[Lxc-users] setrlimit(3) and containers

Serge E. Hallyn serue at us.ibm.com
Thu Apr 1 14:47:33 UTC 2010


Quoting Mikhail Gusarov (dottedmag at dottedmag.net):
> Hello.
> 
> I have tried to run two containers with avahi-daemon in each. First
> avahi-daemon starts fine, while second fails with
> 
> # /usr/sbin/avahi-daemon 
> Found user 'avahi' (UID 103) and group 'avahi' (GID 105).
> Successfully dropped root privileges.
> chroot.c: fork() failed: Resource temporarily unavailable
> failed to start chroot() helper daemon.
> cf-slave1:~# 
> 
> After some thinking and strace'ing I figured out that the following is
> the cause:
> 
> cf-slave1:~# strace /usr/sbin/avahi-daemon
> ...
> setresuid32(103, 103, 103)              = 0
> ...
> setrlimit(RLIMIT_NPROC, {rlim_cur=3, rlim_max=3}) = 0
> ...
> clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb761d908) = -1 EAGAIN (Resource temporarily unavailable)
> ...
> #
> 
> Here the process drops root privileges, setuids to uid=103 and limits itself
> to 3 processes with this uid. Clone fails due to the fact that there are two
> processes with uid=103 running in another container.
> 
> Is it a known limitation, or maybe this is already handled in newer
> kernels? (I use 2.6.32)

Hmm, you'll need to unshare the user namespace.  Try adding
CLONE_NEWUSER to the list assigned to clone_flags at
lxc/src/lxc/start.c line 353.

-serge
