[Lxc-users] Kernel Log Namespace Support?

Walter walter.stanish+lxc-users at gmail.com
Mon Jun 24 02:36:44 UTC 2013


I am sure there's a good reason why this doesn't yet exist... however,
it would still be useful!

For instance, I note that the network namespace is leading the charge
with the capacity to implement netfilter rules within a container...
unfortunately the common -j LOG target becomes ~useless within a
container since it is impossible, when interpreting the resulting data
at some future point in time, to reliably determine which container
(or host) the resulting kernel log entries spawned from.

I know there's a lot of stuff going on around capabilities right
now... perhaps a capability to explicitly allow setting netfilter
rules (on all interfaces within a container) wouldn't go astray. This
would be separate from existing network-related capabilities. The idea
is that at least that way you could set the -j LOG
--log-prefix='[guest id] ' ... in order to better trust generated
entries.
(It's also not out of the question that one may wish to differently
process logs produced within guests... for example, to send them to a
particular remote syslog server. Right now that's a bit iffy when it
comes to kernel messages.)

Ultimately this only potentially solves this very specific class of
use case, though.

Another option might be to have a kernel option that enables logging
the executing cgroup name at the beginning of the kernel log line.
This would require securing against attempts to imitate it, though...
resulting in some overhead. Weighing more heavily against it, I recall a
structured kernel log proposal being discussed on LWN someplace...
perhaps https://lwn.net/Articles/464276/ but I believe there was a
more recent update, which I can't find.

Has anyone given this some thought recently? Is there any information out there
about a solution in the works?

Cheers,
Walter
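The --log-prefix workaround described in the post, carried through to the consumer side, as an added example that is not code from the original post or from the LXC project. It assumes a convention (my assumption, not something the post specifies) that every rule set inside a container is written as `iptables ... -j LOG --log-prefix='[guest <id>] '`, and then parses the resulting kern.log lines into the netfilter key=value fields, attributing each entry to the container named in the prefix and counting lines that carry no such prefix as unattributable. The sample log lines are constructed to mirror the LOG target's output format; the function names are mine. Note that the prefix only proves what the rule author wrote, so this attribution is only as trustworthy as the restriction on who may set LOG rules inside the container, which is exactly the capability gap the post raises.

```python
"""Attribute netfilter LOG lines to containers via a --log-prefix convention.

Added example, not part of the original post or of LXC. Assumed convention:
    iptables ... -j LOG --log-prefix='[guest <id>] '
Lines without that prefix are reported with guest=None (host rules, or a
container that did not follow the convention).
"""
import re
from collections import Counter

# Constructed sample lines in the syslog layout rsyslog writes for kernel
# messages. The first three simulate rules set inside containers "web01" and
# "db01" with the assumed prefix; the next two are unprefixed LOG output as
# the target emits it by default; the last is an unrelated kernel message.
SAMPLE_KERN_LOG = """\
Jun 24 02:36:44 host kernel: [12345.678901] [guest web01] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=10.0.3.2 DST=10.0.3.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31337 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 24 02:36:45 host kernel: [12346.000123] [guest web01] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=10.0.3.2 DST=10.0.3.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31338 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 24 02:36:46 host kernel: [12347.111222] [guest db01] IN=eth0 OUT= MAC=00:16:3e:00:00:03:00:16:3e:00:00:02:08:00 SRC=10.0.3.2 DST=10.0.3.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31339 DF PROTO=TCP SPT=51236 DPT=5432 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 24 02:36:47 host kernel: [12348.222333] IN=eth0 OUT= MAC=00:16:3e:00:00:02:52:54:00:12:34:56:08:00 SRC=192.0.2.7 DST=10.0.3.1 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=44444 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 24 02:36:48 host kernel: [12349.333444] IN=eth0 OUT= MAC=00:16:3e:00:00:02:52:54:00:12:34:56:08:00 SRC=192.0.2.7 DST=10.0.3.1 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=44445 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 24 02:36:49 host kernel: [12350.444555] usb 1-1: new high-speed USB device number 2 using ehci-pci
"""

LINE_RE = re.compile(
    r"kernel: (?:\[\s*\d+\.\d+\] )?"        # optional printk timestamp
    r"(?:\[guest (?P<guest>[^\]]+)\] )?"    # assumed --log-prefix convention, if present
    r"(?P<fields>IN=\S* OUT=\S*.*)$"        # netfilter LOG body always starts with IN=/OUT=
)


def parse_fields(body):
    """Turn 'IN=eth0 OUT= ... DF PROTO=TCP ... SYN URGP=0' into a dict.

    key=value tokens keep their (possibly empty) value; bare tokens such as
    DF, SYN or ACK are flags and become True.
    """
    fields = {}
    for tok in body.split():
        key, sep, value = tok.partition("=")
        fields[key] = value if sep else True
    return fields


def parse_kern_log(text):
    """Return a list of {'guest': <id or None>, 'fields': {...}} for LOG lines only."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a netfilter LOG line (e.g. the usb message)
        entries.append({"guest": m.group("guest"), "fields": parse_fields(m.group("fields"))})
    return entries


def count_by_origin(entries):
    """Entries per container; the None bucket is what the post complains about:
    lines whose originating namespace cannot be recovered from the log."""
    return Counter(e["guest"] for e in entries)


def select_for_guest(entries, guest):
    """Entries to ship to one guest's own remote syslog (the post's second use case)."""
    return [e for e in entries if e["guest"] == guest]


if __name__ == "__main__":
    parsed = parse_kern_log(SAMPLE_KERN_LOG)
    for origin, n in count_by_origin(parsed).items():
        print(f"{origin or 'UNATTRIBUTED':>13}: {n} LOG entries")
    for e in select_for_guest(parsed, "web01"):
        f = e["fields"]
        print(f"web01: {f['SRC']}:{f['SPT']} -> {f['DST']}:{f['DPT']} {f['PROTO']}")
```

The bucket keyed by None is the practical measure of the problem the post describes: on a host where containers may run their own LOG rules without a prefix, nothing in those lines says which namespace produced them, and a forwarding policy keyed on the guest id simply cannot route them.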