From: Jean-Marc Pigeon <jmp-4qkeo2rQ0gg@public.gmane.org>
To: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
"Eric W. Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Subject: Re: container sharing /proc/kmsg???
Date: Wed, 13 Jan 2010 11:48:57 -0500 [thread overview]
Message-ID: <1263401337.4745.282.camel@Mercier.safe.ca> (raw)
In-Reply-To: <20100113163251.GA18184-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
Hello,
Hello,
> > Namely, I have in iptables, reject packet logging
> > on the HOST, as soon rsyslog is started on one
> > container, I can't see my reject packet log anymore.
> >
[...]
> > If I am right, should ALL /proc/kmsg be isolated from
> > each other???
> >
> > How could it be done??
>
> Well, the results of do_syslog() should be containerized. Kernel
> messages (oopses for instance) should always go to the initial
> container. Shouldn't be hard to do, but the question is what do
> we tie it to? User namespace? Network namespace? Eric, is this
> something you've thought about at all?
>
> I'm tempted to say userns makes the most sense - if you start a new
> userns you likely always want private syslog, whereas with netns and
> pidns you may not.
I am not a kernel expert, but my guess/answer is
"user namespace".
I mean container /proc return only process number/info
pertaining to container.
Likewise /proc/kmsg should be container own, after all
if iptables rules can be specific to container AND
iptables can log via kmsg, then message must be reported
to container (and duplicated to kmsg host?) and do not
make trouble to host.
>
> -serge
--
A bientôt
==========================================================================
Jean-Marc Pigeon Internet: jmp@safe.ca
SAFE Inc. Phone: (514) 493-4280
Fax: (514) 493-1946
Clement, 'a kiss solution' to get rid of SPAM (at last)
Clement' Home base <"http://www.clement.safe.ca">
==========================================================================
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
next prev parent reply other threads:[~2010-01-13 16:48 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-01-12 22:09 container sharing /proc/kmsg??? Jean-Marc Pigeon
[not found] ` <1263334195.4745.250.camel-4BUXZ/Ty1v7iqR6jatDSCA@public.gmane.org>
2010-01-13 16:32 ` Serge E. Hallyn
[not found] ` <20100113163251.GA18184-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-01-13 16:48 ` Jean-Marc Pigeon [this message]
[not found] ` <1263401337.4745.282.camel-4BUXZ/Ty1v7iqR6jatDSCA@public.gmane.org>
2010-01-13 17:05 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1263401337.4745.282.camel@Mercier.safe.ca \
--to=jmp-4qkeo2rq0gg@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox