I have a pretty old LXC configuration, with kernel 2.6.32 and LXC 0.7. The problem is I wasn't able to make all syslog-ng instances in both host and containers work. The syslog-ng daemon is running, however isn't writing anything to log files.

The culprit is the /dev/log UNIX socket.

The syslog in UNIX system is running in client/server mode:

• client is the syslog() interface in glibc. syslog() connects to socket /dev/log and send messages via the socket.
• and server is the listener of socket /dev/log, such as syslog-ng, rsyslog.

1. ulimit and rlimit

Literally, ulimit is per user resource limit, such like the total process number allowed to spawn, and the total number of file allowed to open etc. In Linux, user delegates process to apply system resource. To understand ulimit, one must get clear idea of rlimit of process.

The definition of rlimit:

1
2
3
4

struct rlimit {
    rlim_t rlim_cur;  /* Soft limit */
    rlim_t rlim_max;  /* Hard limit (ceiling for rlim_cur) */
};

rlimit structure is used to describe resource limit of process (not accurate actually, will explain later). rlim_cur is current active limit and rlim_max is the ceiling value of rlim_cur.