Re: [Users] syslog-ng unable to read /proc/kmsg on 2.6.32-042stab076.5

[Frank Myhr]

(Replying to self):

Work-around is to start syslog-ng with --no-caps. On Debian / Ubuntu, this line should be in /etc/default/syslog-ng (make sure it's not 
commented out):
SYSLOGNG_OPTS="--no-caps"
I still think it's not ideal for CAP_FS_FREEZE to share the same capability bit as CAP_SYSLOG. Guess I'll file a kernel bug and see what the 
devs say.



On 04/18/2013 12:11 PM, Frank Myhr wrote:
Hi,

I have an AMD64 node that runs Ubuntu 12.04 LTS and syslog-ng. After updating 
the kernel from 2.6.32-042stab072.10 to 2.6.32-042stab076.5
syslog-ng is unable to read /proc/kmsg:

# /etc/init.d/syslog-ng start
  * Starting system logging syslog-ng
Error opening file for reading; filename='/proc/kmsg', error='Operation not 
permitted (1)'
Error initializing source driver; source='kernel', id='kernel#0'
Error initializing message pipeline;

File permission remains 0400, which works with other kernels:

# ls -l /proc/kmsg
-r-------- 1 root root 0 Apr 18 11:28 /proc/kmsg

I temporarily commented out the syslog-ng configuration that attempts to read 
/proc/kmsg:
#source "kernel" { file("/proc/kmsg" program_override("kernel")); };

syslog-ng then starts up fine. Looking at its capabilities:

# cat /proc/14768/status
...
CapInh: 0000000000000000
CapPrm: fffffffbffffffff
CapEff: fffffffbffffffff
CapBnd: fffffffbffffffff
...

I notice that bit 34 is zero. This is also true of the init (upstart) process:

# cat /proc/1/status
...
CapInh: 0000000000000000
CapPrm: fffffffbffffffff
CapEff: fffffffbfffffeff
CapBnd: fffffffbffffffff
...

Looking in patch-042stab076 from the kernel source, I see:
+#define CAP_FS_FREEZE        34

But since mainline kernel 2.6.38 or so we have CAP_SYSLOG which is also bit 34. 
I don't fully understand which of the kernel, init, libcap,
and syslog-ng request and grant/deny access to /proc/kmsg. But I suspect that a 
collision between CAP_FS_FREEZE and CAP_SYSLOG is preventing
syslog-ng from reading /proc/kmsg on 2.6.32-042stab076.5. I see that 
CAP_FS_FREEZE is new since 2.6.32-042stab072.10, on which syslog-ng
works fine:

$ grep -i "cap_fs_freeze" patch-042stab072
$

Would appreciate any help or insight:
* Do you think this is a kernel bug or something else?
* Any work-around to get syslog-ng to log kernel messages?

Thanks,
Frank
_______________________________________________
Users mailing list
Users@openvz.org
https://lists.openvz.org/mailman/listinfo/users

_______________________________________________
Users mailing list
Users@openvz.org
https://lists.openvz.org/mailman/listinfo/users