[Lxc-users] Debugging a containers firewall.. (syslog)

Daniel Lezcano daniel.lezcano at free.fr
Thu Jul 1 08:20:19 UTC 2010


On 07/01/2010 09:54 AM, Gordon Henderson wrote:
> On Thu, 1 Jul 2010, Gordon Henderson wrote:
>
>> Hi,
>>
>> I'm experimenting with some iptables inside a container - no real issues
>> there, it just works, but I'm a little confused by the logging messages..
>>
>> I'm running rsyslogd and the firewall log messages are going where they'd
>> normally go (ie. I've not changed any settings there), so normally I see
>> them in the output of dmesg and they're stored in /var/log/kern.log (this
>> is Debian and the rsyslogd.conf file has:
>>
>>    kern.*                          -/var/log/kern.log
>>
>> However the file kern.log seems to be missing a lot of entries that are
>> appearing in the output of dmesg.
>>
>> I don't currently have kernel timestamps turned on, so I can't properly
>> correlate dmesg output with the log-files, but I'm just wondering if there
>> is anything significant here - anything obvious I'm missing?
>
> Hm. Following up my own post.. I've just realised the messages are getting
> stored in the host's kern.log file too, so I'm now confused. Is it actually
> possible to have per-container syslogs, or should it all be done on the
> host? I've no issues with the latter, but there doesn't seem to be a way
> to tag them if the host is doing all the logging... (Although since this
> is a firewall, there are DST=i.p.address entries in the host's kern.log file,
> that's OK for iptables logging, but not for individual container
> sendmail, etc. logging...)
>
> Using Debian stable, kernel 2.6.33.3 and LXC 0.6.5

Syslog per container is not (yet?) supported. At first glance, 
after looking at the kernel code, it is not obvious how to make these changes 
because they impact /dev/kmsg, /proc/kmsg, the syslog syscall and printk, 
which need to be cleaned up and modified in a consistent way to assign a 
ring buffer per container. The netfilter logging, which uses printk, 
occurs in an interrupt context, making it difficult to identify the right 
container without using the network namespace (it does not make sense 
to create a relationship between a network namespace and the ring buffer 
IMHO).

Tagging the logs to differentiate where they are coming from is a good 
idea and this is probably what should be done for the host (log in the 
container and log in the host). But the syslog per namespace framework 
will be needed first, I think.

Thanks
   -- Daniel
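The tagging Daniel describes can be approximated on the host side with the tools that already exist: the iptables LOG target's `--log-prefix` option puts a fixed tag at the front of each netfilter message, and the DST=/SRC= addresses Gordon noticed identify the container's interface. The block below is an added example written for this thread, not code from either poster or from the LXC project. It parses netfilter LOG lines as they appear in a host's kern.log (with or without kernel timestamps, matching Gordon's setup) and attributes each line to a container, preferring a prefix tag when the container's rules set one and otherwise falling back to the DST=/SRC= address. The sample log lines, the container names `ct-web`/`ct-mail` and the IP-to-container map are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of host kern.log lines (not taken from the thread).
# Line 1 has a kernel timestamp and a --log-prefix tag, line 2 has neither,
# line 3 has a tag but no timestamp, line 4 is unrelated kernel output.
SAMPLE_KERN_LOG = """\
Jul  1 09:54:12 host kernel: [ 1234.567890] ct-web: IN=veth0 OUT= MAC=fe:00:... SRC=203.0.113.9 DST=10.0.3.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  1 09:54:13 host kernel: IN=veth1 OUT= MAC=fe:00:... SRC=198.51.100.7 DST=10.0.3.6 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=1234 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  1 09:54:14 host kernel: ct-mail: IN=veth1 OUT= SRC=192.0.2.33 DST=10.0.3.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=1
Jul  1 09:54:15 host kernel: eth0: link up
"""

# Assumed mapping of container addresses to container names; in practice this
# would come from the host's container configuration.
CONTAINER_BY_IP = {"10.0.3.5": "ct-web", "10.0.3.6": "ct-mail"}

# A netfilter LOG message: optional "[ secs.usecs] " kernel timestamp, optional
# --log-prefix text, then the field list that always starts with IN=.
NF_LINE = re.compile(
    r"kernel: (?:\[\s*\d+\.\d+\] )?(?P<prefix>.*?)\s*IN=(?P<rest>.*)$")
# KEY=value pairs; bare flags such as DF or SYN carry no '=' and are skipped.
KV = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_netfilter_line(line):
    """Return {'prefix': str|None, 'fields': dict} for a LOG line, else None."""
    m = NF_LINE.search(line)
    if m is None:
        return None
    fields = dict(KV.findall("IN=" + m.group("rest")))
    prefix = m.group("prefix").strip().rstrip(":") or None
    return {"prefix": prefix, "fields": fields}


def attribute(entry, container_by_ip):
    """Name the container a parsed entry belongs to.

    A --log-prefix tag that names a known container wins; otherwise fall back
    to the DST= address (inbound traffic), then SRC= (outbound traffic).
    """
    known = set(container_by_ip.values())
    if entry["prefix"] in known:
        return entry["prefix"]
    fields = entry["fields"]
    for key in ("DST", "SRC"):
        name = container_by_ip.get(fields.get(key))
        if name is not None:
            return name
    return "unknown"


def summarize(log_text, container_by_ip):
    """Count netfilter LOG entries per container over a block of kern.log text."""
    by_container = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        entry = parse_netfilter_line(line)
        if entry is None:
            unparsed += 1
            continue
        by_container[attribute(entry, container_by_ip)] += 1
    return {"by_container": by_container, "unparsed": unparsed}


if __name__ == "__main__":
    result = summarize(SAMPLE_KERN_LOG, CONTAINER_BY_IP)
    for name, count in sorted(result["by_container"].items()):
        print(f"{name}: {count} netfilter log entries")
    print(f"non-netfilter kernel lines skipped: {result['unparsed']}")
```

The prefix is the more reliable key: an address map breaks as soon as a container's address changes or two containers share a NATed address, whereas a per-container `--log-prefix` survives both and also lets the host's rsyslog route tagged lines into separate files with an ordinary property-based filter. The address fallback is there only for rules that were created without a prefix.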