* container sharing /proc/kmsg???
@ 2010-01-12 22:09 Jean-Marc Pigeon
From: Jean-Marc Pigeon @ 2010-01-12 22:09 UTC
To: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA
Hello,
I have done a small utility to build containers
using the kernel API 'clone' available with kernel-2.6.31.
So far I am able to run more than 30 different
distributions (from rh7.3 -> fc12) on the same
host.
(ftp://ftp.safe.ca/pub/linux/vzgot to know more.)
Everything is working fine...
Except it seems the HOST and all containers share the
SAME /proc/kmsg, meaning kernel syslog information
is scrambled (useless).
Namely, I have reject packet logging in iptables
on the HOST; as soon as rsyslog is started in one
container, I can't see my reject packet log anymore.
Also, containers have their own iptables with reject
packet logging, which is not displayed either.
Am I wrong/forgetting something about the /proc/kmsg
sharing?
If I am right, should ALL /proc/kmsg be isolated from
each other???
How could it be done??
--
A bientôt
==========================================================================
Jean-Marc Pigeon Internet: jmp@safe.ca
SAFE Inc. Phone: (514) 493-4280
Fax: (514) 493-1946
Clement, 'a kiss solution' to get rid of SPAM (at last)
Clement' Home base <"http://www.clement.safe.ca">
==========================================================================
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
* Re: container sharing /proc/kmsg???
@ 2010-01-13 16:32 ` Serge E. Hallyn
From: Serge E. Hallyn @ 2010-01-13 16:32 UTC
To: Jean-Marc Pigeon, Eric W. Biederman
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA
Quoting Jean-Marc Pigeon (jmp-4qkeo2rQ0gg@public.gmane.org):
> Hello,
>
>
> I have done a small utility to build containers
> using the kernel API 'clone' available with kernel-2.6.31.
> So far I am able to run more than 30 different
> distributions (from rh7.3 -> fc12) on the same
> host.
> (ftp://ftp.safe.ca/pub/linux/vzgot to know more.)
>
> Everything is working fine...
>
> Except it seems the HOST and all containers share the
> SAME /proc/kmsg, meaning kernel syslog information
> is scrambled (useless).
>
> Namely, I have reject packet logging in iptables
> on the HOST; as soon as rsyslog is started in one
> container, I can't see my reject packet log anymore.
>
> Also, containers have their own iptables with reject
> packet logging, which is not displayed either.
>
> Am I wrong/forgetting something about the /proc/kmsg
> sharing?
>
> If I am right, should ALL /proc/kmsg be isolated from
> each other???
>
> How could it be done??
Well, the results of do_syslog() should be containerized. Kernel
messages (oopses for instance) should always go to the initial
container. Shouldn't be hard to do, but the question is what do
we tie it to? User namespace? Network namespace? Eric, is this
something you've thought about at all?
I'm tempted to say userns makes the most sense - if you start a new
userns you likely always want private syslog, whereas with netns and
pidns you may not.
-serge
* Re: container sharing /proc/kmsg???
@ 2010-01-13 16:48 ` Jean-Marc Pigeon
From: Jean-Marc Pigeon @ 2010-01-13 16:48 UTC
To: Serge E. Hallyn
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA,
Eric W. Biederman
Hello,
> > Namely, I have reject packet logging in iptables
> > on the HOST; as soon as rsyslog is started in one
> > container, I can't see my reject packet log anymore.
> >
[...]
> > If I am right, should ALL /proc/kmsg be isolated from
> > each other???
> >
> > How could it be done??
>
> Well, the results of do_syslog() should be containerized. Kernel
> messages (oopses for instance) should always go to the initial
> container. Shouldn't be hard to do, but the question is what do
> we tie it to? User namespace? Network namespace? Eric, is this
> something you've thought about at all?
>
> I'm tempted to say userns makes the most sense - if you start a new
> userns you likely always want private syslog, whereas with netns and
> pidns you may not.
I am not a kernel expert, but my guess/answer is
"user namespace".
I mean the container's /proc returns only process numbers/info
pertaining to the container.
Likewise /proc/kmsg should be the container's own; after all,
if iptables rules can be specific to a container AND
iptables can log via kmsg, then the message must be reported
to the container (and duplicated to the host kmsg?) and not
make trouble for the host.
>
> -serge
--
A bientôt
* Re: container sharing /proc/kmsg???
@ 2010-01-13 17:05 ` Serge E. Hallyn
From: Serge E. Hallyn @ 2010-01-13 17:05 UTC
To: Jean-Marc Pigeon
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA,
Eric W. Biederman
Quoting Jean-Marc Pigeon (jmp-4qkeo2rQ0gg@public.gmane.org):
> Hello,
>
> > > Namely, I have reject packet logging in iptables
> > > on the HOST; as soon as rsyslog is started in one
> > > container, I can't see my reject packet log anymore.
> > >
> [...]
>
> > > If I am right, should ALL /proc/kmsg be isolated from
> > > each other???
> > >
> > > How could it be done??
> >
> > Well, the results of do_syslog() should be containerized. Kernel
> > messages (oopses for instance) should always go to the initial
> > container. Shouldn't be hard to do, but the question is what do
> > we tie it to? User namespace? Network namespace? Eric, is this
> > something you've thought about at all?
> >
> > I'm tempted to say userns makes the most sense - if you start a new
> > userns you likely always want private syslog, whereas with netns and
> > pidns you may not.
>
> I am not a kernel expert, but my guess/answer is
> "user namespace".
> I mean the container's /proc returns only process numbers/info
> pertaining to the container.
> Likewise /proc/kmsg should be the container's own; after all,
> if iptables rules can be specific to a container AND
> iptables can log via kmsg, then the message must be reported
> to the container (and duplicated to the host kmsg?) and not
> make trouble for the host.
/proc/kmsg is just hooked into do_syslog(), the same helper used
by sys_syslog(), so we should be able to address this purely in
kernel/printk.c.
If I get some time tonight I may whip up a proof of concept, though
if anyone else wants to have at, please do.
-serge
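The problem the thread describes is that every iptables LOG line from the host and from each container lands in one kernel ring buffer, and the buffer carries no namespace tag, so a syslog daemon reading /proc/kmsg cannot tell whose reject it is looking at (and any container that can read the buffer sees the host's log, including source addresses). Until the kernel-side change discussed above exists, the practical way to keep the records attributable is to give every party's LOG rules a distinct `--log-prefix` and sort on it when the log is consumed. The script below is an added example written for this page, not code from the thread or from vzgot: it assumes the prefixes `HOST-REJECT: ` and `CT-web01-REJECT: ` were configured with iptables' real `--log-prefix` option, the sample log lines are constructed, and records without a known prefix are reported as unattributed rather than guessed.

```python
"""
Attribute iptables LOG records from a shared kernel log to their origin.

Assumption (not from the thread): the host and each container use a
distinct --log-prefix on their iptables LOG rules. The kernel log has no
namespace tag, so a record without a known prefix stays unattributed.
"""
import re
from collections import defaultdict

# Constructed sample of kernel log lines, in the "<level>[timestamp] msg"
# form a syslog daemon pulls from /proc/kmsg; host and container LOG output
# are interleaved, and one line has no prefix at all.
SAMPLE_KMSG = """\
<4>[ 1201.102233] HOST-REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51234 DPT=22
<4>[ 1201.250001] CT-web01-REJECT: IN=veth0 OUT= SRC=198.51.100.9 DST=10.0.3.2 LEN=60 PROTO=TCP SPT=44321 DPT=80
<6>[ 1201.300000] device veth0 entered promiscuous mode
<4>[ 1201.410010] IN=eth0 OUT= SRC=198.51.100.11 DST=203.0.113.10 LEN=40 PROTO=UDP SPT=5000 DPT=53
<4>[ 1201.520020] HOST-REJECT: IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=50000 DPT=23
"""

# Hypothetical prefixes -> the party whose LOG rule carries them.
PREFIX_OWNERS = {
    "HOST-REJECT: ": "host",
    "CT-web01-REJECT: ": "web01",
}

KMSG_RE = re.compile(r"^<(?P<level>\d+)>\[\s*(?P<ts>[\d.]+)\]\s(?P<msg>.*)$")
# Netfilter LOG output always carries "IN=" followed by "OUT=".
NF_RE = re.compile(r"\bIN=\S*\s+OUT=\S*")


def parse_kmsg_line(line):
    """Return (level, timestamp, message) or None if not a kmsg record."""
    m = KMSG_RE.match(line)
    if not m:
        return None
    return int(m.group("level")), float(m.group("ts")), m.group("msg")


def nf_fields(msg):
    """Parse the KEY=VALUE pairs of a netfilter LOG message into a dict."""
    return dict(kv.split("=", 1) for kv in msg.split() if "=" in kv)


def attribute(lines, prefix_owners=PREFIX_OWNERS):
    """
    Group netfilter LOG records by owner.

    Returns {owner: [field dict, ...]}. Records whose prefix is unknown are
    collected under "unattributed"; kernel messages that are not netfilter
    LOG output are skipped entirely.
    """
    out = defaultdict(list)
    for line in lines:
        rec = parse_kmsg_line(line)
        if rec is None:
            continue
        _level, ts, msg = rec
        if not NF_RE.search(msg):
            continue
        owner, body = "unattributed", msg
        for prefix, name in prefix_owners.items():
            if msg.startswith(prefix):
                owner, body = name, msg[len(prefix):]
                break
        fields = nf_fields(body)
        fields["_ts"] = ts
        out[owner].append(fields)
    return dict(out)


if __name__ == "__main__":
    for owner, recs in attribute(SAMPLE_KMSG.splitlines()).items():
        print(owner)
        for r in recs:
            print("  ", r["SRC"], "->", r["DST"], r["PROTO"], "dpt", r["DPT"])
```

The "unattributed" bucket is the important output: a non-empty bucket means some LOG rule on the host or in a container was written without a prefix and its records are the scrambled, useless ones the original post complains about. Note that prefixing only restores attribution; it does nothing about the confidentiality side (a container that can read the shared buffer still sees the host's records), which is the part only the kernel-side isolation discussed in the thread can fix.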