On Sun, 2014-02-16 at 16:45 +0100, Matthias Urlichs wrote: > Hi, > > The Wanderer: > > What is the log flow here? Specifically, does the logged information > > flow from source - that is, from the process generating the message > > which gets logged - to journald and also, separately, from source to > > syslog (presumably in the form of rsyslogd), or does it flow from source > > to journald to syslog? (Or something else? Or am I missing / making an > > assumption that turns this into a stupid question?) > > > Systemd owns the syslog socket and will read+buffer syslog messages. > When journald is started, it'll inherit the /dev/log socket (standard > "socket activation" method), read from that, and forward any messages to > rsyslog-or-whatever. Systemd will also forward any stdout+err file > descriptors to journald by way of sendmsg(), but without keeping them open > itself. > > The fact that PID-1 is not in this loop is good because you can't DoS > systemd that way, but on the other hand it does cause a race condition: > syslog messages which are emitted immediately before a process exits > may not be attributed correctly, because journald can't read the extended > credentials (like the cgroup the process is in) from /proc any more.
Well, there is a proposal to add that to SCM_CREDENTIALS or another auxiliary message that can be received through the socket. Ben. > Disclaimer: this is from observation of systemd-204 on current Debian. > -- Ben Hutchings Any sufficiently advanced bug is indistinguishable from a feature.
signature.asc
Description: This is a digitally signed message part