[avahi] Avahi daemon doesn't work inside an unprivileged container
lathiat at bur.st
Tue Mar 31 20:25:00 PDT 2015
Can you tell me what value of cred->uid you are actually getting inside these containers? I wonder if somehow you are getting the unmapped value.
I assume that inside the container running “Id” shows 0, but outside the container you see it remapped to another id?
If you can confirm the lxc version, and possibly supply a config (or as much info as possible) I can reproduce with, that would be great.
> On 6 Feb 2015, at 4:23 pm, Yann Soubeyrand <ysoubeyrand at adeneo-embedded.com> wrote:
> Avahi daemon doesn't work inside an unprivileged container, more
> precisely inside a container where the uid 0 is mapped to an uid other
> than 0.
> I identified the line where the problem occurs in the Avahi sources:
> I don't know if it's a bug of Avahi or if it's a bug inside the kernel.
> My guess is that it's the latter one but I'm not sure. I think that the
> kernel passes the credentials mapped to zero when it's the sender of the
> message whereas it should pass all zero credentials in this case. But I
> didn't read the code of netlink and it's purely speculation. Also, I
> wonder if it could not introduce security flaws doing so.
> Feel free to ask me if you need further information or if you need me to
> be clearer in my explanations ;-)
> I'm using Debian Sid as my host system (I tried 3.16 and 3.18 kernels)
> and Ubuntu Vivid inside my container.
> Yann Soubeyrand
> avahi mailing list
> avahi at lists.freedesktop.org
More information about the avahi