[Lxc-users] Debugging a containers firewall.. (syslog)

Jean-Marc Pigeon jmp at safe.ca
Mon Jul 12 15:39:40 UTC 2010


Hello Gordon,

On Thu, 2010-07-01 at 08:54 +0100, Gordon Henderson wrote:
> On Thu, 1 Jul 2010, Gordon Henderson wrote:
> 
> > Hi,
> >
> > I'm experimenting with some iptables inside a container - no real issues
> > there, it just works, but I'm a little confused by the logging messages..
> >
> > I'm running rsyslogd and the firewall log messages are going where they'd
> > normally go (ie. I've not changed any settings there), so normally I see
> > them in the output of dmesg and they're stored in /var/log/kern.log (this
> > is Debian and the rsyslogd.conf file has:
> >
> >   kern.*                          -/var/log/kern.log
> >
> > However the file kern.log seems to be missing a lot of entries that are
> > appearing in the output of dmesg.
> >
> > I don't currently have kernel timestamps turned on, so I can't properly
> > correlate dmesg output with the log-files, but I'm just wondering if there
> > is anything significant here - anything obvious I'm missing?
> 
> Hm. Following up my own post.. I've just realised the messages are getting 
> stored in the host's kern.log file too, so I'm now confused. Is it actually 
> possible to have per-container syslogs, or should it all be done on the 
> host? I've no issues with the latter, but there doesn't seem to be a way 
> to tag them if the host is doing all the logging... (Although since this 
> is a firewall, there are DST=i.p.address entries in the host's kern.log file, 
> but that's OK for iptables logging, but not for individual container 
> sendmail, etc. logging...)
> 
> Using Debian stable, kernel 2.6.33.3 and LXC 0.6.5

I have a "Syslog per container" implementation; it reports
container iptables logs to the container syslog only.
(I do not know if it is done the "state of the art" way,
but it seems to be working here.)

See git.safe.ca, head "2.6.34-syslog-4" could be of
some interest to you.

Head "2.6.35-rc4-syslog-4" is working well too,
but only for containers on x86_64 arch; since
2.6.35, on i386 arch containers, the network is not responding
(packets are lost somewhere) as soon as one iptables rule
is set (even if the rule says ACCEPT!).
On 2.6.34 /sys is not containerized (you see the
host /sys/class/net devices), but it is containerized
on 2.6.35 (you see your own container's net devices only)... 
Maybe the network problem is related to the /sys change.

My 2 cents.

-- 
See you soon
==========================================================================
Jean-Marc Pigeon                                   Internet: jmp at safe.ca
SAFE Inc.                                          Phone: (514) 493-4280
                                                   Fax:   (514) 493-1946
        Clement, 'a kiss solution' to get rid of SPAM (at last)
           Clement' Home base <"http://www.clement.safe.ca">
==========================================================================
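The thread above turns on one logging fact: iptables LOG output is a kernel message, so on an LXC host of this era it lands in the host's dmesg and, via the `kern.*` rsyslog rule, in the host's /var/log/kern.log, with nothing in the line saying which container's rule produced it. The following Python script is an added example, not code from this thread or from Jean-Marc's syslog patches. It goes slightly beyond the thread by assuming each container's rules were written with iptables' `--log-prefix` option (a real LOG-target option), e.g. `--log-prefix "ct-web: "`, and shows how a host-side kern.log can then be parsed and attributed back to individual containers. The sample log lines and the prefixes `ct-web`, `ct-mail` and `host` are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on iptables LOG records as rsyslog writes
# them to /var/log/kern.log on a Debian host. Prefixes "ct-web: ",
# "ct-mail: " and "host: " are hypothetical --log-prefix values; the
# fourth record was logged by a rule written without any prefix, and the
# last line is an ordinary kernel message that is not a firewall record.
SAMPLE_KERN_LOG = """\
Jul 12 15:39:40 lxchost kernel: ct-web: IN=veth-web OUT= MAC=... SRC=203.0.113.7 DST=10.0.3.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 12 15:39:41 lxchost kernel: ct-mail: IN=veth-mail OUT= MAC=... SRC=198.51.100.9 DST=10.0.3.6 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 12 15:39:42 lxchost kernel: [ 4321.123456] host: IN=eth0 OUT= MAC=... SRC=192.0.2.44 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 12 15:39:43 lxchost kernel: IN=veth-db OUT= MAC=... SRC=203.0.113.7 DST=10.0.3.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=5432 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 12 15:39:44 lxchost kernel: ct-web: IN=veth-web OUT= MAC=... SRC=203.0.113.7 DST=10.0.3.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 12 15:39:45 lxchost kernel: eth0: link up
"""

# Kernel part of a kern.log line carrying an iptables LOG record: an
# optional printk timestamp, the free-form --log-prefix text (which never
# contains "="), then the "IN=... OUT=... SRC=... DST=..." field list.
IPT_LOG_RE = re.compile(
    r"kernel:\s*(?:\[\s*\d+\.\d+\]\s*)?(?P<prefix>[^=]*?)IN=(?P<fields>.*)$"
)
# "KEY=value" pairs; bare flags such as DF or SYN carry no "=" and are skipped.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the iptables fields of one kern.log line plus its log prefix,
    or None when the line is not an iptables LOG record."""
    m = IPT_LOG_RE.search(line)
    if m is None:
        return None
    rec = dict(FIELD_RE.findall("IN=" + m.group("fields")))
    # Most people end --log-prefix with ": "; strip that. An empty prefix
    # means the rule gave no hint at all about which container it belongs to.
    rec["prefix"] = m.group("prefix").strip().rstrip(":") or "untagged"
    return rec


def split_by_prefix(text):
    """Group parsed records by --log-prefix, i.e. per container."""
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            groups[rec["prefix"]].append(rec)
    return dict(groups)


def count_by_prefix(text):
    """How many firewall records each container (prefix) produced."""
    return Counter(rec["prefix"] for rec in map(parse_line, text.splitlines()) if rec)


if __name__ == "__main__":
    for prefix, recs in sorted(split_by_prefix(SAMPLE_KERN_LOG).items()):
        print(f"{prefix}: {len(recs)} record(s)")
        for r in recs:
            print(f"  {r['IN']:10s} {r['SRC']} -> {r['DST']} {r['PROTO']}/{r.get('DPT', '-')}")
```

The "untagged" bucket is the situation Gordon describes: a record that reached the host log but carries no container identity. Apart from a prefix, the `IN=` interface name (the container's veth on the host side) is the only other field that can be mapped back to a container, and only while the host keeps a record of which veth belongs to which container.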