I used plain ubuntu 16.04 server to make lxd containers (lxc launch ubuntu:16.04
Errors were encountered while processing:
avahi-daemon
avahi-utils
libnss-mdns:amd64
E: Sub-process /usr/bin/dpkg returned an error code (1)
Digging deeper revealed that
chroot.c: fork() failed: Resource temporarily unavailable
avahi-daemon: failed to start chroot() helper daemon.
As described also in
https://lists.linuxcontainers.org/pipermail/lxc-users/2016-January/010791.html
https://bugzilla.redhat.com/show_bug.cgi?id=1203731
I looked around and found similar issue
https://github.com/lxc/lxc/issues/25
but it was closed four years ago as there was not enough information. However, it looks to be still referenced and updated frequently. Will it be solved and closed (again) one day?
I also found
https://bugs.launchpad.net/maas/+bug/1661869 (comment#1)
but from there I understand that it should work on unprivileged containers (which is what I am using), so I am taking this up here.
Should it work?
If not, why do processes of one guest limit processes of another guest?
(I had thought that unprivileged containers were isolated from each other.)
--
I also looked for a workaround for this issue, and found out a bit more about the rlimit-nproc value:
https://github.com/lathiat/avahi/issues/97
says that the nproc limit is for security and is perhaps not so useful there either
https://blog.dbi-services.com/linux-how-to-monitor-the-nproc-limit-1/
recommends setting the nproc value to 16K for Oracle server
https://loune.net/2011/02/avahi-setrlimit-nproc-and-lxc/
and this one says to remove the limit fully.
I ended up setting the nproc value (/etc/avahi/avahi-daemon.conf) in the lxd guests from 3 to 30 and managed to get my avahi working.
I wrote up my workaround here in case it helps somebody else, and also in the hope that somebody who understands more about the issue could comment on whether this is a solid workaround.
--
Environment used on the host:
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial
lxc info
driver: lxc
driverversion: 2.0.7
kernel: Linux
kernelarchitecture: x86_64
kernelversion: 4.4.0-62-generic
server: lxd
serverversion: 2.0.9
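As an added diagnostic, not part of the original post, here is a small POSIX shell script that counts processes per kernel uid, which is the view the host has of every container at once, and flags any uid whose process count has reached a given rlimit-nproc value. The ps sample is constructed; the 100000 id base and the avahi uid 108 (kernel uid 100108) are assumptions used only for illustration.

```shell
#!/bin/sh
# Added example: count processes per kernel uid as seen from the LXD host and
# flag uids whose count has reached a given RLIMIT_NPROC value.
# Assumption (illustrative): unprivileged containers sharing the default
# 100000 id base map their local avahi user (uid 108 here) to kernel uid 100108.

# Constructed sample of `ps -eo uid=` output: two containers with the same id
# base each run avahi-daemon plus its chroot helper as the same kernel uid.
SAMPLE_PS_UIDS='0
0
1000
100108
100108
100108
100108
100108'

# Read one uid per line on stdin; print "count uid", highest count first.
count_by_uid() {
  sort -n | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# $1 = limit; read "count uid" lines on stdin; print uids at or over the limit.
uids_at_limit() {
  awk -v lim="$1" '$1 >= lim { print $2 }'
}

# Process count for a single kernel uid ($1) in the constructed sample.
sample_count_for_uid() {
  printf '%s\n' "$SAMPLE_PS_UIDS" | count_by_uid | awk -v u="$1" '$2 == u { print $1 }'
}

# Uids in the constructed sample that have reached limit $1.
sample_uids_at_limit() {
  printf '%s\n' "$SAMPLE_PS_UIDS" | count_by_uid | uids_at_limit "$1"
}

if [ "${1:-}" = "--live" ]; then
  # On a real host: ps -eo uid= lists the kernel uid of every process,
  # container processes included. Default limit 3 matches avahi's stock value.
  ps -eo uid= | count_by_uid | uids_at_limit "${2:-3}"
else
  # Offline demo against the constructed sample with avahi's default limit of 3.
  sample_uids_at_limit 3
fi
```

Run it with --live on the host to see which kernel uids are at the limit; a uid in the container range showing up there while each container's own avahi looks idle is the sign that two guests are sharing one kernel uid.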
So all you did was set the nproc value to 30? I did just that but still can't start the avahi-daemon.
rlimits as used by systemd are tied to kernel uid/gid and aren't namespace aware, so they do cross container boundary and affect other containers, whether those containers are privileged or not.
One way around the problem is to tell avahi not to set the rlimit.
Another way around the problem is to have a different uid/gid allocation per container which with LXD is done by first increasing the id range in /etc/subuid and /etc/subgid, then restart the LXD daemon and lastly setting the security.idmap.isolated property to true.
Each container will then get its own 65536 non-overlapping uids and gids, effectively making rlimits tied to a given container.
The reason why people think that avahi will work in an unprivileged container is because unprivileged containers use a different id range from the host.
So out of the box, you can have avahi running on the host and in ONE unprivileged container. But if running more than one unprivileged container, you'll run into the problem unless you're using security.idmap.isolated.
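The idmap isolation procedure from the comment above, as an added shell example that is neither from the thread nor from the LXD project: it checks whether two uid ranges overlap, computes how many isolated containers a subuid allocation can hold, and wraps the host-side steps (extend /etc/subuid and /etc/subgid, restart LXD, set security.idmap.isolated, restart the container). The root:1000000:1000000000 allocation, the 65536 per-container size and the volatile.idmap.base key used for verification are assumptions; the apply step runs only when invoked with --apply on a host that has LXD, and the service name lxd assumes the Ubuntu 16.04 deb package.

```shell
#!/bin/sh
# Added example of LXD per-container idmap isolation; not the project's own code.

# Constructed scenario: the host starts with the stock "root:100000:65536"
# entry, and we add a large range so each container can get its own 65536 ids.
NEW_SUBID_ENTRY='root:1000000:1000000000'   # assumption: size of the new range
PER_CONTAINER=65536                          # assumption: ids per container

# Return 0 if [b1, b1+s1) and [b2, b2+s2) share any id, else 1.
ranges_overlap() {
  b1=$1; s1=$2; b2=$3; s2=$4
  if [ "$b1" -lt $((b2 + s2)) ] && [ "$b2" -lt $((b1 + s1)) ]; then
    return 0
  fi
  return 1
}

# Base id of the container with index $3 (from 0) when the range starts at $1
# and each container gets $2 ids.
isolated_base() {
  echo $(( $1 + $3 * $2 ))
}

# How many containers of $2 ids fit in a range of $1 ids.
max_isolated_containers() {
  echo $(( $1 / $2 ))
}

# Size field of a "user:start:count" subid entry.
subid_count() {
  printf '%s' "$1" | cut -d: -f3
}

# Host-side steps from the thread; needs root and LXD, so only run with --apply.
apply_isolation() {
  container=$1
  # 1. enlarge the id range LXD may hand out (append only if not already there)
  grep -qxF "$NEW_SUBID_ENTRY" /etc/subuid || echo "$NEW_SUBID_ENTRY" >> /etc/subuid
  grep -qxF "$NEW_SUBID_ENTRY" /etc/subgid || echo "$NEW_SUBID_ENTRY" >> /etc/subgid
  # 2. restart the LXD daemon so it re-reads the ranges (deb package service name)
  systemctl restart lxd
  # 3. give this container its own non-overlapping range, then restart it
  lxc config set "$container" security.idmap.isolated true
  lxc restart "$container"
  # 4. verify: the base should now differ per container (key name is an assumption)
  lxc config get "$container" volatile.idmap.base
}

if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
  apply_isolation "$2"
else
  # Offline demo: the stock range cannot separate two containers, the new one can.
  if ranges_overlap 100000 65536 100000 65536; then
    echo "stock range: two containers share 100000..165535, so rlimits collide"
  fi
  total=$(subid_count "$NEW_SUBID_ENTRY")
  echo "new range holds $(max_isolated_containers "$total" "$PER_CONTAINER") isolated containers"
  echo "container 0 base: $(isolated_base 1000000 "$PER_CONTAINER" 0)"
  echo "container 1 base: $(isolated_base 1000000 "$PER_CONTAINER" 1)"
fi
```

Without arguments the script only prints the arithmetic for the constructed scenario; the restart in step 3 matters because the container's files are re-shifted to the new id range when it comes back up, and after that a per-uid limit hit inside one guest can no longer exhaust the same kernel uid in another.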