container sharing /proc/kmsg???

Jean-Marc Pigeon jmp at safe.ca
Wed Jan 13 08:48:57 PST 2010


Hello,

> > 	Namely, I have in iptables, reject packet logging
> > 	on the HOST, as soon as rsyslog is started on one
> > 	container, I can't see my reject packet log anymore. 
> > 
[...]

> > 	If I am right, should ALL /proc/kmsg be isolated from
> > 	each other???
> > 	
> > 	How could it be done??
> 
> Well, the results of do_syslog() should be containerized.  Kernel
> messages (oopses for instance) should always go to the initial
> container.  Shouldn't be hard to do, but the question is what do
> we tie it to?  User namespace?  Network namespace?  Eric, is this
> something you've thought about at all?
> 
> I'm tempted to say userns makes the most sense - if you start a new
> userns you likely always want private syslog, whereas with netns and
> pidns you may not.

	I am not a kernel expert, but my guess/answer is
	"user namespace".
	I mean the container's /proc returns only process numbers/info
	pertaining to the container.
	Likewise /proc/kmsg should be the container's own; after all,
	if iptables rules can be specific to a container AND
	iptables can log via kmsg, then the message must be reported
	to the container (and duplicated to the host's kmsg?) and not
	cause trouble for the host.

> 
> -serge
-- 
See you soon
==========================================================================
Jean-Marc Pigeon                                   Internet: jmp at safe.ca
SAFE Inc.                                          Phone: (514) 493-4280
                                                   Fax:   (514) 493-1946
        Clement, 'a kiss solution' to get rid of SPAM (at last)
           Clement' Home base <"http://www.clement.safe.ca">
==========================================================================
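A host-side workaround for the symptom in this thread, written here as an added example (it is not code from the list, the kernel or rsyslog): instead of competing with the container's rsyslog on /proc/kmsg, whose reads go through syslog(2) SYSLOG_ACTION_READ and consume each message, the host polls the ring buffer with SYSLOG_ACTION_READ_ALL, the non-destructive read dmesg uses, and picks out the iptables LOG lines by their --log-prefix. The prefix "REJECT ", the sample ring-buffer contents and the function names are assumptions made for the example; the thread does not give them.

```c
/* Added example for the thread above, not code from the list or the kernel
 * (Linux-only). It reads the ring buffer with syslog(2) SYSLOG_ACTION_READ_ALL,
 * the non-destructive read dmesg uses, instead of /proc/kmsg, whose
 * SYSLOG_ACTION_READ consumes each message so a container's rsyslog can drain
 * it before the host's klogd sees it, then picks out iptables LOG lines by
 * --log-prefix. "REJECT " is an assumed prefix; the thread does not name one. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/klog.h>

#define SYSLOG_ACTION_READ_ALL    3
#define SYSLOG_ACTION_SIZE_BUFFER 10

/* Constructed READ_ALL output: two iptables REJECT lines, one unrelated line. */
const char SAMPLE_KMSG[] =
    "<6>[  123.456789] eth0: link up\n"
    "<4>[  130.001234] REJECT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=10.0.0.5 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=50000 DPT=22 SYN\n"
    "<4>[  131.500000] REJECT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=10.0.0.6 DST=192.0.2.10 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0\n";

/* Skip the "<level>" and optional "[timestamp] " that printk prepends. */
static const char *msg_text(const char *line)
{
    const char *end;
    if (*line == '<' && (end = strchr(line, '>')) != NULL)
        line = end + 1;
    if (*line == '[' && (end = strchr(line, ']')) != NULL)
        for (line = end + 1; *line == ' '; line++)
            ;
    return line;
}

/* Copy the value of "KEY=value" from a LOG line into out (OUT= gives "").
 * Returns 1 if the key is present, 0 otherwise. */
int get_field(const char *msg, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key), n;
    const char *p = msg;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == msg || p[-1] == ' ') && p[klen] == '=') {
            p += klen + 1;
            n = strcspn(p, " \n");
            if (n >= outsz)
                n = outsz - 1;
            memcpy(out, p, n);
            out[n] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* Convenience for checks: does KEY=value in msg equal want? */
int field_equals(const char *msg, const char *key, const char *want)
{
    char v[256];
    return get_field(msg, key, v, sizeof v) && strcmp(v, want) == 0;
}

/* Count lines whose text starts with prefix; if verbose, print one
 * "PROTO SRC -> DST" line per match. */
int scan_prefixed(const char *buf, const char *prefix, int verbose)
{
    size_t plen = strlen(prefix);
    int count = 0;
    const char *p = buf;
    while (*p) {
        char line[1024];
        const char *text;
        size_t len = strcspn(p, "\n");
        if (len >= sizeof line)
            len = sizeof line - 1;             /* truncate over-long lines */
        memcpy(line, p, len);
        line[len] = '\0';
        p += strcspn(p, "\n");
        if (*p == '\n')
            p++;
        text = msg_text(line);
        if (strncmp(text, prefix, plen) != 0)
            continue;
        count++;
        if (verbose) {
            char src[64] = "?", dst[64] = "?", proto[16] = "?";
            get_field(text, "SRC", src, sizeof src);
            get_field(text, "DST", dst, sizeof dst);
            get_field(text, "PROTO", proto, sizeof proto);
            printf("%s %s -> %s\n", proto, src, dst);
        }
    }
    return count;
}

int main(void)
{
    char *buf = NULL;
    int n = -1, size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, NULL, 0);
    if (size > 0 && (buf = malloc((size_t)size + 1)) != NULL)
        n = klogctl(SYSLOG_ACTION_READ_ALL, buf, size);
    if (n < 0) {        /* EPERM without CAP_SYS_ADMIN (CAP_SYSLOG on newer kernels) */
        fprintf(stderr, "syslog(2) read failed (%s); scanning the sample\n", strerror(errno));
        free(buf);
        buf = NULL;
    } else {
        buf[n] = '\0';
    }
    printf("%d prefixed line(s)\n", scan_prefixed(buf ? buf : SAMPLE_KMSG, "REJECT ", 1));
    free(buf);
    return 0;
}
```

Build with `cc -o kmsg_rejects kmsg_rejects.c` and run as root on the host; without the privilege it falls back to the constructed sample. Two caveats: READ_ALL only returns what has not yet been overwritten in the ring buffer, so this is a polling workaround rather than a fix, and the container's rsyslog still drains /proc/kmsg from under the host's klogd. The other half is therefore to keep the container from loading the kernel log input (`$ModLoad imklog` in its rsyslog.conf) or from seeing /proc/kmsg at all, until the kernel gives each container its own log as Serge describes.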