avahi-daemon fails to start inside unpriviledged lxd container

[iteco]

I used plain ubuntu 16.04 server to make lxd containers (lxc launch ubuntu:16.04 ) where I installed lxde. First container was working fine, but in second I got problems with avahi, "apt install lxde" ended to following errors. It can be also reproduced this way.

Errors were encountered while processing:
 avahi-daemon
 avahi-utils
 libnss-mdns:amd64
E: Sub-process /usr/bin/dpkg returned an error code (1)

Digging deeper revealed that
chroot.c: fork() failed: Resource temporarily unavailable
avahi-daemon: failed to start chroot() helper daemon.

As described also in
https://lists.linuxcontainers.org/pipermail/lxc-users/2016-January/010791.html
https://bugzilla.redhat.com/show_bug.cgi?id=1203731

I looked around and found similar issue
lxc/lxc#25
but it was closed four years ago as there was not enough information.. however, it looks to be still referenced and updated frequently. Will it be solved and closed (again) one day(?)

I also found
https://bugs.launchpad.net/maas/+bug/1661869 (comment#1)
but from there I understand the it should work on unprivileged containers (what I am using), so I am taking this up here.

Should it work ?
If not, why processes of one guest will limit process of other guest ?
(I have thought that unprivileged containers isolated from each others)

--
I looked also a work-a-round for this issue, and finding out bit more about rlimit-nproc value

avahi/avahi#97
says that nproc limit is for security and perhaps not so useful there either

https://blog.dbi-services.com/linux-how-to-monitor-the-nproc-limit-1/
recommends to set nproc value to 16K for oracle server

https://loune.net/2011/02/avahi-setrlimit-nproc-and-lxc/
and this says to remove the limit fully

I ended up setting nproc value (/etc/avahi/avahi-daemon.conf) in lxd guests from 3 to 30 and managed to get my avahi working.

I wrote my work-a-round here in case it would help somebody else, and also in the hope that somebody that would understand more about the issue could comment that is this a solid workaround.

--
Used environment on host
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial

lxc info
driver: lxc
driverversion: 2.0.7
kernel: Linux
kernelarchitecture: x86_64
kernelversion: 4.4.0-62-generic
server: lxd
serverversion: 2.0.9

[ardevd]

So all you did was set the nproc value to 30? I did just that but still cant start the avahi-daemon.

[stgraber]

rlimits as used by systemd are tied to kernel uid/gid and aren't namespace aware, so they do cross container boundary and affect other containers, whether those containers are privileged or not.

One way around the problem is to tell avahi not to set the rlimit.

Another way around the problem is to have a different uid/gid allocation per container which with LXD is done by first increasing the id range in /etc/subuid and /etc/subgid, then restart the LXD daemon and lastly setting the security.idmap.isolated property to true.

Each container will then get their own 65536 non-overlapping uid and gid, effectively making rlimits tied to a given container.

[stgraber]

The reason why people think that avahi will work in an unprivileged container is because unprivileged containers use a different id range from the host.

So out of the box, you can have avahi running on the host and in ONE unprivileged container. But if running more than one unprivileged container, you'll run into the problem unless you're using security.idmap.isolated.