diff -Nru avahi-0.6.32/debian/changelog avahi-0.6.32/debian/changelog --- avahi-0.6.32/debian/changelog 2016-07-04 09:28:53.000000000 -0400 +++ avahi-0.6.32/debian/changelog 2017-05-09 13:53:37.000000000 -0300 @@ -1,3 +1,13 @@ +avahi (0.6.32-1ubuntu2) artful; urgency=medium + + * d/p/0002-Remove-default-rlimit-nproc-3.patch, + 0003-Remove-default-rlimits-from-avahi-daemon.conf.patch: Patches from + upstream git to remove all overly restrictive default rlimit restrictions + in avahi-daemon.conf which can cause avahi to crash out of memory or fail + to start in some situations (Closes: #1638345, #1661869) + + -- Trent Lloyd Tue, 09 May 2017 13:53:37 -0300 + avahi (0.6.32-1ubuntu1) yakkety; urgency=medium * Merge from Debian unstable, remaining changes: diff -Nru avahi-0.6.32/debian/patches/0002-Remove-default-rlimit-nproc-3.patch avahi-0.6.32/debian/patches/0002-Remove-default-rlimit-nproc-3.patch --- avahi-0.6.32/debian/patches/0002-Remove-default-rlimit-nproc-3.patch 1969-12-31 21:00:00.000000000 -0300 +++ avahi-0.6.32/debian/patches/0002-Remove-default-rlimit-nproc-3.patch 2017-05-09 13:49:04.000000000 -0300 
@@ -0,0 +1,70 @@ +From 537371c786479f44882ece3d905a0e5ccda4f0a2 Mon Sep 17 00:00:00 2001 +From: Trent Lloyd +Date: Sun, 5 Feb 2017 17:53:26 +0800 +Subject: [PATCH 3/4] Remove default rlimit-nproc=3 + +By default, avahi-daemon.conf configures rlimit-nproc=3 to limit the +number of processes running to 3. In some cases, this would prevent +avahi from starting within a container. + +It is presumed this was an attempt to limit attack vectors or Denial of +Service potential of an exploited bug in Avahi. + +A problem arises (avahi fails to launch) when the same UID is re-used on +the system, such as containers without UID remapping also running avahi. +In particular, setting security.privileged=true on LXD containers causes +this behavior and avahi will fail to launch in containers because the +total number of processes under the avahi UID on the system exceeds 3. + +We comment out the default rlimit-nproc=3 setting from avahi-daemon.conf +and update the relevant manpage with this information. (Closes: #97) + +References: +https://bugs.launchpad.net/maas/+bug/1661869 +https://lists.linuxcontainers.org/pipermail/lxc-users/2016-January/010791.html +https://github.com/lxc/lxc/issues/25 +--- + avahi-daemon/avahi-daemon.conf | 2 +- + man/avahi-daemon.conf.5.xml.in | 16 ++++++++++++---- + 2 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/avahi-daemon/avahi-daemon.conf b/avahi-daemon/avahi-daemon.conf +index 95166f8..b13730d 100644 +--- a/avahi-daemon/avahi-daemon.conf ++++ b/avahi-daemon/avahi-daemon.conf +@@ -65,4 +65,4 @@ rlimit-data=4194304 + rlimit-fsize=0 + rlimit-nofile=768 + rlimit-stack=4194304 +-rlimit-nproc=3 ++#rlimit-nproc=3 +diff --git a/man/avahi-daemon.conf.5.xml.in b/man/avahi-daemon.conf.5.xml.in +index 2d15017..312ced9 100644 +--- a/man/avahi-daemon.conf.5.xml.in ++++ b/man/avahi-daemon.conf.5.xml.in +@@ -360,10 +360,18 @@ +

rlimit-stack= Value in bytes for RLIMIT_STACK (maximum size of the process stack). Sensible values are heavily system dependent.

+ + +- +- ++ + + +
+-- +2.11.0 + diff -Nru avahi-0.6.32/debian/patches/0003-Remove-default-rlimits-from-avahi-daemon.conf.patch avahi-0.6.32/debian/patches/0003-Remove-default-rlimits-from-avahi-daemon.conf.patch --- avahi-0.6.32/debian/patches/0003-Remove-default-rlimits-from-avahi-daemon.conf.patch 1969-12-31 21:00:00.000000000 -0300 +++ avahi-0.6.32/debian/patches/0003-Remove-default-rlimits-from-avahi-daemon.conf.patch 2017-05-09 13:49:04.000000000 -0300 
@@ -0,0 +1,47 @@ +From 71ace71504a97e8a15d202dc673939c7a92ea5e9 Mon Sep 17 00:00:00 2001 +From: Trent Lloyd +Date: Tue, 9 May 2017 13:42:54 -0300 +Subject: [PATCH 4/4] Remove default [rlimits] from avahi-daemon.conf + +A number of issues with the default restrictive ulimits have recently +arisen. Particularly the default data limit is being hit in some cases +and the process limit is being hit when multiple containers are in use +without UID mapping. + +We remove all default rlimits and leave it up to the distribution to +impose some limit with systemd if they really desire to do so, but are +not recommended at this stage. + +I also increase the example memory limits to double in case someone +wants to use them, as the existing limits are sometimes insufficient +(Closes: #113) + +References: +https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/1638345 +https://bugs.launchpad.net/maas/+bug/1661869 +--- + avahi-daemon/avahi-daemon.conf | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/avahi-daemon/avahi-daemon.conf b/avahi-daemon/avahi-daemon.conf +index b13730d..ff9a4c5 100644 +--- a/avahi-daemon/avahi-daemon.conf ++++ b/avahi-daemon/avahi-daemon.conf +@@ -60,9 +60,9 @@ publish-workstation=no + + [rlimits] + #rlimit-as= +-rlimit-core=0 +-rlimit-data=4194304 +-rlimit-fsize=0 +-rlimit-nofile=768 +-rlimit-stack=4194304 ++#rlimit-core=0 ++#rlimit-data=8388608 ++#rlimit-fsize=0 ++#rlimit-nofile=768 ++#rlimit-stack=8388608 + #rlimit-nproc=3 +-- +2.11.0 + diff -Nru avahi-0.6.32/debian/patches/series avahi-0.6.32/debian/patches/series --- avahi-0.6.32/debian/patches/series 2016-06-27 16:54:15.000000000 -0400 +++ avahi-0.6.32/debian/patches/series 2017-05-09 13:53:24.000000000 -0300 @@ -1 +1,3 @@ 0001-avahi-autoipd-fix-dhclient-hooks-to-check-for-avahi-.patch +0002-Remove-default-rlimit-nproc-3.patch +0003-Remove-default-rlimits-from-avahi-daemon.conf.patch
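Review bot: the new debian/changelog entry closes the bugs with "(Closes: #1638345, #1661869)", but the References lines in both patches show these are Launchpad bugs (bugs.launchpad.net/ubuntu/+source/avahi/+bug/1638345 and bugs.launchpad.net/maas/+bug/1661869). "Closes:" is the Debian BTS syntax, so as written the entry points at unrelated Debian bug numbers and will not close the Launchpad reports on upload. Suggest "(LP: #1638345, #1661869)" instead.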
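Review bot: in the avahi-daemon/avahi-daemon.conf hunk of 0002-Remove-default-rlimit-nproc-3.patch, "#rlimit-nproc=3" is left as a bare commented-out line with nothing in the file saying why. The reason is only in the commit message: RLIMIT_NPROC is counted per UID, so it trips when the avahi UID is shared with containers that have no UID remapping. A short comment above the setting stating that would keep an administrator from re-enabling it on such a host and hitting the same start failure. Separately, the changelog says the patch comes from upstream git, but the patch header carries no Origin or Bug-Ubuntu field; adding them would make the provenance checkable from debian/patches alone.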
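Review bot: the [rlimits] hunk of 0003-Remove-default-rlimits-from-avahi-daemon.conf.patch disables more than the commit message justifies. The message names only the data limit and the process limit as being hit, yet the hunk also comments out "rlimit-core=0", "rlimit-fsize=0", "rlimit-nofile=768" and "rlimit-stack". The core and fsize limits are hardening settings that neither referenced bug implicates, so either keep them active or say in the message why they have to go. The message also leaves limits "up to the distribution to impose ... with systemd", but this upload adds no such unit limits, so the daemon ships with none at all; the changelog should say so or a follow-up should add them. Finally, the data and stack values change from 4194304 to 8388608 on the same lines that comment them out, which hides the doubling; splitting that into its own change would make it reviewable.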