[syslog-ng] help on DNS issue when running syslog-ng chrooted

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Wed Aug 3 05:15:57 CEST 2005


On Tue, 02 Aug 2005 15:28:01 PDT, Arnold Wang said:

> I'm running syslog-ng in chroot mode, followed the instructions in
> http://www.campin.net/syslog-ng/chroot-jail.html. I also enabled DNS
> lookup so I can show the Cisco routers in their friendly names instead
> of IPs. The DNS lookup works fine until I enabled chroot mode. I copied
> "nsswitch.conf" and "resolv.conf" files into $CHROOTDIR/etc as well,
> just in case.

You'll also need any shared libs your syslog-ng binary needs (use ldd to find them),
and probably stuff in $CHROOT/dev as well (dev/null and dev/zero come to mind).

I'm probably missing something here - 'strace -f chroot $CHROOT bin/syslog-ng' will
show you if you're missing anything else...

> BTW, the host is RHEL4 and I set SELinux to "permissive".

'permissive' will probably throw a whole lot of AVC messages unless you label
the contexts for the files in the chroot tree (fortunately, there's hopefully
not a lot, so hand-labelling is probably feasible).  Sorry, the inability to
use 'restorecon' to label a chroot tree is a known deficiency in the current
tools...

Fortunately, in permissive mode, each avc message is only printed once, so you'll
get spammed with a bunch of messages at startup (and probably one/two more logmsgs
for each logfile it opens).

> Will my configuration work? If so, what should I check? Thanks in
> advance for help.

Shared libs.. /dev entries. The strace command I gave should help find
other stuff that's missing.  Good luck. ;)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/syslog-ng/attachments/20050802/96b39521/attachment.pgp


More information about the syslog-ng mailing list