[libvirt-users] LXC and syslog separation (/dev/log)

Hello,

I'm seeing syslog messages "bleed" from the host and other LXC into the messages, maillog, secure logs of other LXCs.

I'm using libvirt 1.0.0 on a host with systemd and kernel 3.9.10. Each LXC is running an older non-systemd Linux distribution.

Is this a known issue? Is there a workaround?

Thank you for your time,

Jim

-- 
James R. Leu | Director of Technology | INOC | Madison, WI, USA
O: +1-608-204-0203 | F: +1-608-663-4558 | jleu@inoc.com | www.inoc.com
Service. Not Software.®

On Fri, Apr 10, 2015 at 08:09:58AM -0500, James Leu wrote:
> Hello,
> I'm seeing syslog messages "bleed" from the host and other LXC into the messages, maillog, secure logs of other LXCs.
> I'm using libvirt 1.0.0 on a host with systemd and kernel 3.9.10. Each LXC is running an older non-systemd Linux distribution.
> Is this a known issue? Is there a workaround?

There is no syslog separation in the kernel namespaces. Libvirt does not even create a /dev/log device in the container by default. So I'm curious how you've configured the guest - could be something missing that allows cross-pollution.

Regards,
Daniel

-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On 2015-04-10 15:16, Daniel P. Berrange wrote:
> On Fri, Apr 10, 2015 at 08:09:58AM -0500, James Leu wrote:
>> Hello,
>> I'm seeing syslog messages "bleed" from the host and other LXC into the messages, maillog, secure logs of other LXCs.
>> I'm using libvirt 1.0.0 on a host with systemd and kernel 3.9.10. Each LXC is running an older non-systemd Linux distribution.
>> Is this a known issue? Is there a workaround?
>
> There is no syslog separation in the kernel namespaces. Libvirt does not even create a /dev/log device in the container by default. So I'm curious how you've configured the guest - could be something missing that allows cross-pollution.

I suspect bind-mounting the host's /dev – it's a common suggestion I've seen in chrooting tutorials.

> Regards,
> Daniel

-- 
Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas@tao.at | +43 (0)680 301 7167
http://software.tao.at

Hello Daniel,

Thank you for your response. Here is a sample LXC config:

    <domain type='lxc'>
      <name>foo0</name>
      <uuid>c070385f-1aa0-4a4f-ab03-8cabe03a9c0b</uuid>
      <memory unit='KiB'>4194304</memory>
      <currentMemory unit='KiB'>4194304</currentMemory>
      <vcpu placement='static'>2</vcpu>
      <os>
        <type arch='i686'>exe</type>
        <init>/sbin/init-lxc</init>
      </os>
      <clock offset='utc'/>
      <on_poweroff>destroy</on_poweroff>
      <on_reboot>restart</on_reboot>
      <on_crash>restart</on_crash>
      <devices>
        <emulator>/usr/libexec/libvirt_lxc</emulator>
        <filesystem type='mount' accessmode='passthrough'>
          <source dir='/home/foo0/root'/>
          <target dir='/'/>
        </filesystem>
        <filesystem type='mount' accessmode='passthrough'>
          <source dir='/home/foo0/archive'/>
          <target dir='/archive'/>
        </filesystem>
        <interface type='bridge'>
          <source bridge='br112'/>
        </interface>
        <interface type='bridge'>
          <source bridge='br113'/>
        </interface>
        <interface type='bridge'>
          <source bridge='br114'/>
        </interface>
        <console type='pty'>
          <target type='lxc' port='0'/>
        </console>
      </devices>
    </domain>

Here is a portion of lsof from syslogd running in the LXC:

    COMMAND PID USER FD  TYPE DEVICE             SIZE    NODE       NAME
    syslogd 346 root cwd DIR  152,96             4096    2          /
    syslogd 346 root rtd DIR  152,96             4096    2          /
    syslogd 346 root txt REG  152,96             34025   499860     /sbin/syslogd
    syslogd 346 root mem REG  152,96             34025   499860     /sbin/syslogd
    syslogd 346 root 0u  unix 0xffff8808246bb740         1439616359 /dev/log
    syslogd 346 root 2w  REG  152,96             112506  803231     /var/log/messages
    syslogd 346 root 3w  REG  152,96             0       803227     /var/log/secure
    syslogd 346 root 4w  REG  152,96             1364785 803235     /var/log/maillog
    syslogd 346 root 5w  REG  152,96             808140  803214     /var/log/cron
    syslogd 346 root 6w  REG  152,96             0       803203     /var/log/spooler
    syslogd 346 root 7w  REG  152,96             0       803216     /var/log/boot.log

/dev in the LXC is:

    none on /dev type devtmpfs (rw)

I've tried removing /dev/log in the LXC and then restarting syslogd (which recreates /dev/log) but I still get bleed.

Is this a unix socket namespace issue?
https://lwn.net/Articles/392006/

On Fri, Apr 10, 2015 at 02:16:40PM +0100, Daniel P. Berrange wrote:
> On Fri, Apr 10, 2015 at 08:09:58AM -0500, James Leu wrote:
>> Hello,
>> I'm seeing syslog messages "bleed" from the host and other LXC into the messages, maillog, secure logs of other LXCs.
>> I'm using libvirt 1.0.0 on a host with systemd and kernel 3.9.10. Each LXC is running an older non-systemd Linux distribution.
>> Is this a known issue? Is there a workaround?
>
> There is no syslog separation in the kernel namespaces. Libvirt does not even create a /dev/log device in the container by default. So I'm curious how you've configured the guest - could be something missing that allows cross-pollution.
>
> Regards,
> Daniel
>
> -- 
> |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org -o- http://virt-manager.org :|
> |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

-- 
James R. Leu | Director of Technology | INOC | Madison, WI, USA
O: +1-608-204-0203 | F: +1-608-663-4558 | jleu@inoc.com | www.inoc.com
Service. Not Software.®
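A check for the two leak paths raised in this thread: a host /dev bind-mounted into the guest (Sven's suspicion) and a guest /dev that is devtmpfs (James's mount line). devtmpfs is a single kernel-wide instance, so any mount of it exposes the same tree, including the host's /dev/log socket, which is why recreating /dev/log inside the guest does not isolate it. This is an added example, not code from the thread or from libvirt; the domain XML and mount line it parses are constructed from the config and mount output above, with a /dev bind mount added that the original config does not contain.

```python
"""Added example (not from the thread or libvirt): audit an LXC guest for the
two leak paths discussed above: the host's /dev bind-mounted into the guest, or
/dev mounted as devtmpfs (one kernel-wide instance, so it shows host /dev/log)."""
import re
import xml.etree.ElementTree as ET

MOUNT_RE = re.compile(r"^(\S+) on (\S+) type (\S+) \(([^)]*)\)$")

def parse_mount_output(text):
    """Parse mount(8) lines like 'none on /dev type devtmpfs (rw)'."""
    rows = []
    for line in text.splitlines():
        m = MOUNT_RE.match(line.strip())
        if m:
            src, mnt, fstype, opts = m.groups()
            rows.append((src, mnt, fstype, opts.split(",")))
    return rows

def dev_is_shared_devtmpfs(mount_text):
    """True when the guest's /dev is devtmpfs, i.e. shared with the host."""
    return any(mnt == "/dev" and fstype == "devtmpfs"
               for _src, mnt, fstype, _opts in parse_mount_output(mount_text))

def dev_bind_mounts(domain_xml):
    """Return (source, target) of <filesystem> entries that expose /dev."""
    hits = []
    for fs in ET.fromstring(domain_xml).iter("filesystem"):
        src, tgt = fs.find("source"), fs.find("target")
        src_dir = src.get("dir", "") if src is not None else ""
        tgt_dir = tgt.get("dir", "") if tgt is not None else ""
        if "/dev" in (src_dir.rstrip("/"), tgt_dir.rstrip("/")):
            hits.append((src_dir, tgt_dir))
    return hits

def audit(domain_xml, mount_text):
    """Collect findings; an empty list means neither leak path was seen."""
    findings = [f"host {s} bind-mounted at guest {t}"
                for s, t in dev_bind_mounts(domain_xml)]
    if dev_is_shared_devtmpfs(mount_text):
        findings.append("guest /dev is devtmpfs: host /dev/log is visible")
    return findings

# Constructed input: the thread's config trimmed, plus a /dev bind mount the
# original config does NOT have, and the thread's mount line for /dev.
SAMPLE_XML = ("<domain type='lxc'><name>foo0</name><devices>"
              "<filesystem type='mount'><source dir='/home/foo0/root'/>"
              "<target dir='/'/></filesystem><filesystem type='mount'>"
              "<source dir='/dev'/><target dir='/dev'/></filesystem>"
              "</devices></domain>")
SAMPLE_MOUNT = "none on /dev type devtmpfs (rw)\n"
```

Running `audit(SAMPLE_XML, SAMPLE_MOUNT)` yields two findings; against the unmodified config above only the devtmpfs finding remains, which matches the symptom James reports.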