* container sharing /proc/kmsg???
From: Jean-Marc Pigeon @ 2010-01-12 22:09 UTC
To: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA

Hello,

I have done a small utility to build containers
using the kernel API 'clone' available with kernel-2.6.31.
So far I am able to run more than 30 different
distributions (from rh7.3 -> fc12) on the same
host.
(ftp://ftp.safe.ca/pub/linux/vzgot to know more.)

Everything is working fine...

Except it seems the HOST and all containers share the
SAME /proc/kmsg, meaning kernel syslog information
is scrambled (useless).

Namely, I have in iptables reject packet logging
on the HOST; as soon as rsyslog is started on one
container, I can't see my reject packet log anymore.

Also, containers have their own iptables with reject
packet logging, which is not displayed either.

Am I wrong/forgetting something about the /proc/kmsg
sharing?

If I am right, should ALL /proc/kmsg be isolated from
each other???

How could it be done??

--
A bientôt
==========================================================================
Jean-Marc Pigeon Internet: jmp@safe.ca
SAFE Inc. Phone: (514) 493-4280
Fax: (514) 493-1946
Clement, 'a kiss solution' to get rid of SPAM (at last)
Clement' Home base <"http://www.clement.safe.ca">
==========================================================================
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
* Re: container sharing /proc/kmsg???
From: Serge E. Hallyn @ 2010-01-13 16:32 UTC
To: Jean-Marc Pigeon, Eric W. Biederman
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA

Quoting Jean-Marc Pigeon (jmp-4qkeo2rQ0gg@public.gmane.org):
> Hello,
>
> I have done a small utility to build containers
> using the kernel API 'clone' available with kernel-2.6.31.
> So far I am able to run more than 30 different
> distributions (from rh7.3 -> fc12) on the same
> host.
> (ftp://ftp.safe.ca/pub/linux/vzgot to know more.)
>
> Everything is working fine...
>
> Except it seems the HOST and all containers share the
> SAME /proc/kmsg, meaning kernel syslog information
> is scrambled (useless).
>
> Namely, I have in iptables reject packet logging
> on the HOST; as soon as rsyslog is started on one
> container, I can't see my reject packet log anymore.
>
> Also, containers have their own iptables with reject
> packet logging, which is not displayed either.
>
> Am I wrong/forgetting something about the /proc/kmsg
> sharing?
>
> If I am right, should ALL /proc/kmsg be isolated from
> each other???
>
> How could it be done??

Well, the results of do_syslog() should be containerized. Kernel
messages (oopses for instance) should always go to the initial
container. Shouldn't be hard to do, but the question is what do
we tie it to? User namespace? Network namespace? Eric, is this
something you've thought about at all?

I'm tempted to say userns makes the most sense - if you start a new
userns you likely always want private syslog, whereas with netns and
pidns you may not.

-serge

* Re: container sharing /proc/kmsg???
From: Jean-Marc Pigeon @ 2010-01-13 16:48 UTC
To: Serge E. Hallyn
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA, Eric W. Biederman

Hello,

> > Namely, I have in iptables reject packet logging
> > on the HOST; as soon as rsyslog is started on one
> > container, I can't see my reject packet log anymore.
> > [...]
> > If I am right, should ALL /proc/kmsg be isolated from
> > each other???
> >
> > How could it be done??
>
> Well, the results of do_syslog() should be containerized. Kernel
> messages (oopses for instance) should always go to the initial
> container. Shouldn't be hard to do, but the question is what do
> we tie it to? User namespace? Network namespace? Eric, is this
> something you've thought about at all?
>
> I'm tempted to say userns makes the most sense - if you start a new
> userns you likely always want private syslog, whereas with netns and
> pidns you may not.

I am not a kernel expert, but my guess/answer is
"user namespace".
I mean the container /proc returns only process numbers/info
pertaining to the container.
Likewise /proc/kmsg should be the container's own; after all,
if iptables rules can be specific to a container AND
iptables can log via kmsg, then the message must be reported
to the container (and duplicated to the host kmsg?) and not
make trouble for the host.

> -serge

--
A bientôt
Jean-Marc Pigeon

* Re: container sharing /proc/kmsg???
From: Serge E. Hallyn @ 2010-01-13 17:05 UTC
To: Jean-Marc Pigeon
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA, Eric W. Biederman

Quoting Jean-Marc Pigeon (jmp-4qkeo2rQ0gg@public.gmane.org):
> > [...]
> > I'm tempted to say userns makes the most sense - if you start a new
> > userns you likely always want private syslog, whereas with netns and
> > pidns you may not.
>
> I am not a kernel expert, but my guess/answer is
> "user namespace".
> I mean the container /proc returns only process numbers/info
> pertaining to the container.
> Likewise /proc/kmsg should be the container's own; after all,
> if iptables rules can be specific to a container AND
> iptables can log via kmsg, then the message must be reported
> to the container (and duplicated to the host kmsg?) and not
> make trouble for the host.

/proc/kmsg is just hooked into do_syslog(), the same helper used by
sys_syslog(), so we should be able to address this purely in
kernel/printk.c. If I get some time tonight I may whip up a proof of
concept, though if anyone else wants to have at it, please do.

-serge
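As an added example, not code from this thread, from vzgot or from the kernel: a small C program an administrator can run on the host to see the "scrambled" buffer the thread describes. It copies the kernel ring buffer with SYSLOG_ACTION_READ_ALL, the non-destructive counterpart of the dequeueing read that /proc/kmsg performs through do_syslog(), and tallies netfilter LOG lines by the --log-prefix each rule set was given, so host and per-container rejects can at least be told apart while they still share one buffer. The prefixes "host-reject: " and "ct1-reject: " and the sample lines in the program are constructed for illustration; whatever lands in the "untagged" bucket is exactly the case the thread complains about.

```c
/* kmsg_reject_audit.c: added example, not code from this thread or from
 * vzgot. Copies the shared kernel ring buffer without dequeueing it and
 * tallies netfilter LOG ("reject packet") lines by the --log-prefix each
 * rule set was given. The prefixes and sample lines are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/klog.h>

/* syslog(2) action numbers; the kernel header naming them is not exported
 * to user space, so they are defined here, as dmesg does. */
#define SYSLOG_ACTION_READ_ALL    3   /* copy whole buffer, no dequeue */
#define SYSLOG_ACTION_SIZE_BUFFER 10  /* ring buffer size in bytes */

struct prefix_count {
    const char *prefix;  /* --log-prefix text as it appears in the line */
    int count;
};

/* True if NEEDLE occurs in LINE at a field boundary: start of line or right
 * after ' ', ':', ']' or '>' (so "IN=" does not match inside "MIN="). */
static int has_field(const char *line, size_t len, const char *needle)
{
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= len; i++) {
        char c = i ? line[i - 1] : ' ';
        if (memcmp(line + i, needle, nl) == 0 && c && strchr(" :]>", c))
            return 1;
    }
    return 0;
}

/* Walk BUF line by line. A netfilter LOG line carries IN= and OUT= fields;
 * each is credited to the first matching prefix, the rest to *UNTAGGED, the
 * rejects that cannot be told apart once host and containers share one
 * ring buffer. Returns the number of netfilter LOG lines seen. */
int count_reject_lines(const char *buf, size_t len,
                       struct prefix_count *pc, int npc, int *untagged)
{
    int total = 0;
    *untagged = 0;
    for (int i = 0; i < npc; i++)
        pc[i].count = 0;
    for (const char *p = buf, *end = buf + len; p < end;) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        size_t ll = nl ? (size_t)(nl - p) : (size_t)(end - p);
        if (has_field(p, ll, "IN=") && has_field(p, ll, "OUT=")) {
            int hit = 0;
            total++;
            for (int i = 0; i < npc && !hit; i++)
                if (has_field(p, ll, pc[i].prefix))
                    hit = ++pc[i].count;
            if (!hit)
                (*untagged)++;
        }
        p = nl ? nl + 1 : end;
    }
    return total;
}

/* Copy the whole ring buffer with SYSLOG_ACTION_READ_ALL. A read of
 * /proc/kmsg dequeues what it returns, so one reader (a container's rsyslog)
 * starves every other; READ_ALL leaves the buffer intact. Returns bytes
 * copied, or -1 (EPERM: kernel.dmesg_restrict=1 without CAP_SYSLOG). */
ssize_t read_ring_buffer(char **out)
{
    int size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, NULL, 0);
    char *buf = size > 0 ? malloc((size_t)size) : NULL;
    int n = buf ? klogctl(SYSLOG_ACTION_READ_ALL, buf, size) : -1;
    if (n < 0) {
        free(buf);
        return -1;
    }
    *out = buf;
    return n;
}

/* Constructed sample: one reject tagged by the host, one by container ct1,
 * one untagged (rule set without --log-prefix) and one unrelated message. */
static const char sample_kmsg[] =
    "<4>host-reject: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=22\n"
    "<4>ct1-reject: IN=veth0 OUT= SRC=10.0.1.9 DST=10.0.1.1 PROTO=UDP DPT=53\n"
    "<4>[ 1234.567890] IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP DPT=80\n"
    "<6>eth0: link is up\n";

/* Tally over the sample; WHICH: 0 = total, 1 = host, 2 = ct1, 3 = untagged. */
int sample_count(int which)
{
    struct prefix_count pc[2] = { { "host-reject: ", 0 }, { "ct1-reject: ", 0 } };
    int untagged, total = count_reject_lines(sample_kmsg, sizeof sample_kmsg - 1,
                                             pc, 2, &untagged);
    int result[4] = { total, pc[0].count, pc[1].count, untagged };
    return (which >= 0 && which < 4) ? result[which] : -1;
}

int main(void)
{
    struct prefix_count pc[2] = { { "host-reject: ", 0 }, { "ct1-reject: ", 0 } };
    char *buf = NULL;
    int untagged;
    ssize_t n = read_ring_buffer(&buf);
    if (n < 0)
        return perror("klogctl"), 1;
    printf("netfilter LOG lines: %d\n",
           count_reject_lines(buf, (size_t)n, pc, 2, &untagged));
    printf("  host: %d  ct1: %d  untagged: %d\n", pc[0].count, pc[1].count, untagged);
    free(buf);
    return 0;
}
```

Build with `cc -std=c99 kmsg_reject_audit.c`; reading the live buffer needs root or kernel.dmesg_restrict=0, while sample_count() exercises the tally on the constructed lines regardless. Giving each container's rules a distinct --log-prefix is only a labelling aid: it does not stop a /proc/kmsg reader in one container from dequeueing the host's messages, which is the isolation the thread asks the kernel to provide.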