Hi,
I am setting up a system that enforces cgroup restrictions when a user logs in via SSH, and for all the services that are run by a particular user.
I am also running dovecot to give users IMAP/POP access to their mailboxes. However, to be part of a cgroup, PIDs must be explicitly added to the cgroup tasks file. So for now, all my processes are run with resource restrictions, except for Dovecot processes.
It would be really cool if dovecot's child/worker processes could be added to a cgroup in addition to the usual setuid/chroot protections that already exist. Adding a process to a cgroup is a matter of writing the PID to the correct cgroup tasks file.
If this were implemented as an extra field in userdb, it could be very powerful, and allow for all kinds of resource management/accounting of dovecot processes.
This would obviously not be cross-platform, since cgroups are a feature of the Linux kernel. Would that be a problem?
Is support for cgroups something that could be considered for dovecot at all? Are there other ways to put dovecot processes in cgroups?
I do not really have a patch or a plan for how everything would work out in detail. If this would be useful for dovecot, I would be happy to start hacking on a patch.
Cheers,
Andreas
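The attach step described in the post, writing a PID to a cgroup's tasks file, as an added example that is not part of the original message and is not Dovecot code. It assumes a cgroup v1 style `<root>/<name>/tasks` layout and a group name taken from a userdb field; `cgroup_attach`, `cgroup_name_ok` and the `mail_u1` group are hypothetical names, and the name is validated because it would come from per-user data.

```c
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A userdb-supplied group name must be a single path component, so that
 * values like "../other" or "a/b" cannot redirect the write elsewhere. */
static int cgroup_name_ok(const char *name)
{
    static const char allowed[] = "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-";
    size_t n = strlen(name);
    return n > 0 && n <= 64 && strspn(name, allowed) == n;
}

/* Write pid to <root>/<name>/tasks. Returns 0 on success, -1 on error. */
int cgroup_attach(const char *root, const char *name, pid_t pid)
{
    char path[512], buf[32];
    int fd, len, ok;
    if (!cgroup_name_ok(name)) return -1;
    len = snprintf(path, sizeof(path), "%s/%s/tasks", root, name);
    if (len < 0 || (size_t)len >= sizeof(path)) return -1;
    /* No O_CREAT: the group must already exist. O_NOFOLLOW: no symlinked tasks file. */
    fd = open(path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    len = snprintf(buf, sizeof(buf), "%ld\n", (long)pid);
    ok = write(fd, buf, (size_t)len) == (ssize_t)len;
    return (close(fd) == 0 && ok) ? 0 : -1;
}

int main(void)
{
    /* Constructed stand-in for a cgroup mount so the demo runs unprivileged. */
    char root[] = "/tmp/cgdemoXXXXXX", path[128];
    int fd;
    if (mkdtemp(root) == NULL) return 1;
    snprintf(path, sizeof(path), "%s/mail_u1", root);
    if (mkdir(path, 0700) != 0) return 1;
    strcat(path, "/tasks");
    if ((fd = open(path, O_WRONLY | O_CREAT, 0600)) < 0) return 1;
    close(fd);
    printf("mail_u1: %d\n", cgroup_attach(root, "mail_u1", getpid()));
    printf("../mail_u1: %d\n", cgroup_attach(root, "../mail_u1", getpid()));
    return 0;
}
```

On a real system `root` would be the mounted controller hierarchy, and the call has to be made while the process still has write access to the tasks file.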