
Logging in LXC

Logging

One problem you'll run into is that access to kernel logging is limited or unavailable from inside an LXC container. For some use cases (like netfilter's LOG target) any logging that happens in an LXC container is effectively blackholed: LOG writes to the kernel ring buffer, which is global to the host and which an unprivileged container normally can't read, so the messages are not recorded anywhere the container can see without a change on the host. Most often the solution to these permission/security problems is to find a way to get the same information from userspace.

ulogd2

You can solve the netfilter LOG problem with ulogd2, which replaces kernel logging with userspace logging: NFLOG hands each logged packet over netlink to a listener in the container's own network namespace, and ulogd2 running inside the container is that listener. After installing and configuring ulogd2, replace any reference to LOG with NFLOG in your netfilter/iptables rules, and make sure the --nflog-group in each rule matches a group ulogd2 binds. Don't worry if this doesn't make sense right now; I'll talk about this more in the Firewall Setup section.

ulogd is a userspace logging daemon for netfilter/iptables related logging. This includes per-packet logging of security violations, per-packet logging for accounting, per-flow logging and flexible user-defined accounting.
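As an added example (my own code, not from this page or from the ulogd2 project), the following Python does the LOG to NFLOG swap described above over an iptables-save style ruleset and then checks the result against an ulogd2 config: every --nflog-group a rule sends to must be bound by an NFLOG input instance in one of the config's stack= lines, otherwise the packets go nowhere, silently, which is exactly the blackhole we are trying to get rid of. The ruleset, the config fragment, the chain-to-group mapping and the group numbers are constructed for the example.

```python
"""Rewrite iptables LOG rules to NFLOG and check the groups against ulogd2.conf.

Added example for this page (not code from the page or from ulogd2); the
ruleset, config fragment and group numbers below are constructed for illustration.
"""
import re

# Constructed sample in iptables-save format, still using the kernel LOG target.
SAMPLE_RULES = """\
-A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID: " --log-level 4
-A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH: "
-A FORWARD -j LOG --log-prefix "FWD-DROP: " --log-tcp-options
-A FORWARD -j DROP
"""

# Constructed ulogd2.conf fragment in the shape of a stack-per-group setup, with
# the [logN] input sections that give each NFLOG instance its netlink group.
SAMPLE_ULOGD_CONF = """\
[global]
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:LOGEMU
stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:LOGEMU

[log1]
group=1

[log2]
group=2

[firewall]
file="/var/log/ulog/firewall.log"
sync=1
"""

# "-A <chain> <matches> -j LOG <log options>"; the target must be exactly LOG,
# so existing NFLOG rules are left alone.
LOG_RULE = re.compile(r'^(-A\s+(\S+)(?:\s.*?)?)\s+-j\s+LOG\b(.*)$')
PREFIX_OPT = re.compile(r'--log-prefix\s+("[^"]*"|\S+)')
NFLOG_GROUP = re.compile(r'-j\s+NFLOG\b.*?--nflog-group\s+(\d+)')


def log_to_nflog(rules, group_by_chain, default_group=0):
    """Turn every '-j LOG' rule into '-j NFLOG --nflog-group N'.

    N is looked up per chain so different chains can feed different ulogd2
    stacks (and files). --log-prefix becomes --nflog-prefix; --log-level and
    the other --log-* flags are dropped because NFLOG has no equivalent: what
    gets written, and where, is decided by ulogd2's output plugins.
    """
    out = []
    for line in rules.splitlines():
        m = LOG_RULE.match(line)
        if not m:
            out.append(line)
            continue
        head, chain, tail = m.groups()
        new = f"{head} -j NFLOG --nflog-group {group_by_chain.get(chain, default_group)}"
        prefix = PREFIX_OPT.search(tail)
        if prefix:
            new += f" --nflog-prefix {prefix.group(1)}"
        out.append(new)
    return "\n".join(out) + "\n"


def parse_ulogd_conf(conf):
    """Minimal ulogd2.conf reader: returns (list of stacks, {section: {key: value}})."""
    stacks, sections, current = [], {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()        # '#stack=...' lines are inactive
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif line.startswith("stack="):
            stacks.append([tuple(p.strip().split(":")) for p in line[len("stack="):].split(",")])
        elif current and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return stacks, sections


def bound_nflog_groups(conf):
    """Netlink groups ulogd2 will bind: one per NFLOG input instance in an
    active stack, taken from group= in that instance's section (0 if unset)."""
    stacks, sections = parse_ulogd_conf(conf)
    return {int(sections.get(name, {}).get("group", 0))
            for stack in stacks for name, plugin in stack if plugin == "NFLOG"}


def unlistened_groups(rules, conf):
    """Groups that rules send to but no ulogd2 stack binds. Packets logged to
    such a group are discarded silently; the rule still 'works', it just logs nothing."""
    used = set()
    for line in rules.splitlines():
        if "-j NFLOG" in line:
            m = NFLOG_GROUP.search(line)
            used.add(int(m.group(1)) if m else 0)   # iptables' default group is 0
    return used - bound_nflog_groups(conf)


if __name__ == "__main__":
    rewritten = log_to_nflog(SAMPLE_RULES, {"INPUT": 1, "FORWARD": 2})
    print(rewritten)
    print("bound by ulogd2:", sorted(bound_nflog_groups(SAMPLE_ULOGD_CONF)))
    print("nobody listening:", sorted(unlistened_groups(rewritten, SAMPLE_ULOGD_CONF)))
```

Run it as a script to see the rewritten rules and any group nobody listens to. The check reads the group= key of each NFLOG instance's own section rather than trusting the stack= line, because the stack only names the instance; an instance with no section binds group 0, which is also what an iptables NFLOG rule without --nflog-group sends to.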

Installation

apt install ulogd2

Configuration

To get the output you want, you have to edit the ulogd2 config…

# /etc/ulogd2.conf
- stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+ #stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
...
+ stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:LOGEMU
+ stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:LOGEMU
+ stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:LOGEMU
+ 
+ [firewall]
+ file="/var/log/ulog/firewall.log"
+ sync=1
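
Review bot: the three new stack= lines each name an NFLOG input instance (log1, log2, log3) but the hunk only shows the [firewall] output section; each NFLOG instance binds the netlink group given by group= in its own [log1]/[log2]/[log3] section, and falls back to group 0 when there is none, so if the elided part of the file no longer carries those sections all three stacks listen on group 0 and the --nflog-group values used in the iptables rules will not line up. Consider showing the [logN] sections with their group= values next to [firewall]. Also worth a word: sync=1 flushes the file after every line, so nothing sits in a buffer if ulogd2 dies, at the cost of a write per logged packet.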

Connection Tracking

Similarly to netfilter logging, connection tracking in an LXC container is more limited due to not having access to the host's /proc filesystem, which is where the old /proc/net/ip_conntrack style interface lives. But you can install conntrack to get at connection tracking from userspace instead: it talks to the kernel over netlink rather than through /proc.

conntrack

The conntrack utility provides a full featured userspace interface to the Netfilter connection tracking system that is intended to replace the old /proc/net/ip_conntrack interface. This tool can be used to search, list, inspect and maintain the connection tracking subsystem of the Linux kernel.

Installation

apt install conntrack
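As an added example (my own code, not from this page or from conntrack-tools), here is a small parser for the lines conntrack -L prints, with the check a practitioner would actually run from inside a container: which flows did the container itself open, to which ports, and which of those never got an answer. The sample output, the container address 10.0.3.5 and the allow-list of outbound ports are constructed for the example.

```python
"""Parse `conntrack -L` output and flag flows worth a second look.

Added example for this page (not code from the page or from conntrack-tools);
the sample output, addresses and ports are constructed for illustration.
"""

# Constructed `conntrack -L` output as seen inside a container whose address is 10.0.3.5.
SAMPLE_CONNTRACK_L = """\
tcp      6 431999 ESTABLISHED src=10.0.3.5 dst=93.184.216.34 sport=41234 dport=443 src=93.184.216.34 dst=10.0.3.5 sport=443 dport=41234 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.3.5 dst=10.0.3.1 sport=53412 dport=53 src=10.0.3.1 dst=10.0.3.5 sport=53 dport=53412 mark=0 use=1
tcp      6 117 SYN_SENT src=10.0.3.5 dst=203.0.113.9 sport=50001 dport=4444 [UNREPLIED] src=203.0.113.9 dst=10.0.3.5 sport=4444 dport=50001 mark=0 use=1
tcp      6 299 ESTABLISHED src=198.51.100.7 dst=10.0.3.5 sport=52210 dport=22 src=10.0.3.5 dst=198.51.100.7 sport=22 dport=52210 [ASSURED] mark=0 use=1
"""

TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_conntrack_line(line):
    """One `conntrack -L` line -> dict.

    Layout: proto, protocol number, timeout, an optional TCP state, the original
    tuple (src/dst/sport/dport), the reply tuple, bracketed flags such as
    [UNREPLIED] / [ASSURED], then key=value extras (mark=, use=, ...).
    The reply tuple begins at the second src=.
    """
    tok = line.split()
    entry = {"proto": tok[0], "timeout": int(tok[2]), "state": None,
             "flags": set(), "orig": {}, "reply": {}}
    rest = tok[3:]
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        entry["state"] = rest.pop(0)              # tcp has a state column, udp does not
    side = "orig"
    for t in rest:
        if t.startswith("[") and t.endswith("]"):
            entry["flags"].add(t[1:-1])
            continue
        key, _, value = t.partition("=")
        if key == "src" and "src" in entry["orig"]:
            side = "reply"
        if key in TUPLE_KEYS:
            entry[side][key] = int(value) if key.endswith("port") else value
        else:
            entry[key] = value
    return entry


def parse_conntrack(output):
    return [parse_conntrack_line(l) for l in output.splitlines() if l.strip()]


def flag_flows(entries, local_addr, allowed_outbound_ports):
    """Return (reason, entry) pairs for flows the container initiated that go to
    a port outside the allow list, or that the peer never answered ([UNREPLIED],
    the shape a scan or a blocked callback leaves behind)."""
    findings = []
    for e in entries:
        if e["orig"].get("src") != local_addr:
            continue                              # inbound: the peer initiated it
        if e["orig"].get("dport") not in allowed_outbound_ports:
            findings.append(("unexpected outbound port", e))
        if "UNREPLIED" in e["flags"]:
            findings.append(("outbound flow never answered", e))
    return findings


if __name__ == "__main__":
    flows = parse_conntrack(SAMPLE_CONNTRACK_L)
    for reason, e in flag_flows(flows, "10.0.3.5", {53, 80, 443}):
        o = e["orig"]
        print(f"{reason}: {e['proto']} {o['src']} -> {o['dst']}:{o['dport']} {e['state'] or ''}")
```

The original tuple is the direction the first packet travelled, so comparing its src to the container's own address separates connections the container opened from ones it accepted; that is the distinction you want when asking whether something inside the container is calling out. Feed the script real output with `conntrack -L | python3 this_script.py`-style plumbing once you have adapted the address and allow-list.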