
Remove default rlimit-nproc=3

By default, avahi-daemon.conf configures rlimit-nproc=3 to limit the
number of processes running to 3.  In some cases, this would prevent
avahi from starting within a container.

It is presumed this was an attempt to limit attack vectors or Denial of
Service potential of an exploited bug in Avahi.

A problem arises (avahi fails to launch) when the same UID is re-used on
the system, such as containers without UID remapping also running avahi.
In particular, setting security.privileged=true on LXD containers causes
this behavior and avahi will fail to launch in containers because the
total number of processes under the avahi UID on the system exceeds 3.

We comment out the default rlimit-nproc=3 setting from avahi-daemon.conf
and update the relevant manpage with this information. (Closes: #97)

References:
https://bugs.launchpad.net/maas/+bug/1661869
https://lists.linuxcontainers.org/pipermail/lxc-users/2016-January/010791.html
lxc/lxc#25
lathiat committed Feb 5, 2017
1 parent 98b881d commit 537371c786479f44882ece3d905a0e5ccda4f0a2
Showing with 13 additions and 5 deletions.
  1. +1 −1 avahi-daemon/avahi-daemon.conf
  2. +12 −4 man/avahi-daemon.conf.5.xml.in
@@ -65,4 +65,4 @@ rlimit-data=4194304
rlimit-fsize=0
rlimit-nofile=768
rlimit-stack=4194304
rlimit-nproc=3
#rlimit-nproc=3
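Review bot: The limit is disabled by turning `rlimit-nproc=3` into `#rlimit-nproc=3` with no accompanying comment in avahi-daemon.conf, so a reader of the file cannot tell why this one setting is off while rlimit-data, rlimit-fsize, rlimit-nofile and rlimit-stack stay active. Add a short comment above the line that points at the shared-UID problem described in the man page. Since the commit message itself presumes the limit was a hardening measure, the comment should also say that it can be re-enabled on hosts where the avahi UID is not shared with containers.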
@@ -360,10 +360,18 @@
<p><opt>rlimit-stack=</opt> Value in bytes for RLIMIT_STACK (maximum size of the process stack). Sensible values are heavily system dependent.</p>
</option>

<option>
<p><opt>rlimit-nproc=</opt> Value for RLIMIT_NPROC (number of process of user). avahi-daemon forks of a helper process on systems where <manref name="chroot" section="2"/> is available. Therefore this value should not be set below 2.</p>
</option>

<option>
<p><opt>rlimit-nproc=</opt> Value for RLIMIT_NPROC (max number of
processes a user can launch). avahi-daemon forks of a helper process on
systems where <manref name="chroot" section="2"/> is available
therefore this value should not be set below 2. Note that while the
process limit only applies to this process, the total count of
processes to reach that limit includes all processes on the system with
the same UID, including any containers without UID remapping (such as
lxd containers with security.privileged=true). The default
configuration of 3 was removed to prevent problems in this
scenario.</p>
</option>
</section>

<section name="Authors">
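Review bot: The rewritten rlimit-nproc paragraph keeps the typo "forks of a helper process" (should be "forks off") and loses the sentence break before "therefore", so "is available therefore this value" now runs on; restore the period or add a comma. The closing sentence says the default of 3 "was removed", while the shipped avahi-daemon.conf keeps it as a commented-out line. Consider wording it as "is no longer enabled by default" and noting that the option can still be set where the UID is not shared, so administrators know the limit remains available.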
