On Wed, 16 Mar 2016 at 14:11:12 +0100, Harald Dunkel wrote:
> dbus[191]: [system] Connection has not authenticated soon enough, closing it
> (auth_timeout=30000ms, elapsed: 30000ms)

That's the system bus (per machine, VM or container).

> Problem is: auth_timeout is configured as 240 secs:
>
> # grep -r auth_timeout /etc/dbus-1
> /etc/dbus-1/session.conf: <limit name="auth_timeout">240000</limit>

That's the session bus (per user login session), which is different.

> So I wonder where the 30secs come from?

It's the hard-coded default in dbus-daemon. The hard-coded defaults are
intended to be sensible, conservative values; the system bus mostly doesn't
override them, while the session bus (which is not a security boundary on
mainstream systems) overrides them to something really large.

> How can I increase the
> timeout to enable booting a handful of LXC containers in parallel?

Create /etc/dbus-1/system-local.conf containing:

    <busconfig>
      <limit name="auth_timeout">123456</limit>
    </busconfig>

The value is in milliseconds, adjust as required.

How many LXC containers are you booting, on what hardware, and what service
is connecting to the system bus and getting rejected?

It would be better if you could avoid having to raise this limit too high.
The limit was added to resolve CVE-2014-3639, a denial of service
vulnerability: with a high or infinite authentication timeout, a uid (let's
say alice) can prevent another uid (let's say bob) from connecting to the
system bus, by opening enough connections to fill all the unauthenticated
connection slots (by default 64 connections) and not making any attempt to
authenticate themselves.

You might be able to mitigate this by increasing the
max_incomplete_connections limit. By default the system dbus-daemon will
support up to 64 incomplete (unauthenticated) connections, up to 256
authenticated connections per uid (max_connections_per_user), and up to 2048
authenticated connections in total (max_completed_connections).

In general we can't tell whose a connection is until it has authenticated,
but on Linux with the default system bus configuration we can, so in newer
upstream versions we might be able to mitigate this sort of thing by making
uid 0 immune to these limits. Would that solve this for you?

    S
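The following is an added example, not part of the original message and not dbus code: it overlays <limit> elements from busconfig files on the hard-coded defaults quoted above, showing why the grep hit in session.conf does not change the system bus, and flags a raised auth_timeout. The sample file contents, the function names and the 60000 ms review threshold are assumptions, and <include> directives are not followed (files are passed in the order they would apply).

```python
import xml.etree.ElementTree as ET

# Hard-coded dbus-daemon defaults, as quoted in the message above.
DEFAULTS = {"auth_timeout": 30000,  # milliseconds
            "max_incomplete_connections": 64,
            "max_connections_per_user": 256,
            "max_completed_connections": 2048}

# Constructed sample files (not copied from a real system).
SYSTEM_CONF = "<busconfig><type>system</type></busconfig>"
SESSION_CONF = """<busconfig><type>session</type>
  <limit name="auth_timeout">240000</limit></busconfig>"""
SYSTEM_LOCAL_CONF = """<busconfig>
  <limit name="auth_timeout">123456</limit>
</busconfig>"""

def effective_limits(config_texts):
    """Overlay <limit> elements on the defaults; later files win."""
    limits = dict(DEFAULTS)
    for text in config_texts:
        root = ET.fromstring(text)
        if root.tag != "busconfig":
            raise ValueError("not a busconfig document: <%s>" % root.tag)
        for el in root.iter("limit"):
            name, value = el.get("name"), (el.text or "").strip()
            if not name or not value.isdigit():
                raise ValueError("malformed <limit>: %r=%r" % (name, value))
            limits[name] = int(value)
    return limits

def review(limits, max_auth_timeout_ms=60000):  # hypothetical policy threshold
    """Return warnings about limits that widen the CVE-2014-3639 window."""
    slots, timeout = limits["max_incomplete_connections"], limits["auth_timeout"]
    findings = []
    if timeout > max_auth_timeout_ms:
        findings.append("auth_timeout=%dms: each of the %d unauthenticated slots "
                        "can stay occupied for up to %.0fs"
                        % (timeout, slots, timeout / 1000))
    if slots < DEFAULTS["max_incomplete_connections"]:
        findings.append("max_incomplete_connections=%d is below the default" % slots)
    return findings

if __name__ == "__main__":
    for label, files in [("system bus, stock", [SYSTEM_CONF]),
                         ("system bus + system-local.conf", [SYSTEM_CONF, SYSTEM_LOCAL_CONF]),
                         ("session bus", [SESSION_CONF])]:
        print(label, effective_limits(files)["auth_timeout"])
    print(review(effective_limits([SYSTEM_CONF, SYSTEM_LOCAL_CONF])))
```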