[lxc-devel] Running avahi in multiple containers: fork() failed: Resource temporarily unavailable

Serge Hallyn serge.hallyn at canonical.com
Mon Apr 30 16:42:56 UTC 2012


User namespaces in recent kernels will probably not be usable for
containers.  Eric is heavily developing them right now, and hopefully
in the next 6-12 months they'll be fully supported.

So if you can't run an older kernel, I guess I'd recommend running a
custom avahi package without the 3-task limit (and without using
user namespaces).

-serge
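The 3-task limit mentioned above is avahi's `rlimit-nproc=3` setting, and RLIMIT_NPROC is accounted per kernel-side uid, so every container that shares the host's uid space adds its avahi tasks to the same count. The following is an added example for this thread (not lxc or avahi code) that parses that setting and shows, on constructed task lists and uid_map rows, which containers' avahi can still fork; the uid 105 and the container names are assumptions.

```python
import configparser
from collections import Counter

# Constructed excerpt of avahi-daemon.conf; rlimit-nproc=3 is avahi's shipped default.
AVAHI_CONF = """\
[rlimits]
rlimit-core=0
rlimit-nproc=3
"""

# Constructed uid_map rows per container, (inside, outside, count) as in
# /proc/PID/uid_map.  An empty list = no user namespace, i.e. host uids are shared.
UID_MAPS = {"host": [], "lxc-a": [], "lxc-b": [(0, 100000, 65536)]}

# Constructed task list, (container, uid as seen inside, comm); 105 = avahi user.
TASKS = [
    ("host", 105, "avahi-daemon"), ("host", 105, "avahi-daemon"),
    ("lxc-a", 105, "avahi-daemon"),
    ("lxc-b", 105, "avahi-daemon"), ("lxc-b", 105, "avahi-daemon"),
    ("host", 0, "init"),
]

def nproc_limit(conf_text):
    """rlimit-nproc from avahi-daemon.conf, or None when the key is absent."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    val = cp.get("rlimits", "rlimit-nproc", fallback=None)
    return int(val) if val is not None else None

def host_uid(container, uid):
    """Kernel-side uid the limit is accounted against, or None if unmapped."""
    rows = UID_MAPS[container]
    if not rows:
        return uid
    for inside, outside, count in rows:
        if inside <= uid < inside + count:
            return outside + (uid - inside)
    return None

def tasks_per_host_uid(tasks=TASKS):
    """RLIMIT_NPROC counts tasks per kernel uid, regardless of pid namespace."""
    return Counter(host_uid(c, uid) for c, uid, _comm in tasks)

def fork_allowed(container, uid, limit, tasks=TASKS):
    """fork() fails with EAGAIN once the uid's task count has reached the limit."""
    if limit is None:
        return True
    return tasks_per_host_uid(tasks)[host_uid(container, uid)] < limit

if __name__ == "__main__":
    limit = nproc_limit(AVAHI_CONF)
    for c in UID_MAPS:
        print(c, "avahi may fork:", fork_allowed(c, 105, limit))
```

With the sample data the host and lxc-a share the count for uid 105 and are already at 3, while lxc-b's avahi is accounted under uid 100105 and can still fork.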

Quoting Matthijs Kooijman (matthijs at stdin.nl):
> Hi folks,
> 
> I'm trying to run the avahi daemon in my containers, but I'm running
> into this error:
> 
>     fork() failed: Resource temporarily unavailable
> 
> Avahi starts fine in the first container, but any subsequent starting
> attempts result in the above error.
> 
> This issue was raised before on lxc-users mailing list [1], where Serge
> E. Hallyn said [2]:
> 
> > Hmm, you'll need to unshare the user namespace.  Try adding
> > CLONE_NEWUSER to the list assigned to clone_flags at
> > lxc/src/lxc/start.c line 353.
> 
> [1]: http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg00219.html
> [2]: http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg00220.html
> 
> I've been running with this one change on top of 0.7 for a while without
> problems. I just upgraded to 0.8.0~rc1 and ran into this problem again:
> Apparently this change did not make it into the git repository yet.
> 
> Is this intentional, or was this just an oversight? I can imagine
> Serge's suggestion to be a crude fix that should not become the default,
> but my lxc-fu is not big enough to really tell :-)
> 
> I also tried to add this change to 0.8.0-rc2, but ran into a new
> problem. Running lxc-start with the patch below now says:
> 
>     lxc-start: Operation not permitted - failed to remove CAP_SYS_BOOT capability
> 
> Perhaps unsharing the user namespace removes permission to remove
> CAP_SYS_BOOT?
> 
> In any case, I'd like to have some way to be able to run avahi in my
> containers, without having to locally patch my lxc binaries... Is there
> any path forward?
> 
> Here's the patch against 0.8.0~rc2 I tried:
> 
> --- a/src/lxc/start.c
> +++ b/src/lxc/start.c
> @@ -538,7 +538,7 @@ int lxc_spawn(struct lxc_handler *handler)
>         if (lxc_sync_init(handler))
>                 return -1;
>  
> -       clone_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS;
> +       clone_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWUSER;
>         if (!lxc_list_empty(&handler->conf->network)) {
>  
>                 clone_flags |= CLONE_NEWNET;
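Review bot: the hunk adds CLONE_NEWUSER unconditionally to clone_flags for every container, while the next lines show the existing pattern for optional namespaces (CLONE_NEWNET is only OR-ed in when `!lxc_list_empty(&handler->conf->network)`), and nothing else in the patch prepares the new user namespace, which fits the `failed to remove CAP_SYS_BOOT` error reported above for this build. If this is kept as a workaround at all, gate it on a config option instead of changing the default for all containers, and handle the capability-drop step for the user-namespace case; otherwise the custom avahi package without the 3-task limit suggested in the reply avoids touching start.c.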
> 
> 
> Gr.
> 
> Matthijs
> 




> _______________________________________________
> Lxc-devel mailing list
> Lxc-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-devel