LxcSyslogNs
This page is a temporary place to gather information for the design of a syslog namespace, which is needed for lxc, and in particular called out by this blueprint: https://blueprints.launchpad.net/ubuntu/+spec/servercloud-r-lxc .
A syslog namespace has been discussed before on the containers mailing list. I believe the general design decisions spelled out here are still the way to go:
http://lists.linuxfoundation.org/pipermail/containers/2010-February/022848.html
As we don't have clone bits to spare, we need to find a new way to unshare a syslog ns. Someone recently suggested simply using a new syslog(2) command. I think that seems reasonable.
The user and network namespaces will point to a syslog namespace.
Unsharing a syslog namespace requires CAP_SYSLOG against the current user ns. So creating a full container would consist of:

    #define SYSLOG_NEWNS 11        /* proposed new syslog(2) command */

    int child_fn(void *arg)
    {
        /* unshare the syslog ns; needs CAP_SYSLOG in the current user ns,
         * which the freshly cloned user ns grants us */
        if (syslog(SYSLOG_NEWNS, NULL, 0) < 0)   /* the syslog(2) syscall, not syslog(3) */
            return 1;
        ...
    }

    int main(void)
    {
        container_init = clone(child_fn, stack_top,
                               CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET | ..., NULL);
    }
This works because after cloning a new user namespace, you have full capabilities in your new userns.
printk by default will continue to be targeted at the init_user_ns. Most things we print out from the kernel should in fact go to the host's syslog.
For printks which we do want to see in the container, a new nsprintk (which printk will wrap) will accept a target syslog_ns.
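The following is an added user-space model of the design above (constructed for this page, not kernel code or code from the lxc project): it ties together the unshare rule (CAP_SYSLOG checked against the caller's user ns, which a fresh user ns grants) and the printk/nsprintk split (plain printk stays on the host's log, nsprintk takes a target ns). The structs, the model_syslog and run_scenario functions, and the sample messages are all assumptions made for the model; only SYSLOG_NEWNS comes from the page.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* User-space model of the proposed design (constructed for illustration, not kernel code). */
#define SYSLOG_NEWNS 11          /* the proposed new syslog(2) command from the page */
#define LOG_BUF 256
struct syslog_ns { char buf[LOG_BUF]; };                            /* one log buffer per ns */
struct user_ns   { bool cap_syslog; struct syslog_ns *syslog_ns; }; /* user ns -> syslog ns */
struct task      { struct user_ns *user_ns; };
static struct syslog_ns init_syslog_ns;                             /* the host's syslog */
static struct user_ns   init_user_ns = { true, &init_syslog_ns };

/* nsprintk: a printk that takes an explicit target syslog ns */
static void nsprintk(struct syslog_ns *ns, const char *fmt, ...)
{
    va_list ap; size_t used = strlen(ns->buf);
    va_start(ap, fmt);
    vsnprintf(ns->buf + used, LOG_BUF - used, fmt, ap);
    va_end(ap);
}
/* plain printk stays targeted at init_user_ns: most kernel messages belong to the host */
#define printk(...) nsprintk(init_user_ns.syslog_ns, __VA_ARGS__)

/* syslog(SYSLOG_NEWNS): unshare, permitted only with CAP_SYSLOG in the caller's user ns */
static int model_syslog(int type, struct task *t, struct syslog_ns *fresh)
{
    if (type != SYSLOG_NEWNS || !t->user_ns->cap_syslog) return -1; /* -EINVAL / -EPERM */
    memset(fresh->buf, 0, LOG_BUF);
    t->user_ns->syslog_ns = fresh;               /* the user ns now points at the new syslog ns */
    return 0;
}

/* The page's scenario: a task without CAP_SYSLOG is refused; a task that cloned a new user ns
 * holds full caps there, so its unshare succeeds. Returns 0 if every step behaves as designed. */
int run_scenario(void)
{
    static struct syslog_ns child_syslog_ns;
    struct user_ns unpriv = { false, &init_syslog_ns };
    struct user_ns child_userns = { true, &init_syslog_ns };       /* right after CLONE_NEWUSER */
    struct task unpriv_task = { &unpriv }, child = { &child_userns };
    memset(init_syslog_ns.buf, 0, LOG_BUF);
    if (model_syslog(SYSLOG_NEWNS, &unpriv_task, &child_syslog_ns) != -1) return 1;
    if (model_syslog(SYSLOG_NEWNS, &child, &child_syslog_ns) != 0) return 2;
    printk("host: eth0 link up\n");                                 /* lands in the host log */
    nsprintk(child.user_ns->syslog_ns, "container: init started\n"); /* lands in the child's */
    if (strcmp(init_syslog_ns.buf, "host: eth0 link up\n")) return 3;
    if (strcmp(child_syslog_ns.buf, "container: init started\n")) return 4;
    return 0;
}

int main(void) { return run_scenario(); }
```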
LxcSyslogNs (last edited 2012-11-06 17:19:33 by serge-hallyn)