I can't get bind-mounting to work.
But there is another solution:
1. On the host, pulseaudio needs to load the modules esound-protocol-tcp and (or?) native-protocol-tcp and specify the IP address or auth-anonymous=1. I added this to default.pa.
2. On the client, set PULSE_SERVER=xxx.xxx.xxx.xxx:4713, where xxx.xxx.xxx.xxx is the IP address of the host. You can add this to the configuration file too, by the way. I think the directive is 'default-server = ...
3. On the host, make sure hosts.allow contains 'ALL: yyy.yyy.yyy.yyy
', where yyy.yyy.yyy.yyy is the IP address of the LXC container. (Otherwise it will say "connection refused by tcpwrap".)
4. The firewall on the host needs to allow the incoming connection. Shorewall does not do this by default if you used the templates, so you have to add an exception in the rules file: 'ACCEPT net:<ip of client> $FW
'; or however your firewall is configured.
Then the client (LXC) will send audio via the network to the host's pulseaudio server.
However, because the pulseaudio server keeps crashing all the time (and the host will not restart it when the client sends a request), I wrote a script that restarts it whenever it dies:
pulseaudio > /dev/null 2> /dev/null
Yeah, I know... but it works.
(I added a counter to that script, by the way, and it crashes / terminates about 30 times per hour for some reason that I haven't figured out yet. It just says 'terminated' when I run pulseaudio with '-vv
Oh, I nearly forgot: when you start the pulseaudio server on the host, a cookie file is created somewhere (~/.config/pulse/cookie, ~/.pulse/cookie or ~/.pulse_cookie). You must copy this cookie file to the user's home directory in the LXC container so that the client and the host have the same cookie. The client's home directory is /var/lib/lxc/<container>/rootfs/home/<user>/ -- copy as root and chown it.
Also, I added the users to the following groups, but some of them may not be needed: audio, pulse, pulse-access.