[lxc-devel] "pre-start" hooks and avahi

Serge Hallyn serge.hallyn at ubuntu.com
Fri Jan 10 18:47:57 UTC 2014 

Avahi sets its own rlimit_nproc to be exactly the # tasks it will spawn
as its userid.  If the avahi user in the container is the same uid #
as something in use on the host, then there may already be running
tasks and so rlimit_nproc is enforced and avahi can't run.

If you use a user namespace this shouldn't be an issue (so long as
you don't share uid ranges between any containers).

Otherwise, you have to change the avahi code to check whether it is in a
container before setting rlimit_nproc.  There is a patch to work around
this in the ubuntu trusty package, at least, if you wnat an example of
how to do it.

-serge

Quoting Chris Glass (chris.glass at canonical.com):
> Hi all,
> 
> I'm currently hacking on a pre-start hook for the ubuntu and
> ubuntu-cloud templates that automatically makes ubuntu containers
> aware of squid-deb-proxy servers the host knows about.
> 
> For this, I assume the squid-deb-proxy-client package is installed on
> the host. If you're not familiar with this package: it's basically a
> custom squid config for deb files along with an avahi config to expose
> an _apt_proxy._tcp service pointing to the squid.
> I currently run a squid-deb-proxy in a container.
> 
> While running the avahi command on the host works fine (both as my
> user and as root), it fails when run from a pre-start script, and my
> knowledge of lxc is too limited to understand what could interfere
> with it.
> 
> The failure:
> Running "avahi-browse -kprt _apt_proxy._tcp" in a lxc.hook.pre-start
> hook fails with "Failed to create client object: Access denied". It
> succeeds when ran at a normal shell on the host.
> 
> A quick "whoami" in the same context yields "root", as expected, and
> switching to an unconfined apparmor profile does not change anything,
> so I suspect something more subtle is going on. How is the environment
> on "pre-start" hooks different?
> 
> Could somebody shed some light here?
> 
> Background:
> The reason for this is that I am a little frustrated to have to update
> my LXC container's apt proxy settings every time my squid-deb-proxy
> environment changes, and so this is an attempt at making this
> automatic. If you are curious and want to see it for yourself, have a
> look at [1], but please be aware that it's still work in progress.
> 
> Thanks a lot for your help,
> 
> - Chris
> 
> links:
> --------
> [1]: https://github.com/chrisglass/lxc/blob/make-lxc-squid-deb-proxy-aware/hooks/squid-deb-proxy-client
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

More information about the lxc-devel mailing list