Remove default rlimit-nproc=3

By default, avahi-daemon.conf configures rlimit-nproc=3 to limit the number of processes running to 3. In some cases, this would prevent avahi from starting within a container. It is presumed this was an attempt to limit attack vectors or Denial of Service potential of an exploited bug in Avahi. A problem arises (avahi fails to launch) when the same UID is re-used on the system, such as containers without UID remapping also running avahi. In particular, setting security.privileged=true on LXD containers causes this behavior and avahi will fail to launch in containers because the total number of processes under the avahi UID on the system exceeds 3. We comment out the default rlimit-nproc=3 setting from avahi-daemon.conf and update the relevant manpage with this information. (Closes: #97) References: https://bugs.launchpad.net/maas/+bug/1661869 https://lists.linuxcontainers.org/pipermail/lxc-users/2016-January/010791.html lxc/lxc#25
avahi · Feb 5, 2017 · 537371c · 537371c
1 parent 98b881d
commit 537371c
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 5 deletions.
diff --git a/avahi-daemon/avahi-daemon.conf b/avahi-daemon/avahi-daemon.conf
@@ -65,4 +65,4 @@ rlimit-data=4194304
 rlimit-fsize=0
 rlimit-nofile=768
 rlimit-stack=4194304
-rlimit-nproc=3
+#rlimit-nproc=3
diff --git a/man/avahi-daemon.conf.5.xml.in b/man/avahi-daemon.conf.5.xml.in
@@ -360,10 +360,18 @@
       <p><opt>rlimit-stack=</opt> Value in bytes for RLIMIT_STACK (maximum size of the process stack). Sensible values are heavily system dependent.</p>
     </option>
 
-    <option>
-      <p><opt>rlimit-nproc=</opt> Value for RLIMIT_NPROC (number of process of user). avahi-daemon forks of a helper process on systems where <manref name="chroot" section="2"/> is available. Therefore this value should not be set below 2.</p>
-    </option>
-
+		<option>
+			<p><opt>rlimit-nproc=</opt> Value for RLIMIT_NPROC (max number of
+				processes a user can launch). avahi-daemon forks of a helper process on
+				systems where <manref name="chroot" section="2"/> is available
+				therefore this value should not be set below 2. Note that while the
+				process limit only applies to this process, the total count of
+				processes to reach that limit includes all processes on the system with
+				the same UID, including any containers without UID remapping (such as
+				lxd containers with security.privileged=true).  The default
+				configuration of 3 was removed to prevent problems in this
+				scenario.</p>
+		</option>
   </section>
 
   <section name="Authors">