safe.ca">
> ==========================================================================
------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
next prev parent reply other threads:[~2010-02-02 21:32 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1265074676.6260.212.camel@Mercier.safe.ca>
[not found] ` <20100202031647.GA14318@fqdn.org>
[not found] ` <1265121846.6260.231.camel@Mercier.safe.ca>
[not found] ` <4B68649D.2000503@free.fr>
[not found] ` <4B68649D.2000503-GANU6spQydw@public.gmane.org>
2010-02-02 18:18 ` Kernel 2.6.33-rc6, 3 bugs container specific Serge E. Hallyn
[not found] ` <20100202181801.GA28412-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-02-02 18:43 ` Jean-Marc Pigeon
[not found] ` <1265136215.6260.261.camel-4BUXZ/Ty1v7iqR6jatDSCA@public.gmane.org>
2010-02-02 21:32 ` Serge E. Hallyn [this message]
[not found] ` <20100202213254.GH32305-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-02-03 10:51 ` Daniel Lezcano
[not found] ` <4B695535.7020301-GANU6spQydw@public.gmane.org>
2010-02-03 13:24 ` Jean-Marc Pigeon
2010-02-03 15:03 ` Serge E. Hallyn
[not found] ` <20100203150350.GA7146-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-02-03 15:48 ` Jean-Marc Pigeon
[not found] ` <1265212090.6260.284.camel-4BUXZ/Ty1v7iqR6jatDSCA@public.gmane.org>
2010-02-03 16:21 ` Serge E. Hallyn
2010-02-04 9:33 ` Daniel Lezcano
[not found] ` <4B6A9461.1010309-GANU6spQydw@public.gmane.org>
2010-02-04 15:19 ` [Lxc-users] " Serge E. Hallyn
[not found] ` <20100204151927.GA7556-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-02-04 16:02 ` Cedric Le Goater
2010-02-02 14:46 Jean-Marc Pigeon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100202213254.GH32305@us.ibm.com \
--to=serue-r/jw6+rmf7hqt0dzr+alfa@public.gmane.org \
--cc=containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org \
--cc=jmp-4qkeo2rQ0gg@public.gmane.org \
--cc=lxc-users-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.