Control: tags -1 + moreinfo

On Tue, 09 Oct 2018 at 09:55:04 +0200, Harald Dunkel wrote:
> Apparently installing libnss-mdns on Stretch in a LXC container fails with
> a catch22:

Sorry, I don't understand why you say "a catch-22". Is there a reason why the absence of nss-mdns is preventing you from installing avahi-daemon?

From your logs, it looks to me as though the causality all goes one way: libnss-mdns depends on avahi-daemon, and installing avahi-daemon fails, so installing libnss-mdns also fails.

The failure to start avahi-daemon looks like #856311, which is fixed in testing/unstable but not stretch. The root cause was that avahi-daemon tries to lock down its environment to make it harder for bugs (or security vulnerabilities) in avahi-daemon to cause denial of service for the rest of the system; but it does this by reducing its "processes per uid" rlimit, and if the same uid is already in use for some other purpose on the host system or in another container, that breaks avahi-daemon's assumption that its private system uid is in fact private. In testing/unstable, the default avahi-daemon configuration was changed to not apply special rlimits as a workaround for that.

If you are able to configure lxc to use different uid ranges for the host system and for each container, that would avoid this bug, and also protect other containers and your host system better.

Leaving this assigned to libnss-mdns for now because your mention of a catch-22 makes me wonder whether there's something I'm missing.

Thanks,
smcv
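An added example, not part of the message above or of any Debian package: a small audit for the uid-range advice, which reads LXC container configs and reports containers that have no uid map (so their uids are the host's uids) and containers whose mapped host uid ranges intersect. The container names and config contents are constructed; `lxc.id_map` is the LXC 2.x spelling of the key and `lxc.idmap` the LXC 3.x one.

```python
import re

# lxc.id_map is the LXC 2.x key, lxc.idmap the LXC 3.x key; both take
# "<u|g> <first id in container> <first id on host> <count>".
IDMAP_RE = re.compile(r"^\s*lxc\.id_?map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def host_uid_ranges(config_text):
    """Host uid ranges (start, end), end exclusive, mapped by one container config."""
    ranges = []
    for line in config_text.splitlines():
        m = IDMAP_RE.match(line)
        if m and m.group(1) == "u":
            start, count = int(m.group(3)), int(m.group(4))
            ranges.append((start, start + count))
    return ranges

def audit(configs):
    """configs maps container name -> config text.
    Returns (unmapped, overlaps): containers with no uid map (their uids are
    the host's uids), and pairs of containers whose host uid ranges intersect."""
    mapped = {name: host_uid_ranges(text) for name, text in configs.items()}
    unmapped = sorted(n for n, r in mapped.items() if not r)
    overlaps = []
    names = sorted(n for n, r in mapped.items() if r)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for s1, e1 in mapped[a]:
                for s2, e2 in mapped[b]:
                    lo, hi = max(s1, s2), min(e1, e2)
                    if lo < hi:
                        overlaps.append((a, b, lo, hi))
    return unmapped, overlaps

# Constructed sample configs (not taken from the bug report).
SAMPLE = {
    "web": "lxc.id_map = u 0 100000 65536\nlxc.id_map = g 0 100000 65536\n",
    "db": "lxc.idmap = u 0 165536 65536\nlxc.idmap = g 0 165536 65536\n",
    "mail": "lxc.idmap = u 0 150000 65536\n",
    "legacy": "lxc.network.type = veth\n",
}

if __name__ == "__main__":
    unmapped, overlaps = audit(SAMPLE)
    for name in unmapped:
        print(f"{name}: no uid map, shares uids with the host")
    for a, b, lo, hi in overlaps:
        print(f"{a} and {b} share host uids {lo}..{hi - 1}")
```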