Feb 03 13:27:19 aggregator: Fatal: chroot(/var/lib/dovecot/run/dovecot/.) failed: Operation not permitted
I'm trying to set up dsync replication.
This seems to work partially – a complete replica does work (delete the mailboxes on the target, and they'll get filled again).
But changes don't seem to get propagated to the replica server; I get the message
Feb 03 13:27:19 aggregator: Fatal: chroot(/var/lib/dovecot/run/dovecot/.) failed: Operation not permitted
dovecot conf:
# Configuration dump as posted in the thread; "# hidden, use -P to show it"
# marks values redacted by the dumping tool, not empty settings.
# Pigeonhole version 0.5.13 (cdd19fe)
# OS: Linux 4.4.0-193-generic x86_64
# Hostname: imap.faudin.de
auth_mechanisms = plain login
# Internal processes run with gid 0. Per Aki's reply further down the thread,
# Dovecot assumes it can chroot when gid = 0, which is what produces the
# "chroot(...) failed: Operation not permitted" fatal in an unprivileged container.
default_internal_group = root
default_internal_user = vmail
default_login_user = vmail
doveadm_password = # hidden, use -P to show it
doveadm_port = 2443
# gid 0 also appears here and in mail_privileged_group below.
first_valid_gid = 0
imapc_features = rfc822.size fetch-headers
imapc_port = 1143
imapc_ssl = starttls
# NOTE(review): disables TLS certificate verification for imapc connections —
# confirm this is intended rather than a leftover from testing.
imapc_ssl_verify = no
imapc_user = %u
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
log_path = /dev/stderr
mail_plugins = " notify replication"
mail_prefetch_count = 20
mail_privileged_group = root
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
inbox = yes
location =
mailbox Drafts {
auto = create
special_use = \Drafts
}
mailbox Junk {
auto = create
special_use = \Junk
}
mailbox Sent {
auto = create
special_use = \Sent
}
mailbox "Sent Messages" {
auto = create
special_use = \Sent
}
mailbox Trash {
auto = create
special_use = \Trash
}
prefix =
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
plugin {
# Replica target, matching the doveadm inet_listener port (2443) below.
# NOTE(review): the "tcp:" scheme is a plain TCP connection; "tcps:" would
# wrap it in TLS — confirm which one is intended for this replica link.
mail_replica = tcp:m.datilo.de:2443
# Placeholder value as posted.
postmaster = isomne valid address
replication_sync_timeout = 2
sieve = file:/var/vmail/sieve/scripts/%u/sieve;active=/var/vmail/sieve/scripts/%u/.dovecot.sieve
sieve_after = /etc/dovecot/sieve/sieve-after
sieve_before = /etc/dovecot/sieve/sieve-before
sieve_default = /etc/dovecot/sieve/default.sieve
sieve_dir = /var/vmail/sieve/scripts/%u
sieve_global_dir = /var/vmail/sieve
}
protocols = imap lmtp sieve
# No explicit "chroot =" here, unlike anvil/auth/imap-login/lmtp/managesieve-login
# below. Aki's reply in this thread proposes adding "chroot =" to this service so
# the aggregator does not attempt to chroot itself.
service aggregator {
unix_listener replication-notify {
group = root
# NOTE(review): world-writable notify socket; the replicator-doveadm listener
# below uses 0600 — confirm 0666 is actually required here.
mode = 0666
user = vmail
}
}
# An explicit empty chroot disables chrooting for the service.
service anvil {
chroot =
}
service auth {
chroot =
unix_listener auth-client {
mode = 0660
user = vmail
}
}
service config {
unix_listener config {
group = root
user = vmail
}
}
# doveadm listener on TCP 2443, the port referenced by mail_replica above;
# presumably protected by doveadm_password — verify on the replica side too.
service doveadm {
group = root
inet_listener {
port = 2443
}
user = vmail
}
service imap-login {
chroot =
inet_listener imap {
port = 1143
}
inet_listener imaps {
port = 1993
ssl = yes
}
}
service lmtp {
chroot =
inet_listener lmtp {
port = 2525
}
}
service managesieve-login {
chroot =
inet_listener sieve {
port = 4190
}
}
service replicator {
process_min_avail = 1
unix_listener replicator-doveadm {
group = root
mode = 0600
user = vmail
}
}
ssl = required
ssl_cert = </run/secrets/letsencrypt-fullchain
# NOTE(review): protocol version policy is set by ssl_min_protocol below; the
# trailing "!TLS1.0" token does not look like a standard cipher-list keyword —
# verify it is accepted by the TLS library in use.
ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH:!SSLv2:!TLS1.0
# NOTE(review): the client CA file is the server's own certificate chain —
# confirm which client certificates this is meant to accept.
ssl_client_ca_file = /var/run/secrets/letsencrypt-fullchain
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
submission_host = exim-int-mailout:1587
userdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
protocol lmtp {
mail_plugins = " notify replication sieve"
}
protocol lda {
mail_plugins = " notify replication sieve"
}
What's your dsync command? It sounds like you use 'backup' instead of 'mirror'.
Mit freundlichen Grüßen Yours sincerely Pascal Rudolf
-----Ursprüngliche Nachricht----- Von: dovecot <dovecot-bounces@dovecot.org> Im Auftrag von Jörg Faudin Schulz Gesendet: Mittwoch, 3. Februar 2021 13:44 An: dovecot@dovecot.org Betreff: Feb 03 13:27:19 aggregator: Fatal: chroot(/var/lib/dovecot/run/dovecot/.) failed: Operation not permitted
I'm trying to set up dsync replication.
This seems to work partial - complete replica does work (delete the mailboxes on target, and they'll get filled again).
But, changes don't seem to get populated on the replica server; I get the msg
Feb 03 13:27:19 aggregator: Fatal:
chroot(/var/lib/dovecot/run/dovecot/.) failed: Operation not permitted
dovecot conf:
# Pigeonhole version 0.5.13 (cdd19fe) # OS: Linux 4.4.0-193-generic x86_64 # Hostname: imap.faudin.de auth_mechanisms = plain login default_internal_group = root default_internal_user = vmail default_login_user = vmail doveadm_password = # hidden, use -P to show it doveadm_port = 2443 first_valid_gid = 0 imapc_features = rfc822.size fetch-headers imapc_port = 1143 imapc_ssl = starttls imapc_ssl_verify = no imapc_user = %u lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes log_path = /dev/stderr mail_plugins = " notify replication" mail_prefetch_count = 20 mail_privileged_group = root managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext namespace inbox { inbox = yes location = mailbox Drafts { auto = create special_use = \Drafts } mailbox Junk { auto = create special_use = \Junk } mailbox Sent { auto = create special_use = \Sent } mailbox "Sent Messages" { auto = create special_use = \Sent } mailbox Trash { auto = create special_use = \Trash } prefix = } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } plugin { mail_replica = tcp:m.datilo.de:2443 postmaster = isomne valid address replication_sync_timeout = 2 sieve = file:/var/vmail/sieve/scripts/%u/sieve;active=/var/vmail/sieve/scripts/%u/.dovecot.sieve sieve_after = /etc/dovecot/sieve/sieve-after sieve_before = /etc/dovecot/sieve/sieve-before sieve_default = /etc/dovecot/sieve/default.sieve sieve_dir = /var/vmail/sieve/scripts/%u sieve_global_dir = /var/vmail/sieve } protocols = imap lmtp sieve service aggregator { unix_listener replication-notify { group = root mode = 0666 user = vmail } } service anvil { chroot = } service auth { chroot = unix_listener auth-client { mode = 0660 user = vmail } } service config { unix_listener config { group = 
root user = vmail } } service doveadm { group = root inet_listener { port = 2443 } user = vmail } service imap-login { chroot = inet_listener imap { port = 1143 } inet_listener imaps { port = 1993 ssl = yes } } service lmtp { chroot = inet_listener lmtp { port = 2525 } } service managesieve-login { chroot = inet_listener sieve { port = 4190 } } service replicator { process_min_avail = 1 unix_listener replicator-doveadm { group = root mode = 0600 user = vmail } } ssl = required ssl_cert = </run/secrets/letsencrypt-fullchain ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH:!SSLv2:!TLS1.0 ssl_client_ca_file = /var/run/secrets/letsencrypt-fullchain ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_min_protocol = TLSv1.2 ssl_prefer_server_ciphers = yes submission_host = exim-int-mailout:1587 userdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } protocol lmtp { mail_plugins = " notify replication sieve" } protocol lda { mail_plugins = " notify replication sieve" }
Found the reason. As always, permission issues are permission issues. In this case, I had Dovecot running in a Docker container as uid:vmail, gid:root in order to prepare it for an OpenShift port (which seems to require gid 0). But RESTRICT_ACCESS_FLAG_ALLOW_ROOT seems to force the aggregator to run as root when gid=0, and getting root is not possible in this Docker installation. After running Dovecot as vmail:vmail (1001:1001), the replication started.
It will be interesting to see the kubernetes/openshift implications. Best wishes!
- Februar 2021 13:45, "Jörg Faudin Schulz" <js@faudin.de> schrieb:
I'm trying to set up dsync replication.
This seems to work partial - complete replica does work (delete the mailboxes on target, and they'll get filled again).
But, changes don't seem to get populated on the replica server; I get the msg
Feb 03 13:27:19 aggregator: Fatal: chroot(/var/lib/dovecot/run/dovecot/.) failed: Operation not permitted
dovecot conf:
# Pigeonhole version 0.5.13 (cdd19fe) # OS: Linux 4.4.0-193-generic x86_64 # Hostname: imap.faudin.de auth_mechanisms = plain login default_internal_group = root default_internal_user = vmail default_login_user = vmail doveadm_password = # hidden, use -P to show it doveadm_port = 2443 first_valid_gid = 0 imapc_features = rfc822.size fetch-headers imapc_port = 1143 imapc_ssl = starttls imapc_ssl_verify = no imapc_user = %u lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes log_path = /dev/stderr mail_plugins = " notify replication" mail_prefetch_count = 20 mail_privileged_group = root managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext namespace inbox { inbox = yes location = mailbox Drafts { auto = create special_use = \Drafts } mailbox Junk { auto = create special_use = \Junk } mailbox Sent { auto = create special_use = \Sent } mailbox "Sent Messages" { auto = create special_use = \Sent } mailbox Trash { auto = create special_use = \Trash } prefix = } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } plugin { mail_replica = tcp:m.datilo.de:2443 postmaster = isomne valid address replication_sync_timeout = 2 sieve = file:/var/vmail/sieve/scripts/%u/sieve;active=/var/vmail/sieve/scripts/%u/.dovecot.sieve sieve_after = /etc/dovecot/sieve/sieve-after sieve_before = /etc/dovecot/sieve/sieve-before sieve_default = /etc/dovecot/sieve/default.sieve sieve_dir = /var/vmail/sieve/scripts/%u sieve_global_dir = /var/vmail/sieve } protocols = imap lmtp sieve service aggregator { unix_listener replication-notify { group = root mode = 0666 user = vmail } } service anvil { chroot = } service auth { chroot = unix_listener auth-client { mode = 0660 user = vmail } } service config { unix_listener config { group = 
root user = vmail } } service doveadm { group = root inet_listener { port = 2443 } user = vmail } service imap-login { chroot = inet_listener imap { port = 1143 } inet_listener imaps { port = 1993 ssl = yes } } service lmtp { chroot = inet_listener lmtp { port = 2525 } } service managesieve-login { chroot = inet_listener sieve { port = 4190 } } service replicator { process_min_avail = 1 unix_listener replicator-doveadm { group = root mode = 0600 user = vmail } } ssl = required ssl_cert = </run/secrets/letsencrypt-fullchain ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH:!SSLv2: TLS1.0 ssl_client_ca_file = /var/run/secrets/letsencrypt-fullchain ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_min_protocol = TLSv1.2 ssl_prefer_server_ciphers = yes submission_host = exim-int-mailout:1587 userdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } protocol lmtp { mail_plugins = " notify replication sieve" } protocol lda { mail_plugins = " notify replication sieve" }
Uh, no. RESTRICT_ACCESS_FLAG_ALLOW_ROOT *allows* running as root, it does not *force* running as root.
The problem here is that Dovecot assumes it is able to chroot when gid = 0 and therefore attempts to chroot.
To avoid this, you could do
service aggregator { chroot = }
so the aggregator process won't try to chroot itself.
Aki
On 05/02/2021 00:05 js@faudin.de wrote:
Found the reason. As always permission issues are permission issues. In this case, I had dovecot run in a docker container as uid:vmail, gid:root in order to prepare that for an openShift port (which seems to require the gid 0). But, RESTRICT_ACCESS_FLAG_ALLOW_ROOT seems to force the aggregator run as root when gid=0. But, getting root is not possible in this docker installation. After running dovecot as vmail:vmail (1001:1001), the replication started.
It will be interesting to see the kubernetes/openshift implications. Best wishes!
- Februar 2021 13:45, "Jörg Faudin Schulz" <js@faudin.de> schrieb:
I'm trying to set up dsync replication.
This seems to work partial - complete replica does work (delete the mailboxes on target, and they'll get filled again).
But, changes don't seem to get populated on the replica server; I get the msg
Feb 03 13:27:19 aggregator: Fatal: chroot(/var/lib/dovecot/run/dovecot/.) failed: Operation not permitted
dovecot conf:
# Pigeonhole version 0.5.13 (cdd19fe) # OS: Linux 4.4.0-193-generic x86_64 # Hostname: imap.faudin.de auth_mechanisms = plain login default_internal_group = root default_internal_user = vmail default_login_user = vmail doveadm_password = # hidden, use -P to show it doveadm_port = 2443 first_valid_gid = 0 imapc_features = rfc822.size fetch-headers imapc_port = 1143 imapc_ssl = starttls imapc_ssl_verify = no imapc_user = %u lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes log_path = /dev/stderr mail_plugins = " notify replication" mail_prefetch_count = 20 mail_privileged_group = root managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext namespace inbox { inbox = yes location = mailbox Drafts { auto = create special_use = \Drafts } mailbox Junk { auto = create special_use = \Junk } mailbox Sent { auto = create special_use = \Sent } mailbox "Sent Messages" { auto = create special_use = \Sent } mailbox Trash { auto = create special_use = \Trash } prefix = } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } plugin { mail_replica = tcp:m.datilo.de:2443 postmaster = isomne valid address replication_sync_timeout = 2 sieve = file:/var/vmail/sieve/scripts/%u/sieve;active=/var/vmail/sieve/scripts/%u/.dovecot.sieve sieve_after = /etc/dovecot/sieve/sieve-after sieve_before = /etc/dovecot/sieve/sieve-before sieve_default = /etc/dovecot/sieve/default.sieve sieve_dir = /var/vmail/sieve/scripts/%u sieve_global_dir = /var/vmail/sieve } protocols = imap lmtp sieve service aggregator { unix_listener replication-notify { group = root mode = 0666 user = vmail } } service anvil { chroot = } service auth { chroot = unix_listener auth-client { mode = 0660 user = vmail } } service config { unix_listener config { group = 
root user = vmail } } service doveadm { group = root inet_listener { port = 2443 } user = vmail } service imap-login { chroot = inet_listener imap { port = 1143 } inet_listener imaps { port = 1993 ssl = yes } } service lmtp { chroot = inet_listener lmtp { port = 2525 } } service managesieve-login { chroot = inet_listener sieve { port = 4190 } } service replicator { process_min_avail = 1 unix_listener replicator-doveadm { group = root mode = 0600 user = vmail } } ssl = required ssl_cert = </run/secrets/letsencrypt-fullchain ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH:!SSLv2: TLS1.0 ssl_client_ca_file = /var/run/secrets/letsencrypt-fullchain ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_min_protocol = TLSv1.2 ssl_prefer_server_ciphers = yes submission_host = exim-int-mailout:1587 userdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } protocol lmtp { mail_plugins = " notify replication sieve" } protocol lda { mail_plugins = " notify replication sieve" }