Have you tried setting Linux capabilities, like NET_BIND_SERVICE, CHOWN, SYS_CHROOT, SETGID? Have you checked the permissions of the paths? I had to relocate the run dir with things like these:
&& mkdir /var/dovecot \
&& mkdir /var/lib/dovecot \
&& (umask 027 ; mkdir /var/dovecot/login) \
&& (umask 022 ; mkdir /var/dovecot/empty) \
&& (umask 027 ; mkdir /var/dovecot/token-login)
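As an added check (example code, not from either message in this thread), here is a POSIX sh script that decodes the effective capability mask a process actually has inside the container (the CapEff line of /proc/PID/status) and reports whether the capabilities the reply above names are present, plus a quick look at the permissions of the Dovecot directories. Capability bit numbers are those from linux/capability.h; the inclusion of CAP_SETUID, the directory list, and the CAPCHECK_RUN variable are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not code from the thread: decode a process's effective
# capability mask (CapEff in /proc/PID/status) and report whether the
# capabilities Dovecot's privilege drop and socket setup need are present.
# Capability bit numbers are from linux/capability.h. The list of "needed"
# capabilities is an assumption: the ones named in the reply above plus
# CAP_SETUID, which setuid(2) away from root requires.

# cap_bit NAME -> bit number of the capability, or status 1 if unknown
cap_bit() {
    case "$1" in
        chown)            echo 0 ;;
        setgid)           echo 6 ;;
        setuid)           echo 7 ;;
        net_bind_service) echo 10 ;;
        sys_chroot)       echo 18 ;;
        *)                return 1 ;;
    esac
}

# mask_has_cap HEXMASK NAME -> prints yes or no
mask_has_cap() {
    bit=$(cap_bit "$2") || { echo "unknown capability: $2" >&2; return 2; }
    # shell arithmetic is at least 64-bit on Linux, wide enough for all 41 bits
    if [ $(( 0x$1 >> bit & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# cap_eff_mask [PID] -> CapEff hex string for PID (default: this shell)
cap_eff_mask() {
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# check_dovecot_caps HEXMASK -> one line per capability; status 1 if any missing
check_dovecot_caps() {
    missing=0
    for c in setuid setgid chown net_bind_service sys_chroot; do
        r=$(mask_has_cap "$1" "$c")
        printf '%-20s %s\n' "cap_$c" "$r"
        [ "$r" = yes ] || missing=1
    done
    return "$missing"
}

# dir_perms PATH -> "mode owner:group" via GNU stat (assumes coreutils)
dir_perms() {
    stat -c '%a %U:%G' "$1"
}

# Run the checks for the current process when CAPCHECK_RUN=1, e.g. inside
# the container:  CAPCHECK_RUN=1 singularity exec test.sif sh capcheck.sh
# (the directory list below is an assumption; adjust to your base_dir)
if [ "${CAPCHECK_RUN:-0}" = 1 ]; then
    check_dovecot_caps "$(cap_eff_mask)"
    for d in /run/dovecot /var/run/dovecot /var/dovecot /var/lib/dovecot; do
        [ -d "$d" ] && printf '%-20s %s\n' "$d" "$(dir_perms "$d")"
    done
fi
```

A process that reports "no" for cap_setuid or cap_setgid cannot switch away from root no matter what the Dovecot configuration says, so run this from the same context the dovecot master is started in; a mask such as 0000003fffffffff is a full root set, 0000000000000000 is a fully dropped one.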
-----Original Message-----
From: cesco [mailto:cesco@esiliati.org]
Sent: 30 December 2019 18:32
To: dovecot@dovecot.org
Subject: dovecot cannot drop privileges inside singularity container
Hi all
I'm facing an issue while running Dovecot inside a Singularity (https://sylabs.io/singularity/) container.
The Dovecot version is 2.3.4.1 (configuration below), running on Debian buster inside a container built with Singularity version 3.4.2.
Unfortunately, when I try to start Dovecot, it gives:

Singularity test.sif:~> cat /var/log/mail.log
Dec 30 17:23:38 testnode dovecot: master: Dovecot v2.3.4.1 (f79e8e7e4) starting up for imap, lmtp, sieve, pop3, submission (core dumps disabled)
Dec 30 17:23:38 testnode dovecot: anvil: Fatal: We couldn't drop root privileges
Dec 30 17:23:38 testnode dovecot: master: Error: service(anvil): command startup failed, throttling for 2 secs
The same happens on Singularity containers based on Debian bullseye or Alpine Linux 3.9.2.
many thanks! nzasch
Singularity test.sif:~> doveconf -n
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-6-amd64 x86_64 Debian 10.2
# Hostname: testnode.example.net
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap lmtp sieve pop3 submission"
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}