[Users] syslog-ng unable to read /proc/kmsg on 2.6.32-042stab076.5

Frank Myhr fmyhr at fhmtech.com
Sat Apr 20 11:16:39 EDT 2013


(Replying to self):

Work-around is to start syslog-ng with --no-caps. On Debian / Ubuntu, this line should be in /etc/default/syslog-ng (make sure it's not 
commented out):
SYSLOGNG_OPTS="--no-caps"

I still think it's not ideal for CAP_FS_FREEZE to share the same capability bit as CAP_SYSLOG. Guess I'll file a kernel bug and see what the 
devs say.



On 04/18/2013 12:11 PM, Frank Myhr wrote:
> Hi,
>
> I have an AMD64 node that runs Ubuntu 12.04 LTS and syslog-ng. After updating the kernel from 2.6.32-042stab072.10 to 2.6.32-042stab076.5
> syslog-ng is unable to read /proc/kmsg:
>
> # /etc/init.d/syslog-ng start
>   * Starting system logging syslog-ng
> Error opening file for reading; filename='/proc/kmsg', error='Operation not permitted (1)'
> Error initializing source driver; source='kernel', id='kernel#0'
> Error initializing message pipeline;
>
> File permission remains 0400, which works with other kernels:
>
> # ls -l /proc/kmsg
> -r-------- 1 root root 0 Apr 18 11:28 /proc/kmsg
>
> I temporarily commented out the syslog-ng configuration that attempts to read /proc/kmsg:
> #source "kernel" { file("/proc/kmsg" program_override("kernel")); };
>
> syslog-ng then starts up fine. Looking at its capabilities:
>
> # cat /proc/14768/status
> ...
> CapInh: 0000000000000000
> CapPrm: fffffffbffffffff
> CapEff: fffffffbffffffff
> CapBnd: fffffffbffffffff
> ...
>
> I notice that bit 34 is zero. This is also true of the init (upstart) process:
>
> # cat /proc/1/status
> ...
> CapInh: 0000000000000000
> CapPrm: fffffffbffffffff
> CapEff: fffffffbfffffeff
> CapBnd: fffffffbffffffff
> ...
>
> Looking in patch-042stab076 from the kernel source, I see:
> +#define CAP_FS_FREEZE        34
>
> But since mainline kernel 2.6.38 or so we have CAP_SYSLOG which is also bit 34. I don't fully understand which of the kernel, init, libcap,
> and syslog-ng request and grant/deny access to /proc/kmsg. But I suspect that a collision between CAP_FS_FREEZE and CAP_SYSLOG is preventing
> syslog-ng from reading /proc/kmsg on 2.6.32-042stab076.5. I see that CAP_FS_FREEZE is new since 2.6.32-042stab072.10, on which syslog-ng
> works fine:
>
> $ grep -i "cap_fs_freeze" patch-042stab072
> $
>
> Would appreciate any help or insight:
> * Do you think this is a kernel bug or something else?
> * Any work-around to get syslog-ng to log kernel messages?
>
> Thanks,
> Frank
> _______________________________________________
> Users mailing list
> Users at openvz.org
> https://lists.openvz.org/mailman/listinfo/users



More information about the Users mailing list