[lxc-devel] Running avahi in multiple containers: fork() failed: Resource temporarily unavailable

Matthijs Kooijman matthijs at stdin.nl
Mon Apr 30 15:36:19 UTC 2012


Hi folks,

I'm trying to run the avahi daemon in my containers, but I'm running
into this error:

    fork() failed: Resource temporarily unavailable

Avahi starts fine in the first container, but any subsequent
starting attempts result in the above error.

This issue was raised before on lxc-users mailing list [1], where Serge
E. Hallyn said [2]:

> Hmm, you'll need to unshare the user namespace.  Try adding
> CLONE_NEWUSER to the list assigned to clone_flags at
> lxc/src/lxc/start.c line 353.

[1]: http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg00219.html
[2]: http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg00220.html

I've been running with this change on top of 0.7 for a while without
problems. I just upgraded to 0.8.0~rc1 and ran into this problem again:
Apparently this change did not make it into the git repository yet.

Is this intentional, or was this just an oversight? I can imagine
Serge's suggestion to be a crude fix that should not become the default,
but my lxc-fu is not big enough to really tell :-)

I also tried to add this change to 0.8.0-rc2, but ran into a new
problem. Running lxc-start with the patch below now says:

    lxc-start: Operation not permitted - failed to remove CAP_SYS_BOOT capability

Perhaps unsharing the user namespace removes permission to remove
CAP_SYS_BOOT?

In any case, I'd like to have some way to be able to run avahi in my
containers, without having to locally patch my lxc binaries... Is there
any path forward?

Here's the patch against 0.8.0~rc2 I tried:

--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -538,7 +538,7 @@ int lxc_spawn(struct lxc_handler *handler)
        if (lxc_sync_init(handler))
                return -1;
 
-       clone_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS;
+       clone_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWUSER;
        if (!lxc_list_empty(&handler->conf->network)) {
 
                clone_flags |= CLONE_NEWNET;
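
Review bot: CLONE_NEWUSER is ORed into the clone_flags assignment unconditionally, so every container started through lxc_spawn() gets a new user namespace whether or not its configuration asks for one. The CLONE_NEWNET line directly below is gated on handler->conf->network being non-empty; this flag should be gated on a container configuration setting in the same way instead of becoming the default. Nothing in the hunk touches id mapping for the new namespace or the later capability-dropping step, which fits the "failed to remove CAP_SYS_BOOT capability" error reported above, so those code paths need to be reviewed and adjusted together with this change.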


Gr.

Matthijs
