Hello Gordon,

On Thu, 2010-07-01 at 08:54 +0100, Gordon Henderson wrote:
> On Thu, 1 Jul 2010, Gordon Henderson wrote:
>
> > Hi,
> >
> > I'm experimenting with some iptables inside a container - no real issues
> > there, it just works, but I'm a little confused by the logging messages..
> >
> > I'm running rsyslogd and the firewall log messages are going where they'd
> > normally go (ie. I've not changed any settings there), so normally I see
> > them in the output of dmesg and they're stored in /var/log/kern.log (this
> > is Debian and the rsyslogd.conf file has:
> >
> > kern.* -/var/log/kern.log
> >
> > However the file kern.log seems to be missing a lot of entries that are
> > appearing in the output of dmesg.
> >
> > I don't currently have kernel timestamps turned on, so I can't properly
> > correlate dmesg output with the log-files, but I'm just wondering if there
> > is anything significant here - anything obvious I'm missing?
>
> Hm. Following up my own post.. I've just realised the messages are getting
> stored in the host's kern.log file too, so I'm now confused. Is it actually
> possible to have per-container syslogs, or should it all be done on the
> host? I've no issues with the latter, but there doesn't seem to be a way
> to tag them if the host is doing all the logging... (Although since this
> is firewall, there are DST=i.p.address entries in the host's kern.log file,
> but that's OK for iptables logging, but not for individual container
> sendmail, etc. logging...
>
> Using Debian stable, kernel 2.6.33.3 and LXC 0.6.5

I have a "Syslog per containers" implementation; it reports container
iptables logs to the container syslog only. (I do not know if it is done
the "state of the art" way, but it seems to be working here.)

See git.safe.ca; head "2.6.34-syslog-4" could be of some interest to you.
Head "2.6.35-rc4-syslog-4" is working well too, but only for containers on
the x86_64 arch: since 2.6.35, on an i386 arch container, the network is not
responding (packets are lost somewhere) as soon as one iptables rule is set
(even if the rule says ACCEPT!).

On 2.6.34 /sys is not containerized (you see the host /sys/class/net
devices), but it is containerized on 2.6.35 (you see your own container's
net devices only)... Maybe the network problem is related to the /sys change.

My 2 cents.

--
See you soon
Jean-Marc Pigeon
SAFE Inc.
Phone: (514) 493-4280 Fax: (514) 493-1946
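
The thread notes that container firewall hits land in the host's kern.log with DST= fields. As an added example (not from the thread and not the kernel patch mentioned above), a host-side script can sort those lines per container by address. The container names, addresses and log lines are constructed, and one static IPv4 address per container is assumed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed container-to-address map (assumption: one static IPv4 per container).
CONTAINERS = {"web1": "10.0.3.10", "mail1": "10.0.3.11"}

# Constructed kern.log lines in the netfilter LOG target's KEY=value layout.
SAMPLE = [
    "Jul  1 08:50:01 host kernel: IN=br0 OUT= SRC=192.0.2.7 DST=10.0.3.10 LEN=60 PROTO=TCP SPT=51000 DPT=22",
    "Jul  1 08:50:02 host kernel: IN=br0 OUT= SRC=10.0.3.11 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=40000 DPT=25",
    "Jul  1 08:50:03 host kernel: IN=br0 OUT= SRC=192.0.2.7 DST=10.0.3.100 LEN=60 PROTO=TCP SPT=51001 DPT=80",
    "Jul  1 08:50:04 host kernel: IN=br0 OUT=br0 SRC=10.0.3.10 DST=10.0.3.11 LEN=60 PROTO=TCP SPT=40001 DPT=25",
    "Jul  1 08:50:05 host kernel: eth0: link up",
]

FIELD = re.compile(r"\b(SRC|DST)=(\S+)")


def split_by_container(lines, containers=CONTAINERS):
    """Return {bucket: [lines]}; bucket is a container name or "host"."""
    # Compare parsed addresses, not strings, so 10.0.3.100 never matches 10.0.3.10.
    owner = {ip_address(addr): name for name, addr in containers.items()}
    buckets = defaultdict(list)
    for line in lines:
        names = set()
        for _key, value in FIELD.findall(line):
            try:
                name = owner.get(ip_address(value))
            except ValueError:  # truncated or malformed field
                continue
            if name:
                names.add(name)
        # Container-to-container traffic is filed under both containers;
        # lines with no container address (or no SRC/DST) stay with the host.
        for name in sorted(names) or ["host"]:
            buckets[name].append(line)
    return dict(buckets)


if __name__ == "__main__":
    for bucket, entries in sorted(split_by_container(SAMPLE).items()):
        print(f"== {bucket} ({len(entries)})")
        for entry in entries:
            print("  ", entry)
```

This only helps for netfilter LOG lines, which carry addresses; it does nothing for per-container daemon logs such as sendmail, which is the gap the question raises.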
