[systemd-devel] Fwd: [systemd-commits] Makefile.am src/bootchart - Make bootcharts go to the journal
Kok, Auke-jan H
auke-jan.h.kok at intel.com
Tue Apr 16 10:16:21 PDT 2013
On Tue, Apr 16, 2013 at 1:47 AM, Colin Guthrie <gmane at colin.guthr.ie> wrote:
> 'Twas brillig, and Kok, Auke-jan H at 16/04/13 00:33 did gyre and gimble:
>> FYI - this is a first pass to putting the bootcharts into the journal,
>> exactly as coredump does. Ultimately, I will probably make bootcharts
>> not go to disk other than the journal by default.
>>
>> A single one-liner can be used to get the latest bootchart automatically:
>>
>> $ journalctl -b MESSAGE_ID=9f26aa562cf440c2b16c773d0479b518
>> --field=BOOTCHART > bootchart.svg
>
> Just out of curiosity, what is the rational behind doing this? I think
> it's really cool that we can store arbitrary things in the journal, but
> I have concerns about storing potentially large stuff in there. The
> bootchart is likely not that big, but especially with coredumps (which
> has patches now thankfully) a small period of "dump frenzy" can fill up
> your logs and cause rotation. This could be exploited at some point in
> the future by an attacker to cover their tracks making you think some
> software had just gone haywire when reviewing your (rotated) journals.
>
> Was there anything particularly wrong or problematic previously with
> writing out to a file? Other than a log of previous boots, what
> advantage does it have to keep them in the journal?
>
> I'm mostly playing devils advocate here. I do kinda like the fact it's
> in there personally, but then I like shiny things.
There's a few reasons why in this case I think it's good:
- bootchart is optional
- the value of comparing bootcharts to previous bootcharts is
extremely high (single bootcharts are of less value unless you can
compare them)
- it compresses well (it's not compressed right now, but it should be
easy to enable compression) and so it doesn't use that much space. My
100 bootcharts compressed from 75M to 5.9M with xz.
- you can only reboot that often. Even on my developer system that I
reboot often I still only had 100 bootcharts between june 2012 and
today (and that system generates a bootchart on every boot by default)
There's also the fact that the journal will rotate things away. If you
don't log persistently, your bootcharts also won't be retained, etc.
Ultimately, we don't want to put more files in /var/log or /run/log at
all, and the journal seems the best place to put things like this.
And that goes for a lot more things too.
Auke
PS: I would love to see a "generic" retreive attachment function to
journalctl - something where we can pre-define attachment types that
are known in an array (coredumps, bootcharts, the likes) and do
something like `journalctl extract --type=all|bootchart|coredump
....`. It seems silly that we have coredumpctl implement this
generically but only for coredumps, and should just live in
journalctl.
More information about the systemd-devel
mailing list