User namespaces in recent kernels will probably not be usable for containers. Eric is heavily developing them right now, and hopefully in the next 6-12 months they'll be fully supported.
So if you can't run an older kernel, I guess I'd recommend running a custom avahi package without the 3-task limit (and without using user namespaces).

-serge

Quoting Matthijs Kooijman (matth...@stdin.nl):
> Hi folks,
>
> I'm trying to run the avahi daemon in my containers, but I'm running
> into this error:
>
> fork() failed: Resource temporarily unavailable
>
> Avahi starts fine in the first container, but any subsequent start
> attempts result in the above error.
>
> This issue was raised before on the lxc-users mailing list [1], where Serge
> E. Hallyn said [2]:
>
> > Hmm, you'll need to unshare the user namespace. Try adding
> > CLONE_NEWUSER to the list assigned to clone_flags at
> > lxc/src/lxc/start.c line 353.
>
> [1]: http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg00219.html
> [2]: http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg00220.html
>
> I've been running with this change on top of 0.7 for a while without
> problems. I just upgraded to 0.8.0~rc1 and ran into this problem again:
> apparently this change did not make it into the git repository yet.
>
> Is this intentional, or was this just an oversight? I can imagine
> Serge's suggestion to be a crude fix that should not become the default,
> but my lxc-fu is not big enough to really tell :-)
>
> I also tried to add this change to 0.8.0-rc2, but ran into a new
> problem. Running lxc-start with the patch below now says:
>
> lxc-start: Operation not permitted - failed to remove CAP_SYS_BOOT
> capability
>
> Perhaps unsharing the user namespace removes permission to remove
> CAP_SYS_BOOT?
>
> In any case, I'd like to have some way to be able to run avahi in my
> containers, without having to locally patch my lxc binaries... Is there
> any path forward?
>
> Here's the patch against 0.8.0~rc2 I tried:
>
> --- a/src/lxc/start.c
> +++ b/src/lxc/start.c
> @@ -538,7 +538,7 @@ int lxc_spawn(struct lxc_handler *handler)
> if (lxc_sync_init(handler))
> return -1;
>
> - clone_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS;
> + clone_flags =
> CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWUSER;
> if (!lxc_list_empty(&handler->conf->network)) {
>
> clone_flags |= CLONE_NEWNET;
>
>
> Gr.
>
> Matthijs
>
> _______________________________________________
> Lxc-devel mailing list
> Lxc-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-devel
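Review bot: the `+` line in the lxc_spawn() hunk adds CLONE_NEWUSER to clone_flags unconditionally, so every container gets a fresh user namespace whether or not its configuration asks for one; the trailing context shows this function already gates CLONE_NEWNET on handler->conf (`if (!lxc_list_empty(&handler->conf->network))`), so the new flag should be gated on a per-container configuration option the same way rather than hard-coded, especially since the same mail reports that the patched binary then fails with "lxc-start: Operation not permitted - failed to remove CAP_SYS_BOOT capability" and the reply describes kernel user-namespace support as still under development. Also, the `+` line is wrapped onto two quoted lines (`clone_flags =` / `CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWUSER;`), so the patch as pasted will not apply cleanly; resend with the assignment on one line, as in the `-` line it replaces.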
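Serge's workaround (run avahi without its 3-task limit rather than rely on user namespaces) can be done by editing the daemon's configuration instead of rebuilding the package. The script below is an added example, not code from this thread or from the lxc or avahi projects. It assumes, which the thread does not state, that the limit in question is avahi-daemon's own setrlimit(RLIMIT_NPROC) call driven by the `rlimit-nproc=3` key in the `[rlimits]` section of avahi-daemon.conf, and that the file lives at the conventional path `/etc/avahi/avahi-daemon.conf`. The reason the limit bites only from the second container onward is that RLIMIT_NPROC is enforced per real uid; without a separate user namespace every container's avahi user is the same uid, so the first container's avahi-daemon processes already count against the limit that the second one sets for itself.

```shell
#!/bin/sh
# Added example, not code from the thread or from lxc/avahi.
# Assumption: the "3-task limit" is avahi-daemon's setrlimit(RLIMIT_NPROC)
# call, driven by "rlimit-nproc=3" in the [rlimits] section of
# avahi-daemon.conf; the path below is the conventional one and may differ.
AVAHI_CONF="${AVAHI_CONF:-/etc/avahi/avahi-daemon.conf}"

# Print the active (uncommented) rlimit-nproc value from a config file,
# or "none" if the daemon would not apply an NPROC limit at all.
active_nproc_limit() {
    val=$(sed -n 's/^[[:space:]]*rlimit-nproc[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${val:-none}"
}

# Comment out every active rlimit-nproc line in place, keeping a copy of
# the original beside it. Only that key is touched; the other [rlimits]
# entries (core, nofile, ...) are left as shipped.
strip_nproc_limit() {
    conf="$1"
    cp -p "$conf" "$conf.orig" || return 1
    sed 's/^\([[:space:]]*rlimit-nproc[[:space:]]*=.*\)$/#\1/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Stand-alone demo on a constructed config (not a real system file), so the
# script can be run without touching /etc.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
[server]
use-ipv4=yes

[rlimits]
rlimit-core=0
rlimit-nofile=768
rlimit-nproc=3
EOF
    echo "before: rlimit-nproc=$(active_nproc_limit "$tmp")"
    strip_nproc_limit "$tmp"
    echo "after:  rlimit-nproc=$(active_nproc_limit "$tmp")"
    rm -f "$tmp" "$tmp.orig"
}

# Real use: strip_nproc_limit "$AVAHI_CONF" inside each container, restart
# avahi-daemon there, then confirm with:  grep 'Max processes' /proc/<pid>/limits
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `--demo` to see the constructed config before and after; for a real container, point `AVAHI_CONF` at the container's copy of the file. After restarting the daemon, the "Max processes" line in `/proc/<pid>/limits` for the avahi-daemon process should no longer read 3, and the value shown is whatever the container's init inherited from lxc-start.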