hujuice Guru
Joined: 16 Oct 2007 Posts: 346 Location: Nicosia, Cyprus
Posted: Wed Dec 22, 2010 11:21 am Post subject: syslog-ng: Error setting capabilities (in OpenVZ) |
Hello everybody,
I have an apparently simple syslog-ng problem, but I cannot find an explanation within my knowledge. Googling around, it seems that this is a very unusual problem (but I cannot believe it).
I'm also opening this post to try to leave a record on the Internet.
Here is the reason for my headache, the error message:

intovps ~ # /etc/init.d/syslog-ng start
syslog-ng: Error setting capabilities, capability management disabled; error='Operation not permitted'
 * Starting syslog-ng ...
syslog-ng: Error setting capabilities, capability management disabled; error='Operation not permitt [ ok ]
You can see two things.
1) syslog-ng starts, even after the double error message.
2) I'm in a VPS. More exactly, I'm on a OpenVZ commercial VPS.
At a glance, the logger works as expected. My logs are owned as I want.
What am I losing? How do I avoid the error?
Regards,
HUjuice
syslog-ng.conf:

@version: 3.0
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo.3.0,v 1.1 2009/05/25 20:07:21 mr_bones_ Exp $
# See: http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch08s09.html

options {
    # To be explained
    chain_hostnames(no);
    # Allow the creation of (sub)dirs
    create_dirs(yes);
    # Files and directories (assumes a logger:1021 group exists)
    dir_owner(0);
    dir_group(1001);
    dir_perm(0770);
    owner(0);
    group(1001);
    perm(0640);
    # Buffer before writing
    flush_lines(0);
    flush_timeout(10000);
    # Do I need statistics?
    #stats_freq(0);
    # The default action of syslog-ng is to log a STATS line
    # to the file every 10 minutes. That's pretty ugly after a while.
    # Change it to every 12 hours so you get a nice daily update of
    # how many messages syslog-ng missed (0).
    stats_freq(43200);
};

# Kernel messages
source s_kern {
    file("/proc/kmsg");
};
filter f_kern { facility(kern); };
destination kern { file("/var/log/kern.log"); };
log { source(s_kern); filter(f_kern); destination(kern); };

# Internal messages (syslog-ng's own)
source s_logger {
    internal();
};
destination logger { file("/var/log/syslog-ng.log"); };
log { source(s_logger); destination(logger); };

# Application messages
source s_apps {
    unix-stream("/dev/log" max-connections(256));
};
destination apps { file("/var/log/apps.log"); };
log { source(s_apps); destination(apps); };

# Cumulative log of everything
destination messages { file("/var/log/messages"); };
log {
    source(s_kern); source(s_logger); source(s_apps);
    destination(messages);
};

# Per-level logs
# Emergency
filter f_emerg { level(emerg); };
destination emerg { file("/var/log/emerg.log"); };
log {
    source(s_kern); source(s_logger); source(s_apps);
    filter(f_emerg);
    destination(emerg);
};
# Alert
filter f_alert { level(alert); };
destination alert { file("/var/log/alert.log"); };
log {
    source(s_kern); source(s_logger); source(s_apps);
    filter(f_alert);
    destination(alert);
};
# Critical
filter f_crit { level(crit); };
destination crit { file("/var/log/crit.log"); };
log {
    source(s_kern); source(s_logger); source(s_apps);
    filter(f_crit);
    destination(crit);
};
# Error
filter f_err { level(err); };
destination err { file("/var/log/err.log"); };
log {
    source(s_kern); source(s_logger); source(s_apps);
    filter(f_err);
    destination(err);
};
# Warning (uses f_warn, so warn.log does not receive err-level messages)
filter f_warn { level(warn); };
destination warn { file("/var/log/warn.log"); };
log {
    source(s_kern); source(s_logger); source(s_apps);
    filter(f_warn);
    destination(warn);
};

# Logs for specific applications
# User messages
filter f_user { facility(user); };
destination user { file("/var/log/user.log"); };
log { source(s_apps); filter(f_user); destination(user); };
# SMTP and related
filter f_mail { facility(mail); };
destination mail { file("/var/log/mail.log"); };
log { source(s_apps); filter(f_mail); destination(mail); };
# Services
filter f_daemon { facility(daemon); };
destination daemon { file("/var/log/daemon.log"); };
log { source(s_apps); filter(f_daemon); destination(daemon); };
# Authentication
filter f_auth { facility(auth, authpriv); };
destination auth { file("/var/log/auth.log"); };
log { source(s_apps); filter(f_auth); destination(auth); };
# Print
filter f_lpr { facility(lpr); };
destination lpr { file("/var/log/lpr.log"); };
log { source(s_apps); filter(f_lpr); destination(lpr); };
# Cron
filter f_cron { facility(cron); };
destination cron { file("/var/log/cron.log"); };
log { source(s_apps); filter(f_cron); destination(cron); };

# Local facilities
filter f_local0 { facility(local0); };
destination locals0 { file("/var/log/locals0.log"); };
log { source(s_apps); filter(f_local0); destination(locals0); };
filter f_local1 { facility(local1); };
destination locals1 { file("/var/log/locals1.log"); };
log { source(s_apps); filter(f_local1); destination(locals1); };
filter f_local2 { facility(local2); };
destination locals2 { file("/var/log/locals2.log"); };
log { source(s_apps); filter(f_local2); destination(locals2); };
filter f_local3 { facility(local3); };
destination locals3 { file("/var/log/locals3.log"); };
log { source(s_apps); filter(f_local3); destination(locals3); };
filter f_local4 { facility(local4); };
destination locals4 { file("/var/log/locals4.log"); };
log { source(s_apps); filter(f_local4); destination(locals4); };
filter f_local5 { facility(local5); };
destination locals5 { file("/var/log/locals5.log"); };
log { source(s_apps); filter(f_local5); destination(locals5); };
filter f_local6 { facility(local6); };
destination locals6 { file("/var/log/locals6.log"); };
log { source(s_apps); filter(f_local6); destination(locals6); };
filter f_local7 { facility(local7); };
destination locals7 { file("/var/log/locals7.log"); };
log { source(s_apps); filter(f_local7); destination(locals7); };
syslog-ng version:

intovps ~ # equery list syslog-ng
[ Searching for package 'syslog-ng' in all categories among: ]
 * installed packages
[I--] [  ] app-admin/syslog-ng-3.1.2 (0)
syslog-ng USE flags:

intovps ~ # equery uses syslog-ng
[ Searching for packages matching syslog-ng... ]
[ Colour Code : set unset ]
[ Legend : Left column (U) - USE flags from make.conf ]
[        : Right column (I) - USE flags packages was installed with ]
[ Found these USE variables for app-admin/syslog-ng-3.1.2 ]
 U I
 + + caps         : Use Linux capabilities library to control privilege
 - - hardened     : activate default security enhancements for toolchain (gcc, glibc, binutils)
 - - ipv6         : Adds support for IP version 6
 + + pcre         : Adds support for Perl Compatible Regular Expressions
 - - selinux      : !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
 - - spoof-source : Enable support for spoofed source addresses
 - - sql          : Enable support for SQL destinations
 + + ssl          : Adds support for Secure Socket Layer connections
 - - static       : !!do not set this during bootstrap!! Causes binaries to be statically linked instead of dynamically
 + + tcpd         : Adds support for TCP wrappers
My 'special' kernel and arch:

intovps ~ # uname -mr
2.6.18-194.26.1.el5.028stab070.14xen x86_64
_________________
Who hasn't a spine, should have a method.
Balage n00b
Joined: 10 Jan 2008 Posts: 18 Location: Hungary
Posted: Mon Jan 17, 2011 1:29 pm Post subject: |
It may be that Linux capabilities are disabled in the host's kernel.
Check for:

Security options
[*] Enable different security models
[*] Default Linux Capabilities
hujuice Guru
Joined: 16 Oct 2007 Posts: 346 Location: Nicosia, Cyprus
Posted: Mon Jan 17, 2011 8:15 pm Post subject: |
Balage wrote: "It may be that Linux capabilities are disabled in the host's kernel."

It is "almost" so.
The OpenVZ kernel is a special kernel. Its latest stable version is 2.6.18.
My given kernel is generally rich, but full support for capabilities comes with kernels >= 2.6.24 (see http://www.kernel.org/doc/man-pages/online/pages/man7/capabilities.7.html). So I surely have something less than a new kernel.
This is the theory, but I'm unable to understand more.
In fact, I still get that error, and my files are still owned as I want.
Thanks for the answer, Balage.
Regards,
HUjuice
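The thread above leaves open what the VPS actually allows: syslog-ng reported that it could not set its capabilities and then kept running with whatever privileges it already had. The script below is an added example (not from the original posts, and not syslog-ng's own code) that decodes the capability masks the kernel exposes in /proc/<pid>/status and lists which capabilities are missing from the bounding set of the shell it runs in. Assumptions, all labelled in the code: capability numbering follows linux/capability.h; CapBnd is only present in /proc/<pid>/status from kernel 2.6.26 onward, so on older kernels such as the 2.6.18 OpenVZ one the script falls back to CapEff; the SYSLOG_NG_CAPS list is what syslog-ng 3.x tries to keep by default and is taken from its source, not from this thread. The file name capcheck.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread or from syslog-ng itself:
# decode a capability mask as printed in /proc/<pid>/status and report the
# capabilities a daemon such as syslog-ng could not keep inside this VPS.
#
# Assumptions (not taken from the thread):
#  - capability numbers follow linux/capability.h (cap_chown = 0, ...);
#  - CapBnd exists in /proc/<pid>/status only from kernel 2.6.26 on, so
#    older kernels (e.g. OpenVZ 2.6.18) fall back to CapEff;
#  - SYSLOG_NG_CAPS is the default set syslog-ng 3.x asks for (from its
#    source; cap_syslog only exists on kernels >= 2.6.38).

CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid \
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable \
cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock \
cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace \
cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource \
cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write \
cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog \
cap_wake_alarm cap_block_suspend cap_audit_read cap_perfmon cap_bpf \
cap_checkpoint_restore"

SYSLOG_NG_CAPS="cap_chown cap_dac_override cap_dac_read_search cap_fowner \
cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_admin cap_syslog"

# decode_caps HEXMASK: print the name of every capability whose bit is set,
# one per line. The 64-bit mask is split into two 32-bit halves so the
# arithmetic also works in shells that only have 32-bit integers.
decode_caps() {
    hex=${1#0x}
    hex=$(printf '%16s' "$hex" | tr ' ' 0)   # left-pad to 16 hex digits
    hi=$((0x${hex%????????}))                # upper 32 bits: caps 32..63
    lo=$((0x${hex#????????}))                # lower 32 bits: caps 0..31
    i=0
    for name in $CAP_NAMES; do
        if [ "$i" -lt 32 ]; then
            bit=$(( (lo >> i) & 1 ))
        else
            bit=$(( (hi >> (i - 32)) & 1 ))
        fi
        [ "$bit" -eq 1 ] && printf '%s\n' "$name"
        i=$((i + 1))
    done
    return 0
}

# missing_caps "NEEDED ..." HEXMASK: print each needed capability that is
# absent from the mask, one per line; prints nothing if all are present.
missing_caps() {
    have=" $(decode_caps "$2" | tr '\n' ' ') "
    for want in $1; do
        case "$have" in
            *" $want "*) ;;
            *) printf '%s\n' "$want" ;;
        esac
    done
    return 0
}

# read_mask FIELD [STATUSFILE]: read a Cap* hex field from a status file
# (default /proc/self/status). CapBnd falls back to CapEff on kernels that
# do not expose a bounding set there.
read_mask() {
    file=${2:-/proc/self/status}
    val=$(sed -n "s/^$1:[[:space:]]*//p" "$file")
    if [ -z "$val" ] && [ "$1" = CapBnd ]; then
        val=$(sed -n 's/^CapEff:[[:space:]]*//p' "$file")
    fi
    printf '%s\n' "$val"
}

# report: compare this shell's bounding set against SYSLOG_NG_CAPS.
report() {
    mask=$(read_mask CapBnd)
    printf 'bounding set: %s\n' "$mask"
    missing=$(missing_caps "$SYSLOG_NG_CAPS" "$mask")
    if [ -n "$missing" ]; then
        printf 'not grantable here: %s\n' "$(printf '%s' "$missing" | tr '\n' ' ')"
    else
        printf 'all capabilities syslog-ng asks for are available\n'
    fi
}

[ -r /proc/self/status ] && report
```

Run it as root inside the container (sh capcheck.sh). A capability that is absent from the bounding set cannot be acquired by any process in that container, which is exactly the situation in which libcap's cap_set_proc() returns EPERM and syslog-ng prints the "capability management disabled" line and carries on with full root privileges; that is what is lost. On a 2.6.18 kernel the CapBnd line is absent, so the script reports the effective set instead, which is the best approximation that kernel offers.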