Feb 03 13:27:19 aggregator: Fatal: chroot(/var/lib/dovecot/run/dovecot/.) failed: Operation not permitted

js at faudin.de js at faudin.de
Fri Feb 5 00:05:30 EET 2021


Found the reason. As always permission issues are permission issues.
In this case, I had run dovecot in a Docker container as uid:vmail, gid:root in order to prepare it for an OpenShift port (which seems to require gid 0).
But RESTRICT_ACCESS_FLAG_ALLOW_ROOT seems to force the aggregator to run as root when gid=0, and getting root is not possible in this Docker installation, which is why the chroot() call above fails with "Operation not permitted".
After running dovecot as vmail:vmail (1001:1001), the replication started.

It will be interesting to see the kubernetes/openshift implications. 
Best wishes!

3. Februar 2021 13:45, "Jörg Faudin Schulz" <js at faudin.de> schrieb:

> I'm trying to set up dsync replication.
> 
> This seems to work partially - a complete replica does work (delete the
> mailboxes on the target, and they'll get filled again).
> 
> But changes don't seem to get propagated to the replica server; I get
> the message
> 
> Feb 03 13:27:19 aggregator: Fatal:
> chroot(/var/lib/dovecot/run/dovecot/.) failed: Operation not permitted
> 
> dovecot conf:
> 
> # Pigeonhole version 0.5.13 (cdd19fe)
> # OS: Linux 4.4.0-193-generic x86_64 
> # Hostname: imap.faudin.de
> auth_mechanisms = plain login
> default_internal_group = root
> default_internal_user = vmail
> default_login_user = vmail
> doveadm_password = # hidden, use -P to show it
> doveadm_port = 2443
> first_valid_gid = 0
> imapc_features = rfc822.size fetch-headers
> imapc_port = 1143
> imapc_ssl = starttls
> imapc_ssl_verify = no
> imapc_user = %u
> lda_mailbox_autocreate = yes
> lda_mailbox_autosubscribe = yes
> log_path = /dev/stderr
> mail_plugins = " notify replication"
> mail_prefetch_count = 20
> mail_privileged_group = root
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress
> comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify
> environment mailbox date index ihave duplicate mime foreverypart extracttext
> namespace inbox {
> inbox = yes
> location = 
> mailbox Drafts {
> auto = create
> special_use = \Drafts
> }
> mailbox Junk {
> auto = create
> special_use = \Junk
> }
> mailbox Sent {
> auto = create
> special_use = \Sent
> }
> mailbox "Sent Messages" {
> auto = create
> special_use = \Sent
> }
> mailbox Trash {
> auto = create
> special_use = \Trash
> }
> prefix = 
> }
> passdb {
> args = /etc/dovecot/dovecot-ldap.conf.ext
> driver = ldap
> }
> plugin {
> mail_replica = tcp:m.datilo.de:2443
> postmaster = isomne valid address
> replication_sync_timeout = 2
> sieve = file:/var/vmail/sieve/scripts/%u/sieve;active=/var/vmail/sieve/scripts/%u/.dovecot.sieve
> sieve_after = /etc/dovecot/sieve/sieve-after
> sieve_before = /etc/dovecot/sieve/sieve-before
> sieve_default = /etc/dovecot/sieve/default.sieve
> sieve_dir = /var/vmail/sieve/scripts/%u
> sieve_global_dir = /var/vmail/sieve
> }
> protocols = imap lmtp sieve
> service aggregator {
> unix_listener replication-notify {
> group = root
> mode = 0666
> user = vmail
> }
> }
> service anvil {
> chroot = 
> }
> service auth {
> chroot = 
> unix_listener auth-client {
> mode = 0660
> user = vmail
> }
> }
> service config {
> unix_listener config {
> group = root
> user = vmail
> }
> }
> service doveadm {
> group = root
> inet_listener {
> port = 2443
> }
> user = vmail
> }
> service imap-login {
> chroot = 
> inet_listener imap {
> port = 1143
> }
> inet_listener imaps {
> port = 1993
> ssl = yes
> }
> }
> service lmtp {
> chroot = 
> inet_listener lmtp {
> port = 2525
> }
> }
> service managesieve-login {
> chroot = 
> inet_listener sieve {
> port = 4190
> }
> }
> service replicator {
> process_min_avail = 1
> unix_listener replicator-doveadm {
> group = root
> mode = 0600
> user = vmail
> }
> }
> ssl = required
> ssl_cert = </run/secrets/letsencrypt-fullchain
> ssl_cipher_list =
> ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH:!SSLv2:
> TLS1.0
> ssl_client_ca_file = /var/run/secrets/letsencrypt-fullchain
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> ssl_min_protocol = TLSv1.2
> ssl_prefer_server_ciphers = yes
> submission_host = exim-int-mailout:1587
> userdb {
> args = /etc/dovecot/dovecot-ldap.conf.ext
> driver = ldap
> }
> protocol lmtp {
> mail_plugins = " notify replication sieve"
> }
> protocol lda {
> mail_plugins = " notify replication sieve"
> }

