PostgreSQL logging in Jail

I am running PostgreSQL 9.4.1 in a jail and would like to configure logging. The host has
Code:
syslogd_flags="-ss"
set in rc.conf. Normally I would use syslog(3) for PostgreSQL logging.

I am sure there is a simple way to configure logging on Postgres inside a jail but since this is the first time I have done it, I am unsure how to configure it. Any help would be much appreciated.
 
Assuming you want jails to log to the host, you would want to allow the host to log from the network. The -ss flags won't work here. The following should be sufficient, assuming the address is set to the host.

On the host:
/etc/rc.conf
Code:
syslogd_flags="-b 192.168.1.100:syslog"

On the jail:
/etc/syslog.conf
Code:
# log everything to host
*.*  @192.168.1.100
# log just Postgres default of local0
# see http://www.postgresql.org/docs/9.4/static/runtime-config-logging.html
local0.*  @192.168.1.100
 
junovitch, thank you!

I am not 100% sure what I am looking at though. I am excited that you have shown me that it's possible to do all logging from within the jails to the base system; it makes admin much easier. Can you explain what this means, please:
Code:
syslogd_flags="-b 192.168.1.100:syslog"
 
See syslogd(8) for more details. Basically, the default -s flags prevent logging from the network, and the double -ss prevents that along with even opening a network socket. By removing that and specifying an address to bind to with -b, it allows logging from the network, hence logging from the jail. The best practice here when it comes to jails is to give the address of the host; otherwise it will respond on all addresses. That could be confusing when you send something to the jail's address but it's the host that acts on it.
 
junovitch - Sorry I have not come back to this issue in a while. As you would know (because you have been helping me) I have been working on getting my Jails configured properly. I will be coming back to this soon.
 
junovitch@ - I am back to deal with this issue now. Sorry for the long delay and thank you for helping me with this initially.

To better explain my infrastructure, I have the host server on a public IP with a local host address and the Jails have a single public IP each, no local host address. The Jails cannot access the host server at all and there is no local network to use. I am using ezjail to manage the jails. What configuration changes would I need to make to allow the above configuration you recommended to work? The changes are probably very simple but I am being doubly cautious to make sure I do not create any security issues.

I should say that I would like to be able to have multiple PostgreSQL jails on the same host if possible.
 
The same advice is still valid. By default the jails can access the host as this communication will take place over the lo0 loopback interface. By default, each interface's IP address will create a route on lo0 and this can be seen with netstat -nr. Assuming the default configuration, this should just work. If a firewall is in place, ensure that filtering on the loopback either allows it or the loopback interface is skipped altogether.

Local host address goes here
/etc/rc.conf
Code:
syslogd_flags="-b 192.168.1.100:syslog"

PostgreSQL will still log to the local host address of the main host.
/etc/syslog.conf
Code:
# log everything to host
*.*  @192.168.1.100
# log just Postgres default of local0
# see http://www.postgresql.org/docs/9.4/static/runtime-config-logging.html
local0.*  @192.168.1.100
 
Thank you for this. I appreciate your patience with me.

Just to clarify, you are saying that even if I set the host to listen to its public IP for syslog traffic, the traffic will go via the lo0 interface when sent from a Jail on the Host?

So I would set the host /etc/rc.conf to be

Code:
syslogd_flags="-b host.pub.lic.ip:syslog"

Postgres Jail /etc/syslog.conf

Code:
local0.* @host.pub.lic.ip

Is there a way to get the host server listening to multiple IPs? I did a search for this and the best I could work out is it's not possible to bind to multiple addresses.
 
Yes, just do this in your /etc/rc.conf.
Code:
syslogd_flags=""

Now this will override the default -s flags passed in /etc/defaults/rc.conf and your syslogd(8) will be listening on all IP addresses. In this case, even if a jail is set to log to @127.0.0.1 or any other IP address, it will find its way to the host. Keep in mind this can get very confusing if you ever have anything else use 514 in a jail, as the behaviour when the jail is running versus when it is not will change which service is getting the traffic.
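
The cases discussed in this thread (-ss, the default -s, -b with an address, and an empty value) can be checked on a host with a small shell helper. This is an added example, not part of the thread or of FreeBSD: the function names are hypothetical, only -s, -ss and -b are interpreted, and values are assumed to be double-quoted with one flag per token.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes double-quoted values and one flag per token; only -s, -ss, -b are read.

# Print the effective syslogd_flags from an rc.conf-style file ($1).
# Unset falls back to "-s" (the default named in the thread); an explicit ""
# is kept as empty, because it overrides that default.
effective_flags() {
    if grep -q '^[[:space:]]*syslogd_flags="' "$1"; then
        sed -n 's/^[[:space:]]*syslogd_flags="\([^"]*\)".*$/\1/p' "$1" | tail -n 1
    else
        printf '%s\n' "-s"
    fi
}

# Classify a flag string ($1). Runs in a subshell so set -f stays local.
classify_flags() (
    set -f                       # no globbing while word-splitting the flags
    secure=0; bind=""
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -ss)  secure=2 ;;
            -s)   secure=$((secure + 1)) ;;
            -b)   shift; bind="${1:-}" ;;
            -b?*) bind="${1#-b}" ;;
        esac
        if [ $# -gt 0 ]; then shift; fi
    done
    if   [ "$secure" -ge 2 ]; then echo "no-socket"       # -ss: no network socket
    elif [ "$secure" -eq 1 ]; then echo "no-remote-input" # -s: remote messages not logged
    elif [ -n "$bind" ];      then echo "listen:$bind"    # -b: one address
    else                           echo "listen:all"      # no -s, no -b
    fi
)

# Constructed sample file, not a real host's configuration.
sample=$(mktemp)
printf '%s\n' 'sshd_enable="YES"' 'syslogd_flags="-b 192.168.1.100:syslog"' > "$sample"
echo "sample: $(classify_flags "$(effective_flags "$sample")")"
rm -f "$sample"
```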
 