[Lxc-users] setrlimit(3) and containers
Serge E. Hallyn
serue at us.ibm.com
Thu Apr 1 14:47:33 UTC 2010
Quoting Mikhail Gusarov (dottedmag at dottedmag.net):
> Hello.
>
> I have tried to run two containers with avahi-daemon in each. First
> avahi-daemon starts fine, while second fails with
>
> # /usr/sbin/avahi-daemon
> Found user 'avahi' (UID 103) and group 'avahi' (GID 105).
> Successfully dropped root privileges.
> chroot.c: fork() failed: Resource temporarily unavailable
> failed to start chroot() helper daemon.
> cf-slave1:~#
>
> After some thinking and strace'ing I figured out that the following is
> the cause:
>
> cf-slave1:~# strace /usr/sbin/avahi-daemon
> ...
> setresuid32(103, 103, 103) = 0
> ...
> setrlimit(RLIMIT_NPROC, {rlim_cur=3, rlim_max=3}) = 0
> ...
> clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb761d908) = -1 EAGAIN (Resource temporarily unavailable)
> ...
> #
>
> Here process drops root privileges, setuids to uid=103 and limits itself
> to 3 processes with this uid. Clone fails due to fact there are two
> processes with uid=103 running in another container.
>
> Is it a known limitation, or maybe this is already handled in newer
> kernels? (I use 2.6.32)
Hmm, you'll need to unshare the user namespace. Try adding
CLONE_NEWUSER to the list assigned to clone_flags at
lxc/src/lxc/start.c line 353.
-serge
More information about the lxc-users
mailing list