[Users] syslog-ng unable to read /proc/kmsg on 2.6.32-042stab076.5

Mon Apr 22 15:30:10 EDT 2013

On 04/20/2013 08:16 AM, Frank Myhr wrote:
> (Replying to self):
>
> Work-around is to start syslog-ng with --no-caps. On Debian / Ubuntu, 
> this line should be in /etc/default/syslog-ng (make sure it's not 
> commented out):
> SYSLOGNG_OPTS="--no-caps"
>
> I still think it's not ideal for CAP_FS_FREEZE to share the same 
> capability bit as CAP_SYSLOG. Guess I'll file a kernel bug and see 
> what the devs say.
>
>
>
> On 04/18/2013 12:11 PM, Frank Myhr wrote:
>> Hi,
>>
>> I have an AMD64 node that runs Ubuntu 12.04 LTS and syslog-ng. After 
>> updating the kernel from 2.6.32-042stab072.10 to 2.6.32-042stab076.5
>> syslog-ng is unable to read /proc/kmsg:
>>
>> # /etc/init.d/syslog-ng start
>>   * Starting system logging syslog-ng
>> Error opening file for reading; filename='/proc/kmsg', 
>> error='Operation not permitted (1)'
>> Error initializing source driver; source='kernel', id='kernel#0'
>> Error initializing message pipeline;
>>
>> File permission remains 0400, which works with other kernels:
>>
>> # ls -l /proc/kmsg
>> -r-------- 1 root root 0 Apr 18 11:28 /proc/kmsg
>>
>> I temporarily commented out the syslog-ng configuration that attempts 
>> to read /proc/kmsg:
>> #source "kernel" { file("/proc/kmsg" program_override("kernel")); };
>>
>> syslog-ng then starts up fine. Looking at its capabilities:
>>
>> # cat /proc/14768/status
>> ...
>> CapInh: 0000000000000000
>> CapPrm: fffffffbffffffff
>> CapEff: fffffffbffffffff
>> CapBnd: fffffffbffffffff
>> ...
>>
>> I notice that bit 34 is zero. This is also true of the init (upstart) 
>> process:
>>
>> # cat /proc/1/status
>> ...
>> CapInh: 0000000000000000
>> CapPrm: fffffffbffffffff
>> CapEff: fffffffbfffffeff
>> CapBnd: fffffffbffffffff
>> ...
>>
>> Looking in patch-042stab076 from the kernel source, I see:
>> +#define CAP_FS_FREEZE        34
>>
>> But since mainline kernel 2.6.38 or so we have CAP_SYSLOG which is 
>> also bit 34. I don't fully understand which of the kernel, init, libcap,
>> and syslog-ng request and grant/deny access to /proc/kmsg. But I 
>> suspect that a collision between CAP_FS_FREEZE and CAP_SYSLOG is 
>> preventing
>> syslog-ng from reading /proc/kmsg on 2.6.32-042stab076.5. I see that 
>> CAP_FS_FREEZE is new since 2.6.32-042stab072.10, on which syslog-ng
>> works fine:
>>
>> $ grep -i "cap_fs_freeze" patch-042stab072
>> $
>>
>> Would appreciate any help or insight:
>> * Do you think this is a kernel bug or something else?
>> * Any work-around to get syslog-ng to log kernel messages?
>>

We have fixed that in 042stab077.7 kernel, which is now released, please 
give it a try.

Kir.