8:09 a.m.
Hello,
I'm seeing syslog messages "bleed" from the host and other LXC into
the messages, maillog, secure logs of other LXCs.
I'm using libvirt 1.0.0 on a host with systemd and kernel 3.9.10.
Each LXC is running an older non-systemd linux distribution
Is this a known issue? Is there a work around?
Thank you for you time,
Jim
--
James R. Leu | Director of Technology | INOC | Madison, WI, USA
O: +1-608-204-0203 | F: +1-608-663-4558 | jleu(a)inoc.com | www.inoc.com
Service. Not Software.®
8:16 a.m.
On Fri, Apr 10, 2015 at 08:09:58AM -0500, James Leu wrote:
Hello,
I'm seeing syslog messages "bleed" from the host and other LXC into
the messages, maillog, secure logs of other LXCs.
I'm using libvirt 1.0.0 on a host with systemd and kernel 3.9.10.
Each LXC is running an older non-systemd linux distribution
Is this a known issue? Is there a work around?
There is no syslog separation in the kernel namespaces. Libvirt does
not even create /dev/log device in the container by default. So I'm
curious how you've configured the guest - could be something missing
that allows cross-pollution
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
9:13 a.m.
On 2015-04-10 15:16, Daniel P. Berrange wrote:
On Fri, Apr 10, 2015 at 08:09:58AM -0500, James Leu wrote:
> Hello,
>
> I'm seeing syslog messages "bleed" from the host and other LXC into
> the messages, maillog, secure logs of other LXCs.
>
> I'm using libvirt 1.0.0 on a host with systemd and kernel 3.9.10.
> Each LXC is running an older non-systemd linux distribution
>
> Is this a known issue? Is there a work around?
There is no syslog separation in the kernel namespaces. Libvirt does
not even create /dev/log device in the container by default. So I'm
curious how you've configured the guest - could be something missing
that allows cross-pollution
I suspect bind-mounting the host's /dev/ – it's a common suggestion I've
seen in chrooting tutorials.
Regards,
Daniel
--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas(a)tao.at | +43 (0)680 301 7167
http://software.tao.at
9:25 a.m.
Hello Daniel,
Thank you for your response.
Here is a sample LXC config
<domain type='lxc'>
<name>foo0</name>
<uuid>c070385f-1aa0-4a4f-ab03-8cabe03a9c0b</uuid>
<memory unit='KiB'>4194304</memory>
<currentMemory unit='KiB'>4194304</currentMemory>
<vcpu placement='static'>2</vcpu>
<os>
<type arch='i686'>exe</type>
<init>/sbin/init-lxc</init>
</os>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>restart</on_crash>
<devices>
<emulator>/usr/libexec/libvirt_lxc</emulator>
<filesystem type='mount' accessmode='passthrough'>
<source dir='/home/foo0/root'/>
<target dir='/'/>
</filesystem>
<filesystem type='mount' accessmode='passthrough'>
<source dir='/home/foo0/archive'/>
<target dir='/archive'/>
</filesystem>
<interface type='bridge'>
<source bridge='br112'/>
</interface>
<interface type='bridge'>
<source bridge='br113'/>
</interface>
<interface type='bridge'>
<source bridge='br114'/>
</interface>
<console type='pty'>
<target type='lxc' port='0'/>
</console>
</devices>
</domain>
Here is a portion of LSOF from syslogd running in the LXC
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
syslogd 346 root cwd DIR 152,96 4096 2 /
syslogd 346 root rtd DIR 152,96 4096 2 /
syslogd 346 root txt REG 152,96 34025 499860 /sbin/syslogd
syslogd 346 root mem REG 152,96 34025 499860 /sbin/syslogd
syslogd 346 root 0u unix 0xffff8808246bb740 1439616359 /dev/log
syslogd 346 root 2w REG 152,96 112506 803231 /var/log/messages
syslogd 346 root 3w REG 152,96 0 803227 /var/log/secure
syslogd 346 root 4w REG 152,96 1364785 803235 /var/log/maillog
syslogd 346 root 5w REG 152,96 808140 803214 /var/log/cron
syslogd 346 root 6w REG 152,96 0 803203 /var/log/spooler
syslogd 346 root 7w REG 152,96 0 803216 /var/log/boot.log
/dev in the LXC is:
none on /dev type devtmpfs (rw)
I've tried removing /dev/log in the LXC and then restarting syslogd
(which recreates /dev/log)
but I still get bleed.
Is this a unix socket namespace issue?
https://lwn.net/Articles/392006/
On Fri, Apr 10, 2015 at 02:16:40PM +0100, Daniel P. Berrange wrote:
On Fri, Apr 10, 2015 at 08:09:58AM -0500, James Leu wrote:
> Hello,
>
> I'm seeing syslog messages "bleed" from the host and other LXC into
> the messages, maillog, secure logs of other LXCs.
>
> I'm using libvirt 1.0.0 on a host with systemd and kernel 3.9.10.
> Each LXC is running an older non-systemd linux distribution
>
> Is this a known issue? Is there a work around?
There is no syslog separation in the kernel namespaces. Libvirt does
not even create /dev/log device in the container by default. So I'm
curious how you've configured the guest - could be something missing
that allows cross-pollution
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
--
James R. Leu | Director of Technology | INOC | Madison, WI, USA
O: +1-608-204-0203 | F: +1-608-663-4558 | jleu(a)inoc.com | www.inoc.com
Service. Not Software.®
3514
days inactive
3514
days old
3 comments
3 participants
participants (3)
-
Daniel P. Berrange -
James Leu -
Sven Schwedas