avahi-daemon fails to start inside debian squeeze lxc container #25
Comments
Since there is a fork you might want to consider to use "strace -f".
Agreed, without -f it's impossible to know exactly what failed.
Closing, no response in over two months.
avahi's error is misleading. Here is the failure according to strace: clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f2419774a10) = -1 EAGAIN (Resource temporarily unavailable)
When I hack avahi-daemon/caps.c to keep CAP_SYS_RESOURCE, then avahi works. I can't yet explain why this only happens in a container.
Ok, the reason it fails is that avahi user in the container is the same as a uid already in use on the host. avahi is very strict about setting limit for number of tasks to precisely what it wants. So in my case, it was set to 104, which was ntp on the host, and ntpd was already running. I changed the container avahi's userid to 99104, did chown -R avahi /var/run/avahi-daemon (I guess not necessary) and rebooted. Then avahi came up.
So I'm not sure how best to fix this. There's no way for the container to know what uids won't be in use on the host or another container. The best it could do would be to check whether any tasks are currently running as the uid. We could globally assign a unique uid for avahi - but then avahi in multiple containers will fail. We could hack avahi to be more lenient, allowing, say, 100 tasks. We could make avahi more verbose when it fails this way, so at least the user can try again with a new uid.
So the simplest way to fix this, I would think, for automated installations, would be to do something like x=$((9000 + RANDOM % 1000)) before installing avahi-daemon.
To be clear, the only real solution to this is to run the container in a user namespace.
One other trivial workaround is to remove 'rlimit-nproc = 3' from /etc/avahi/avahi-daemon.conf
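The per-UID task accounting discussed in the comments above can be checked from the host. The following is an added example, not part of the thread and not code from avahi or lxc: it counts tasks per real UID from /proc and compares the count with the active rlimit-nproc value in avahi-daemon.conf; the function names are made up for this illustration. It assumes it runs where /proc shows every container's tasks (the host), since a container's own /proc only lists its own processes.

```python
import os
import re

def nproc_limit(conf_text):
    """Return the active rlimit-nproc value, or None if absent or commented out."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.fullmatch(r"rlimit-nproc\s*=\s*(\d+)", line)
        if m:
            return int(m.group(1))
    return None

def tasks_for_uid(uid, proc_root="/proc"):
    """Count tasks (threads included) whose real UID is `uid`."""
    total = 0
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                fields = dict(l.split(":", 1) for l in fh if ":" in l)
        except OSError:
            continue                                  # process exited during the scan
        if int(fields["Uid"].split()[0]) == uid:      # first Uid field is the real UID
            total += int(fields.get("Threads", "1"))
    return total

def headroom(uid, conf_text, proc_root="/proc"):
    """Tasks `uid` may still create before fork()/clone() returns EAGAIN.

    The kernel refuses the fork once the UID's task count reaches RLIMIT_NPROC,
    unless the caller holds CAP_SYS_RESOURCE or CAP_SYS_ADMIN.
    """
    limit = nproc_limit(conf_text)
    return None if limit is None else max(0, limit - tasks_for_uid(uid, proc_root))

if __name__ == "__main__":
    import sys
    uid, conf_path = int(sys.argv[1]), sys.argv[2]    # e.g. 104 and the container's avahi-daemon.conf
    with open(conf_path) as fh:
        print("tasks:", tasks_for_uid(uid), "headroom:", headroom(uid, fh.read()))
```

A headroom of `None` means no limit is configured; a small or zero headroom for the container's avahi UID means tasks outside the container already count against the daemon's limit.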
introduce CloneOptions
It seems as if the uid used by avahi conflicts with the uids used on the docker host. This fix was applied in this bugreport: lxc/lxc#25 It seemed to solve the problem for me
It sometimes fails to run avahi with error: "Could not receive return value from daemon process". It has same root cause with lxc/lxc#25. Backport patch to fix this issue. Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
It sometimes fails to run avahi with error: "Could not receive return value from daemon process". It has same root cause with lxc/lxc#25. Backport patch to fix this issue. (From OE-core rev: a901956968127b2eb5911d7b91f44fca46e30b25) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Add libcap dependency Fix rlimit-related issue: see lxc/lxc#25 (comment)
By default, avahi-daemon.conf configures rlimit-nproc=3 to limit the number of processes running to 3. In some cases, this would prevent avahi from starting within a container. It is presumed this was an attempt to limit attack vectors or Denial of Service potential of an exploited bug in Avahi. A problem arises (avahi fails to launch) when the same UID is re-used on the system, such as containers without UID remapping also running avahi. In particular, setting security.privileged=true on LXD containers causes this behavior and avahi will fail to launch in containers because the total number of processes under the avahi UID on the system exceeds 3. We comment out the default rlimit-nproc=3 setting from avahi-daemon.conf and update the relevant manpage with this information. (Closes: #51) References: https://bugs.launchpad.net/maas/+bug/1661869 https://lists.linuxcontainers.org/pipermail/lxc-users/2016-January/010791.html lxc/lxc#25
By default, avahi-daemon.conf configures rlimit-nproc=3 to limit the number of processes running to 3. In some cases, this would prevent avahi from starting within a container. It is presumed this was an attempt to limit attack vectors or Denial of Service potential of an exploited bug in Avahi. A problem arises (avahi fails to launch) when the same UID is re-used on the system, such as containers without UID remapping also running avahi. In particular, setting security.privileged=true on LXD containers causes this behavior and avahi will fail to launch in containers because the total number of processes under the avahi UID on the system exceeds 3. We comment out the default rlimit-nproc=3 setting from avahi-daemon.conf and update the relevant manpage with this information. (Closes: #97) References: https://bugs.launchpad.net/maas/+bug/1661869 https://lists.linuxcontainers.org/pipermail/lxc-users/2016-January/010791.html lxc/lxc#25
FWIW, I've adapted this to something that's guaranteed not to conflict by creating a user on the host system first: $ sudo useradd -r avahi-$LXC_NAME # rely on -r to provide a unique UID in 0-1000 range and not create a homedir...
without it we hit lxc/lxc#25 and most particularly avahi/avahi#97 Signed-off-by: Niv Sardi <xaiki@evilgiggle.com>
You're right, this fixes the issue!
It sometimes fails to run avahi with error: "Could not receive return value from daemon process". It has same root cause with lxc/lxc#25. Backport patch to fix this issue. (From OE-Core rev: a901956968127b2eb5911d7b91f44fca46e30b25) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Inside ubuntu containers avahi-daemon starts correctly. Inside real squeeze VMs avahi-daemon also starts correctly. My host is Ubuntu 12.04.
Here is strace output: