From: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
To: Jean-Marc Pigeon <jmp-4qkeo2rQ0gg@public.gmane.org>
Cc: Linux Containers <containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org>
Subject: Re: iptables in container, wrong log destination, need pointer
Date: Thu, 11 Feb 2010 11:51:10 -0600
Message-ID: <20100211175110.GG6884@us.ibm.com>
In-Reply-To: <1265898746.19130.119.camel-4BUXZ/Ty1v7iqR6jatDSCA@public.gmane.org>
Quoting Jean-Marc Pigeon (jmp-4qkeo2rQ0gg@public.gmane.org):
> Hello,
>
>
> I have containerized syslog, such that each container has its
> own syslog.
>
> Containers can have their own set of iptables rules.
>
> I was expecting CONT: iptables log report to be
> sent to the CONT: syslog, which is not the case,
> they are rather sent to HOST: syslog.
>
> This means to me, iptables rules are containerized,
> but the execution is NOT (CONT: rules are checked
> within the HOST: context, not the CONT: context).
>
> Could somebody give me hint where I should look
> in the code, to have a better understanding about
> what is happening?

Again, printk can be called from any context, so you can't
rely on 'current'. But you are relying on current in
emit_log_char() to get the syslog_ns. That is why you're
getting that.

You're going to have to keep a separate container_printk
(nsprintk) which is called with a syslog_ns. Then in
functions where you know you can determine the syslog_ns,
you can call that fn instead of printk and pass the ns.

Note that since iptables printks are happening out of
context, this means yet another problem: you'll need to
have a way to get the syslog_ns from the netns, which
I suspect is the only thing you can track at that point.

-serge
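
A user-space model of the routing problem and the explicit-namespace fix discussed in the reply above, added as an example; it is not code from this thread or from the kernel. `syslog_ns` and `nsprintk` are the names used in the message, while the `net_ns.syslog` link, `model_printk`, `routed_to_container` and the sample log line are assumptions.

```c
/* User-space model, not kernel code. syslog_ns and nsprintk are the names
 * used in the message; net_ns.syslog and everything else is assumed. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

struct syslog_ns { char buf[256]; size_t len; };
struct net_ns { struct syslog_ns *syslog; }; /* assumed netns -> syslog_ns link */
struct task { struct syslog_ns *syslog; };

static struct syslog_ns host_log, cont_log;
static struct net_ns cont_net = { &cont_log };
static struct task host_task = { &host_log };
static struct task *current = &host_task; /* whichever task was interrupted */

/* Models nsprintk: the caller passes the namespace explicitly. */
static void nsprintk(struct syslog_ns *ns, const char *fmt, ...)
{
    size_t room = sizeof(ns->buf) - ns->len; /* always >= 1 */
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(ns->buf + ns->len, room, fmt, ap);
    va_end(ap);
    if (n > 0)
        ns->len += (size_t)n < room ? (size_t)n : room - 1;
}

/* Models the behaviour described above: the buffer comes from 'current'. */
#define model_printk(...) nsprintk(current->syslog, __VA_ARGS__)

/* A container's LOG rule fires in packet context while a host task runs.
 * Returns 1 if the line reached only the container's log, else 0. */
int routed_to_container(int use_nsprintk)
{
    memset(&host_log, 0, sizeof(host_log));
    memset(&cont_log, 0, sizeof(cont_log));
    current = &host_task;
    if (use_nsprintk)
        nsprintk(cont_net.syslog, "CONT-DROP: IN=eth0\n");
    else
        model_printk("CONT-DROP: IN=eth0\n");
    return cont_log.len > 0 && host_log.len == 0;
}

int main(void)
{
    printf("current: %d, nsprintk: %d\n", routed_to_container(0), routed_to_container(1));
    return 0;
}
```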