[Devel] Re: iptables in container, wrong log destination, need pointer

Serge E. Hallyn serue at us.ibm.com
Thu Feb 11 09:51:10 PST 2010


Quoting Jean-Marc Pigeon (jmp at safe.ca):
> Hello,
> 
> 
> 	I have containerized syslog, such that each container has its
> 	own syslog.
> 
> 	Containers can have their own set of iptables rules.
> 	
> 	I was expecting CONT: iptables log reports to be
> 	sent to the CONT: syslog, which is not the case;
> 	they are rather sent to HOST: syslog.
> 
> 	This means to me, iptables rules are containerized,
> 	but the execution is NOT (CONT: rules are checked
> 	within the HOST: context, not the CONT: context).
> 
> 	Could somebody give me hint where I should look
> 	in the code, to have a better understanding about
> 	what is happening?

Again, printk can be called from any context, so you can't
rely on 'current'.  But you are relying on current in
emit_log_char() to get the syslog_ns.  That is why you're
getting that.

You're going to have to keep a separate container_printk
(nsprintk) which is called with a syslog_ns.  Then in
functions where you know you can determine the syslog_ns,
you can call that fn instead of printk and pass the ns.

Note that since iptables printks are happening out of
context, this means yet another problem: you'll need to
have a way to get the syslog_ns from the netns, which
I suspect is the only thing you can track at that point.

-serge
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
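The routing problem Serge describes, as an added user-space model that is not code from the thread or from any kernel tree: a `printk()` that resolves the syslog namespace through `current` sends a container's iptables LOG line to whatever task was interrupted (here the host's init), while an `nsprintk()` fed by an assumed `net_to_syslog_ns()` lookup on the netns delivers it to the container's buffer. The struct layouts, the `struct net` to `struct syslog_ns` pointer, the helper names and the sample log line are all constructed for the illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-space model of the log-routing problem in this thread.
 * Not kernel code: the struct names mirror the discussion, but the layouts
 * and helpers (net_to_syslog_ns, nsprintk, task/netns structs) are assumed. */

struct syslog_ns {
    const char *name;
    char buf[256];              /* per-namespace log ring, modelled as a flat buffer */
    size_t len;
};

struct task {                   /* the task's namespace proxy, reduced to one pointer */
    const char *comm;
    struct syslog_ns *syslog_ns;
};

struct net {                    /* network namespace; the syslog_ns link is the
                                   addition the thread says iptables logging needs */
    const char *name;
    struct syslog_ns *syslog_ns;
};

static struct syslog_ns host_ns = { "host", "", 0 };
static struct syslog_ns cont_ns = { "cont", "", 0 };
static struct task host_task = { "host-init", &host_ns };
static struct net  cont_net  = { "cont-netns", &cont_ns };

/* In softirq/packet context 'current' is whatever task was interrupted,
 * here the host's init, which has nothing to do with the container. */
static struct task *current = &host_task;

static void emit_log_line(struct syslog_ns *ns, const char *fmt, va_list ap)
{
    size_t room = sizeof(ns->buf) - ns->len;
    int n = vsnprintf(ns->buf + ns->len, room, fmt, ap);
    if (n > 0)
        ns->len += ((size_t)n < room) ? (size_t)n : room - 1;
}

/* The pattern objected to in the thread: namespace resolved via 'current'. */
static void printk(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    emit_log_line(current->syslog_ns, fmt, ap);
    va_end(ap);
}

/* The suggested alternative: the caller supplies the syslog_ns explicitly. */
static void nsprintk(struct syslog_ns *ns, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    emit_log_line(ns, fmt, ap);
    va_end(ap);
}

/* Assumed lookup: the netns is the only handle available in netfilter. */
static struct syslog_ns *net_to_syslog_ns(struct net *net)
{
    return net->syslog_ns;
}

static void reset_logs(void)
{
    host_ns.len = cont_ns.len = 0;
    host_ns.buf[0] = cont_ns.buf[0] = '\0';
}

/* Returns the name of the namespace whose buffer received the message. */
static const char *who_got(const char *needle)
{
    if (strstr(cont_ns.buf, needle)) return cont_ns.name;
    if (strstr(host_ns.buf, needle)) return host_ns.name;
    return "nobody";
}

/* Models the LOG target firing for a packet in 'net' while an unrelated task
 * is current. use_netns selects which of the two routings the thread contrasts. */
const char *log_packet(struct net *net, int use_netns)
{
    reset_logs();
    if (use_netns)
        nsprintk(net_to_syslog_ns(net), "IN=eth0 DROP SRC=192.0.2.10\n"); /* constructed line */
    else
        printk("IN=eth0 DROP SRC=192.0.2.10\n");   /* net is known here but printk cannot use it */
    return who_got("DROP");
}

int main(void)
{
    printf("via current: %s\n", log_packet(&cont_net, 0));   /* host */
    printf("via netns:   %s\n", log_packet(&cont_net, 1));   /* cont */
    return 0;
}
```

The first call shows the symptom from the original report: the container's DROP line lands in the host's log, where the container cannot see it and where the host's syslog gets entries it never asked for. The second call is the shape of the fix being suggested: carry the namespace explicitly from the one object the packet path does have, the netns.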