This appears to be coming from /etc/logrotate.d/syslog-ng, specifically this stanza:

/var/log/syslog {
        rotate 7
        daily
        compress
        delaycompress
        postrotate
                /usr/sbin/invoke-rc.d syslog-ng reload >/dev/null
        endscript
}

The part that causes the message is the postrotate syslog-ng reload,
which also happens when you do a /etc/init.d/syslog-ng start:

    # /etc/init.d/syslog-ng start
    Starting system logging: syslog-ngsyslog-ng: Error setting file number limit; limit='4096'; error='Operation not permitted'

The initscript is doing this when it happens:

    + start-stop-daemon --start --quiet --exec /usr/sbin/syslog-ng --pidfile /var/run/syslog-ng.pid -- -p /var/run/syslog-ng.pid
    syslog-ng: Error setting file number limit; limit='4096'; error='Operation not permitted'

I can do this by hand and get the same result; it also happens if I
remove start-stop-daemon from the picture:

    # /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
    syslog-ng: Error setting file number limit; limit='4096'; error='Operation not permitted'

Using strace, I see it happening:

    setrlimit(RLIMIT_NOFILE, {rlim_cur=4*1024, rlim_max=4*1024}) = -1 EPERM (Operation not permitted)
    write(2, "syslog-ng: Error setting file nu"..., 90syslog-ng: Error setting file number limit; limit='4096'; error='Operation not permitted'
    ) = 90

According to syslog-ng(8):

    --fd-limit
        Set the minimal number of required file descriptors (fd-s); this
        sets how many files syslog-ng can keep open simultaneously. Default
        value: 4096. Note that this does not override the global ulimit
        setting of the host.

I'm willing to bet that 'ulimit -n' shows 1024, and that inside your
vserver environment, you do not have the kernel capabilities to adjust
ulimit settings. According to capabilities(7), you need the
CAP_SYS_RESOURCE capability in order to increase resource limits.

I believe you can change these limits per context
(http://linux-vserver.org/Resource_Limits), or you can add the
CAP_SYS_RESOURCE capability to the context: edit the vserver
configuration file (/etc/vservers/*.conf) and modify the S_CAPS line
like this:

    S_CAPS="CAP_SYS_RESOURCE"

(cf. http://linux-vserver.org/util-vserver:Capabilities_and_Flags).

However, giving any capabilities beyond the default set can be
considered a (sometimes severe) reduction in guest security (i.e. you
are handing over control to host specific parts which can be used either
for DoS or in most cases direct control over host specific entities).

So I think the best way to solve this is either the cgroup facility in
vservers (I'm not sure how to do that), or by simply setting
/etc/default/syslog-ng to have this:

    # Command line options to syslog-ng
    SYSLOGNG_OPTS="--fd-limit 1024"
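
Added example, not part of the original message: a shell check that reads the hard RLIMIT_NOFILE and the CapEff mask from /proc/self/status (Linux assumed) and prints a --fd-limit value that stays within what the context may set without being granted CAP_SYS_RESOURCE. The function names has_cap_sys_resource, pick_fd_limit and report are hypothetical.

```shell
#!/bin/sh
# Added example: decide whether syslog-ng's setrlimit(RLIMIT_NOFILE) can
# succeed in this context, and pick a --fd-limit value that will not fail.

CAP_SYS_RESOURCE_BIT=24   # capability number from <linux/capability.h>

# has_cap_sys_resource MASK
# MASK is the hex CapEff value from /proc/<pid>/status.
# Succeeds (exit 0) when the CAP_SYS_RESOURCE bit is set.
has_cap_sys_resource() {
    [ $(( (0x${1:-0} >> $CAP_SYS_RESOURCE_BIT) & 1 )) -eq 1 ]
}

# pick_fd_limit WANT HARD MASK
# Prints the value to pass to --fd-limit: WANT when it fits under the hard
# limit or the process holds CAP_SYS_RESOURCE, otherwise the hard limit.
pick_fd_limit() {
    want=$1 hard=$2 mask=$3
    if [ "$hard" = "unlimited" ] || [ "$hard" -ge "$want" ]; then
        echo "$want"
    elif has_cap_sys_resource "$mask"; then
        echo "$want"
    else
        echo "$hard"
    fi
}

# Live check: compare this context with syslog-ng's default of 4096.
report() {
    [ -r /proc/self/status ] || { echo "no /proc/self/status"; return 0; }
    mask=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    hard=$(ulimit -Hn)
    echo "hard nofile limit: $hard, CapEff: ${mask:-0}"
    echo "SYSLOGNG_OPTS=\"--fd-limit $(pick_fd_limit 4096 "$hard" "${mask:-0}")\""
}
report
```

Run it inside the guest as the user that starts syslog-ng; the last line it prints can be copied into /etc/default/syslog-ng.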

