James Leu
2015-Apr-10 13:09 UTC
[libvirt-users] LXC and syslog separation (/dev/log)
Hello,

I'm seeing syslog messages "bleed" from the host and other LXC into the messages, maillog, secure logs of other LXCs.

I'm using libvirt 1.0.0 on a host with systemd and kernel 3.9.10. Each LXC is running an older non-systemd Linux distribution.

Is this a known issue? Is there a workaround?

Thank you for your time,
Jim

--
James R. Leu | Director of Technology | INOC | Madison, WI, USA
O: +1-608-204-0203 | F: +1-608-663-4558 | jleu@inoc.com | www.inoc.com
Service. Not Software.®
Daniel P. Berrange
2015-Apr-10 13:16 UTC
Re: [libvirt-users] LXC and syslog separation (/dev/log)
On Fri, Apr 10, 2015 at 08:09:58AM -0500, James Leu wrote:
> Hello,
>
> I'm seeing syslog messages "bleed" from the host and other LXC into
> the messages, maillog, secure logs of other LXCs.
>
> I'm using libvirt 1.0.0 on a host with systemd and kernel 3.9.10.
> Each LXC is running an older non-systemd linux distribution
>
> Is this a known issue? Is there a work around?

There is no syslog separation in the kernel namespaces. Libvirt does not even create a /dev/log device in the container by default. So I'm curious how you've configured the guest - could be something missing that allows cross-pollution.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
Sven Schwedas
2015-Apr-10 14:13 UTC
Re: [libvirt-users] LXC and syslog separation (/dev/log)
On 2015-04-10 15:16, Daniel P. Berrange wrote:
> On Fri, Apr 10, 2015 at 08:09:58AM -0500, James Leu wrote:
>> Hello,
>>
>> I'm seeing syslog messages "bleed" from the host and other LXC into
>> the messages, maillog, secure logs of other LXCs.
>>
>> I'm using libvirt 1.0.0 on a host with systemd and kernel 3.9.10.
>> Each LXC is running an older non-systemd linux distribution
>>
>> Is this a known issue? Is there a work around?
>
> There is no syslog separation in the kernel namespaces. Libvirt does
> not even create /dev/log device in the container by default. So I'm
> curious how you've configured the guest - could be something missing
> that allows cross-pollution

I suspect bind-mounting the host's /dev – it's a common suggestion I've seen in chrooting tutorials.

> Regards,
> Daniel

--
Best Regards,
Sven Schwedas
System Administrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas@tao.at | +43 (0)680 301 7167
http://software.tao.at
James Leu
Re: [libvirt-users] LXC and syslog separation (/dev/log)
Hello Daniel,

Thank you for your response.

Here is a sample LXC config:
<domain type='lxc'>
  <name>foo0</name>
  <uuid>c070385f-1aa0-4a4f-ab03-8cabe03a9c0b</uuid>
  <memory unit='KiB'>4194304</memory>
  <currentMemory unit='KiB'>4194304</currentMemory>
  <vcpu placement='static'>2</vcpu>
  <os>
    <type arch='i686'>exe</type>
    <init>/sbin/init-lxc</init>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/home/foo0/root'/>
      <target dir='/'/>
    </filesystem>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/home/foo0/archive'/>
      <target dir='/archive'/>
    </filesystem>
    <interface type='bridge'>
      <source bridge='br112'/>
    </interface>
    <interface type='bridge'>
      <source bridge='br113'/>
    </interface>
    <interface type='bridge'>
      <source bridge='br114'/>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
</domain>
Here is a portion of lsof output from syslogd running in the LXC:

COMMAND PID USER FD  TYPE DEVICE             SIZE    NODE       NAME
syslogd 346 root cwd DIR  152,96             4096    2          /
syslogd 346 root rtd DIR  152,96             4096    2          /
syslogd 346 root txt REG  152,96             34025   499860     /sbin/syslogd
syslogd 346 root mem REG  152,96             34025   499860     /sbin/syslogd
syslogd 346 root 0u  unix 0xffff8808246bb740         1439616359 /dev/log
syslogd 346 root 2w  REG  152,96             112506  803231     /var/log/messages
syslogd 346 root 3w  REG  152,96             0       803227     /var/log/secure
syslogd 346 root 4w  REG  152,96             1364785 803235     /var/log/maillog
syslogd 346 root 5w  REG  152,96             808140  803214     /var/log/cron
syslogd 346 root 6w  REG  152,96             0       803203     /var/log/spooler
syslogd 346 root 7w  REG  152,96             0       803216     /var/log/boot.log
/dev in the LXC is:

none on /dev type devtmpfs (rw)

I've tried removing /dev/log in the LXC and then restarting syslogd (which recreates /dev/log), but I still get bleed.

Is this a unix socket namespace issue?
https://lwn.net/Articles/392006/
On Fri, Apr 10, 2015 at 02:16:40PM +0100, Daniel P. Berrange wrote:
> On Fri, Apr 10, 2015 at 08:09:58AM -0500, James Leu wrote:
> > Hello,
> >
> > I'm seeing syslog messages "bleed" from the host and other LXC into
> > the messages, maillog, secure logs of other LXCs.
> >
> > I'm using libvirt 1.0.0 on a host with systemd and kernel 3.9.10.
> > Each LXC is running an older non-systemd linux distribution
> >
> > Is this a known issue? Is there a work around?
>
> There is no syslog separation in the kernel namespaces. Libvirt does
> not even create /dev/log device in the container by default. So I'm
> curious how you've configured the guest - could be something missing
> that allows cross-pollution
>
> Regards,
> Daniel
> --
> |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org -o- http://virt-manager.org :|
> |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

--
James R. Leu | Director of Technology | INOC | Madison, WI, USA
O: +1-608-204-0203 | F: +1-608-663-4558 | jleu@inoc.com | www.inoc.com
Service. Not Software.®
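The mount line in the message above shows the container's /dev as devtmpfs. devtmpfs is a single kernel instance: every mount of it, on the host or in any container, presents the same set of nodes, so a /dev/log socket bound by one container's syslogd is the very same inode that the host's and the other containers' loggers see, and whoever bound it last receives everyone's messages. A private tmpfs on /dev (or a /dev populated by libvirt) gives each container its own /dev/log. The script below is an added example, not code from this thread or from libvirt: a POSIX shell check that reads /proc/self/mountinfo from inside a container and classifies how /dev is mounted. The two embedded mountinfo listings are constructed for the example (the column layout follows proc(5); the device numbers and options are made up) and are not captured from the poster's system.

```shell
#!/bin/sh
# Added example: classify how /dev is mounted inside a container from a
# /proc/self/mountinfo listing. A devtmpfs /dev is shared with the host and
# every other container that mounts devtmpfs; a tmpfs /dev is private.

# Print the filesystem type of the mount whose mount point is $2 in the
# mountinfo text $1. Per proc(5) the mount point is field 5 and the fstype
# is the field right after the "-" separator (optional fields may precede it).
dev_fstype() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $5 == mp {
            for (i = 7; i <= NF; i++) if ($i == "-") { print $(i + 1); exit }
        }'
}

# Classify a container's /dev: "shared" for devtmpfs, "private" for tmpfs,
# "none" when /dev is not a separate mount at all (it is then just a
# directory of the container's root filesystem), "other:<fstype>" otherwise.
classify_dev() {
    fstype=$(dev_fstype "$1" /dev)
    case "$fstype" in
        devtmpfs) echo shared ;;
        tmpfs)    echo private ;;
        "")       echo none ;;
        *)        echo "other:$fstype" ;;
    esac
}

# Constructed sample listings (not from a real system). The first models the
# thread's "none on /dev type devtmpfs (rw)"; the second is the private form.
SHARED_DEV='36 35 0:34 / / rw,relatime - ext4 /dev/mapper/vg-foo0 rw
37 36 0:5 / /dev rw,relatime - devtmpfs none rw,size=8g,mode=755'
PRIVATE_DEV='36 35 0:34 / / rw,relatime - ext4 /dev/mapper/vg-foo0 rw
37 36 0:40 / /dev rw,nosuid - tmpfs tmpfs rw,mode=755'
NO_DEV_MOUNT='36 35 0:34 / / rw,relatime - ext4 /dev/mapper/vg-foo0 rw'

if [ "${1:-}" = "--self" ]; then
    # Run against the mount namespace this shell is executing in.
    echo "this namespace: $(classify_dev "$(cat /proc/self/mountinfo)")"
else
    echo "sample shared:  $(classify_dev "$SHARED_DEV")"
    echo "sample private: $(classify_dev "$PRIVATE_DEV")"
    echo "sample none:    $(classify_dev "$NO_DEV_MOUNT")"
fi
```

Run with `--self` inside each container to see which case it falls into; "shared" is the configuration that produces the cross-container bleed described in the thread, because the loggers are all contending for one socket file.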