[Devel] Re: iptables in container, wrong log destination, need pointer
Serge E. Hallyn
serue at us.ibm.com
Thu Feb 11 09:51:10 PST 2010
Quoting Jean-Marc Pigeon (jmp at safe.ca):
> Hello,
>
>
> I have containerized syslog, such that each container has its
> own syslog.
>
> Containers can have their own set of iptables rules.
>
> I was expecting CONT: iptables log reports to be
> sent to the CONT: syslog, which is not the case;
> they are rather sent to HOST: syslog.
>
> This means to me, iptables rules are containerized,
> but the execution is NOT (CONT: rules are checked
> within the HOST: context, not the CONT: context).
>
> Could somebody give me hint where I should look
> in the code, to have a better understanding about
> what is happening?
Again, printk can be called from any context, so you can't
rely on 'current'. But you are relying on current in
emit_log_char() to get the syslog_ns. That is why you're
getting that.
You're going to have to keep a separate container_printk
(nsprintk) which is called with a syslog_ns. Then in
functions where you know you can determine the syslog_ns,
you can call that fn instead of printk and pass the ns.
Note that since iptables printks are happening out of
context, this means yet another problem: you'll need to
have a way to get the syslog_ns from the netns, which
I suspect is the only thing you can track at that point.
-serge
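A small userspace model of the two designs contrasted above, added here as an example (it is not kernel code and not from this thread; the struct layouts, the `nsprintk` signature and the netns-to-syslog_ns link are assumptions). It shows why a printk that resolves its destination from `current` misroutes a LOG-target message raised in softirq context, while passing the namespace explicitly routes it correctly.

```c
#include <stddef.h>
#include <string.h>

/* Per-namespace log buffer: stands in for a container's syslog (assumed layout). */
struct syslog_ns { const char *name; char buf[256]; size_t len; };
/* Task with its syslog namespace, like current->nsproxy->syslog_ns (assumption). */
struct task { const char *comm; struct syslog_ns *syslog_ns; };
/* Network namespace carrying a back-link to its syslog_ns (hypothetical link). */
struct net { const char *name; struct syslog_ns *syslog_ns; };

/* Whatever task the CPU happened to be running when the softirq fired. */
static struct task *current;

static void ns_emit(struct syslog_ns *ns, const char *msg)
{
    size_t n = strlen(msg);
    if (ns->len + n >= sizeof ns->buf)
        return;                      /* drop when full, like a full ring buffer */
    memcpy(ns->buf + ns->len, msg, n);
    ns->len += n;
}

/* Design 1: destination derived from 'current' (what the mail warns against). */
static void printk_via_current(const char *msg) { ns_emit(current->syslog_ns, msg); }

/* Design 2: caller passes the namespace it has already determined. */
static void nsprintk(struct syslog_ns *ns, const char *msg) { ns_emit(ns, msg); }

/* An iptables LOG rule firing for a packet that belongs to 'net'. This runs in
 * softirq context, so 'current' is unrelated to the container owning the packet. */
static void ipt_log_hit(struct net *net, int explicit_ns)
{
    const char *line = "IN=eth0 OUT= PROTO=TCP DPT=22\n";   /* constructed sample */
    if (explicit_ns)
        nsprintk(net->syslog_ns, line);   /* syslog_ns looked up from the netns */
    else
        printk_via_current(line);         /* lands wherever 'current' points */
}

/* Returns 1 if the message reached the container's syslog, 0 if it leaked to the host's. */
int route_log(int explicit_ns)
{
    struct syslog_ns host = { "host", "", 0 }, cont = { "cont", "", 0 };
    struct task host_task = { "host-idle", &host };
    struct net cont_net = { "cont-netns", &cont };

    current = &host_task;            /* the interrupted task belongs to the host */
    ipt_log_hit(&cont_net, explicit_ns);
    return cont.len > 0 && host.len == 0;
}
```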
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers