[Dovecot] cgroup support

Timo Sirainen tss at iki.fi
Tue Feb 1 17:04:46 EET 2011


On 1.2.2011, at 9.44, Andreas Pelme wrote:

> On 31 jan 2011, at 15:07, Timo Sirainen wrote:
>> With v2.0 the imap and post-login processes are both created by the dovecot process. So no parent-child relationship between them.
> 
> Would it be possible to specify an alternative mail_executable that wraps the imap/pop processes?

Maybe.

> I.e. something like:
> 
> protocol imap { mail_executable = cgroup_wrapper.sh }
> 
> cgroup_wrapper.sh:
> #!/bin/sh
> echo $$ > /cgroup/foo/bar/tasks
> exec /usr/libexec/dovecot/imap "$@"
> 
> Are the privileges dropped before mail_executable is called, or is it done in the mail_executable itself?

If you have virtual users, you can do:

service imap {
  executable = cgroup_wrapper.sh
  user = vmail
  drop_priv_before_exec = yes
}

With system users you can't do that.
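
An added example, not part of the original thread and not Dovecot's own code: a version of the cgroup_wrapper.sh quoted above that refuses to start imap when the cgroup join fails, so a permissions mistake cannot leave the process running outside its cgroup. The two paths are the ones quoted in the thread; the join_cgroup helper, the fail-closed behaviour and the `$0` name guard are assumptions of this example.

```shell
#!/bin/sh
# Added example: fail-closed cgroup wrapper for the "service imap" block above.
# Paths are taken from the thread; adjust to the local cgroup layout.
TASKS_FILE=/cgroup/foo/bar/tasks
IMAP_BIN=/usr/libexec/dovecot/imap

# join_cgroup TASKS_FILE PID   (hypothetical helper)
# Writes PID into the cgroup tasks file and confirms it is listed afterwards.
# Returns non-zero on any failure so the caller can refuse to start.
join_cgroup() {
    tasks=$1
    pid=$2
    # With drop_priv_before_exec = yes the wrapper already runs as the
    # unprivileged service user (vmail in the thread), so that user needs
    # write access to the tasks file.
    if [ ! -w "$tasks" ]; then
        echo "cgroup_wrapper: $tasks is not writable" >&2
        return 1
    fi
    echo "$pid" > "$tasks" || return 1
    # Reading the tasks file back lists one PID per line.
    if ! grep -qx -- "$pid" "$tasks"; then
        echo "cgroup_wrapper: pid $pid not listed in $tasks" >&2
        return 1
    fi
}

main() {
    # Fail closed: never start imap outside the cgroup.
    join_cgroup "$TASKS_FILE" "$$" || exit 1
    # exec keeps the same PID, so the imap process stays in the cgroup.
    # "$@" passes the arguments through without word splitting.
    exec "$IMAP_BIN" "$@"
}

# Run only when invoked under the wrapper's own name, so the functions can
# be sourced for testing without starting imap.
case "$0" in
    *cgroup_wrapper.sh) main "$@" ;;
esac
```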

