Linux Container Development
From: Jean-Marc Pigeon <jmp-4qkeo2rQ0gg@public.gmane.org>
To: Matt Helsley <matthltc-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
Cc: Linux Containers <containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org>
Subject: Re: [PATCH 1/1] Syslog are now containerized
Date: Sat, 13 Feb 2010 19:51:44 -0500	[thread overview]
Message-ID: <1266108704.19130.346.camel@Mercier.safe.ca> (raw)
In-Reply-To: <20100213223306.GB3714-52DBMbEzqgQ/wnmkkaCWp/UQ3DHhIser@public.gmane.org>

Hello,

On Sat, 2010-02-13 at 14:33 -0800, Matt Helsley wrote:
> On Sat, Feb 13, 2010 at 04:56:16PM -0500, Jean-Marc Pigeon wrote:
> > Hello,
> > 
> > [...]

> 
> Yes. Namespace boundaries only coincide if userspace chooses to
> make them coincide. For example, the tasks in a network namespace
> do not necessarily all share the same mount namespace.
> 
> > 	Does this mean (simple example) that someone changing
> > 	iptables rules for one container could change
> > 	another unrelated container's behavior?!... no way...
> 
> Two "unrelated containers" would share the same iptables rules
> so long as they share a network namespace.
	So ... logic means.... those two unrelated containers
	do not "own" the iptables rules.
	But let's say, for fun, a process within container 1
	changes the rules (locking out ssh access); does it mean
	ssh connections on container 2 are now locked out too...
	If you say "container 0", which containers 1 and 2
	are included in, decided to lock ssh access, then
	it's OK.
	Containers 1 and 2 are still unrelated, right, but both
	are related to container 0, and the syslog report must
	go to container 0.
	(once again it is a clean cut.)
	
[...]
	

> > > That part of the proposal is simple and makes a lot of sense. The
> > > ramifications of it on kernel code are not simple and often there's
> > > no clean way to do it.
> > 	Well, this troubles me somewhat....
> > 	2.6.18-128.2.1.el5.028stab064.7 (just an example, I am using
> > 	it day to day) is containerising iptables and other syslogs
> > 	in a nice way....,
> 
> Er.. you have a 2.6.18 kernel "containerising iptables and other syslogs"?
> I didn't think iptables supported network namespaces until somewhat
> recently. Is this an openvz-patched kernel you're talking about?

	Yep! release date 07-Nov-2009, and I am pretty sure
	2.6.18-53.1.19.el5.028stab053.14 release date 21-May-2008 
	was doing it too...

	Iptable logs are reported to VZ (I have an example
	right in front of me)

Feb 13 14:42:13 host1 kernel: RJCT IN=venet0 OUT= MAC= SRC=X.X.X.X
DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58325 DF PROTO=TCP
SPT=37248 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

	When I said monthssss, I really mean it.

> Careful. "no clean way to do it" does not mean "can't be done".
	Agreed.... container networking, it seems to me, is implemented
	in a far better way than on VZ, so it is possible to implement
	a good idea in a clean way.


-- 
A bientôt
==========================================================================
Jean-Marc Pigeon                                   Internet: jmp@safe.ca
SAFE Inc.                                          Phone: (514) 493-4280
                                                   Fax:   (514) 493-1946
        Clement, 'a kiss solution' to get rid of SPAM (at last)
           Clement' Home base <"http://www.clement.safe.ca">
==========================================================================

_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
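Two checks that follow from the exchange above, written here as an added example rather than code from this thread or from the syslog patch under discussion. The first answers Matt's point directly: two processes share one set of iptables rules exactly when they share a network namespace, and on a modern Linux kernel that can be checked from `/proc/<pid>/ns/net` without root (this symlink did not exist on the 2.6.18 kernels mentioned in the message, so the function returns `None` where it is unavailable). The second parses the netfilter LOG line Jean-Marc quotes into fields, so a collector on "container 0" can tell which interface (`IN=venet0`) and which destination port a rejected packet hit. The sample line is the one from the message, re-joined onto a single line; the field names are the standard netfilter LOG keys, and the function names are my own.

```python
"""Added example: reason about shared iptables rules via /proc namespace
ids, and parse a netfilter LOG line as quoted in the thread."""
import os
import re

# Constructed sample: the kernel log line quoted in the message, joined
# back onto one line (the mail archive wrapped it at 72 columns).
SAMPLE_LINE = (
    "Feb 13 14:42:13 host1 kernel: RJCT IN=venet0 OUT= MAC= SRC=X.X.X.X "
    "DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58325 DF PROTO=TCP "
    "SPT=37248 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0"
)

# Classic syslog header: "<Mon DD HH:MM:SS> <host> kernel: <body>"
_SYSLOG_HEAD = re.compile(
    r"^(?P<ts>[A-Za-z]{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) kernel: (?P<body>.*)$"
)


def parse_netfilter_log(line):
    """Split a netfilter LOG line into timestamp, host, --log-prefix text,
    key=value fields (OUT= and MAC= stay present with empty values) and
    bare flags such as DF or SYN. Returns None for non-matching lines."""
    m = _SYSLOG_HEAD.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": m.group("ts"), "host": m.group("host"),
           "prefix": "", "fields": {}, "flags": []}
    prefix_words = []
    seen_kv = False
    for tok in m.group("body").split():
        if "=" in tok:
            seen_kv = True
            key, _, value = tok.partition("=")
            rec["fields"][key] = value
        elif seen_kv:
            rec["flags"].append(tok)      # DF, SYN, ACK, ... after the first k=v
        else:
            prefix_words.append(tok)      # --log-prefix text, may contain spaces
    rec["prefix"] = " ".join(prefix_words)
    return rec


def ns_id(pid="self", kind="net"):
    """Identifier of a process's namespace, e.g. 'net:[4026531992]'.
    Returns None where /proc/<pid>/ns/<kind> is absent (kernel too old,
    non-Linux host) or unreadable (other user's process)."""
    try:
        return os.readlink(f"/proc/{pid}/ns/{kind}")
    except OSError:
        return None


def same_net_namespace(pid_a, pid_b):
    """True if both processes see the same network namespace and therefore
    the same iptables rules; False if not; None if it cannot be determined."""
    a, b = ns_id(pid_a), ns_id(pid_b)
    if a is None or b is None:
        return None
    return a == b


if __name__ == "__main__":
    rec = parse_netfilter_log(SAMPLE_LINE)
    print(f"{rec['host']}: '{rec['prefix']}' on {rec['fields']['IN']} "
          f"to port {rec['fields']['DPT']}/{rec['fields']['PROTO']} "
          f"flags={rec['flags']}")
    print("pid 1 shares this net namespace:", same_net_namespace("self", 1))
```

Run as root, `same_net_namespace(<pid in container 1>, <pid in container 2>)` is the quickest way to confirm whether the "locking out ssh" scenario above would really spill over: a `True` result means the two containers are not separated at the firewall level at all, whatever else keeps them apart.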
