acl_ignore_namespace & dovecot-acl-list files
Hi!
After updating to 2.3.15, I was hoping to be able to get rid of some of the work-around I had in place when configuring shared folders in cluster mode in 2.3.14. Unfortunately it seems that I still need one.
Running on CentOS7 with both a 'virtual' and 'shared' namespace, whenever I update the global vfile, I'm getting the following warning:
Error: open(/etc/dovecot/virtual/.temp.....8536.f1a78823779ee98d)
failed: Read-only file system
Error: dovecot-acl-list creation failed:
safe_mkstemp(/etc/dovecot/virtual/.temp.....8536.) failed: Read-only
file system
Error: unlink(/etc/dovecot/virtual/dovecot-acl-list) failed: Read-only
file system (in acl-backend-vfile-acllist.c:339)
I found it weird, as I'm using acl_ignore_namespace to ignore the
virtual filesystem, but still dovecot seems to be trying to create a
dovecot-acl-list file there. After digging into it and generating a
backtrace where that error message is triggered, I believe I've trace it
down to acl_lookup_dict_rebuild, which doesn't filter out "ignored"
namespaces. The attached patch seems to solve the problem for me, but I
must admit I didn't test it in depth so I'm not sure if I'm breaking
something else...
Let me know if I'm missing something, Thanks, Vincent
PS: Some details:
- Relevant configuration (let me know if I'm missing something):
mail_plugins = acl zlib virtual fts fts_solr
namespace Virtual {
prefix = Virtual/
separator = /
hidden = yes
list = no
subscriptions = no
location = virtual:/etc/dovecot/virtual:INDEX=~/virtual
}
namespace shared {
type = shared
prefix = shared/%%u/
list = children
subscriptions = no
location = imapc:~/shared/%%u
}
plugin {
# ACLs
acl = vfile:/etc/dovecot/dovecot-acl
acl_ignore_namespace = Virtual/
acl_ignore_namespace2 = shared/*
acl_shared_dict = proxy::acl
}
- Backtrace generated manually (adding
backtrace_get(&backtrace)& printing the result under thedovecot-acl-list creation failederror):
Raw backtrace:
/usr/lib64/dovecot/libdovecot.so.0(backtrace_append+0x42) [0x7ff99d364862]
-> /usr/lib64/dovecot/libdovecot.so.0(backtrace_get+0x1e) [0x7ff99d36496e]
-> /usr/lib64/dovecot/lib01_acl_plugin.so(+0xb071) [0x7ff99ca9f071]
->
/usr/lib64/dovecot/lib01_acl_plugin.so(acl_backend_vfile_acllist_rebuild+0x1d)
[0x7ff99ca9f3ed]
->
/usr/lib64/dovecot/lib01_acl_plugin.so(acl_backend_vfile_acllist_refresh+0x250)
[0x7ff99ca9f6b0]
->
/usr/lib64/dovecot/lib01_acl_plugin.so(acl_backend_vfile_nonowner_iter_init+0x9)
[0x7ff99ca9f849]
->
/usr/lib64/dovecot/lib01_acl_plugin.so(acl_lookup_dict_rebuild+0x13e)
[0x7ff99caa179e]
-> /usr/lib64/dovecot/lib01_acl_plugin.so(+0xb245) [0x7ff99ca9f245]
->
/usr/lib64/dovecot/lib01_acl_plugin.so(acl_backend_vfile_acllist_rebuild+0x1d)
[0x7ff99ca9f3ed]
-> /usr/lib64/dovecot/lib01_acl_plugin.so(+0xa9ad) [0x7ff99ca9e9ad]
-> /usr/lib64/dovecot/lib01_acl_plugin.so(+0x6e4c) [0x7ff99ca9ae4c]
->
/usr/lib64/dovecot/lib01_acl_plugin.so(acl_object_get_my_rights+0x75)
[0x7ff99ca9af35]
-> /usr/lib64/dovecot/lib01_acl_plugin.so(+0xe44e) [0x7ff99caa244e]
-> /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_exists+0x6e)
[0x7ff99d6845fe]
->
/usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_list_mailbox+0x226)
[0x7ff99d694ff6]
->
/usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_list_iter_init_namespaces+0x282)
[0x7ff99d6eecf2]
-> dovecot/imap [vbrillau XXXXX LIST](cmd_list_full+0x55b) [0x563f9bb004bb]
-> dovecot/imap [vbrillau XXXXX LIST](command_exec+0x64) [0x563f9bb0ab04]
-> dovecot/imap [vbrillau XXXXX LIST](+0x1d9e2) [0x563f9bb089e2]
-> dovecot/imap [vbrillau XXXXX LIST](+0x1da71) [0x563f9bb08a71]
-> dovecot/imap [vbrillau XXXXX LIST](client_handle_input+0x205)
[0x563f9bb08ef5]
-> dovecot/imap [vbrillau XXXXX LIST](client_input+0x79) [0x563f9bb094d9]
-> /usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x65)
[0x7ff99d38a425]
->
/usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0x12b)
[0x7ff99d38bdab]
-> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x59)
[0x7ff99d38a529]
-> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7ff99d38a768]
-> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13)
[0x7ff99d2f43c3]
-> dovecot/imap [vbrillau XXXXX LIST](main+0x342) [0x563f9bafa2f2]
-> /lib64/libc.so.6(__libc_start_main+0xf5) [0x7ff99ced1555]
-> dovecot/imap [vbrillau XXXXX LIST](+0xf4f5) [0x563f9bafa4f5]
On 29/06/2021 12:09 Vincent Brillault vincent.brillault@cern.ch wrote:
Hi!
After updating to 2.3.15, I was hoping to be able to get rid of some of the work-around I had in place when configuring shared folders in cluster mode in 2.3.14. Unfortunately it seems that I still need one.
Running on CentOS7 with both a 'virtual' and 'shared' namespace, whenever I update the global vfile, I'm getting the following warning:
Error: open(/etc/dovecot/virtual/.temp.....8536.f1a78823779ee98d) failed: Read-only file system Error: dovecot-acl-list creation failed: safe_mkstemp(/etc/dovecot/virtual/.temp.....8536.) failed: Read-only file system Error: unlink(/etc/dovecot/virtual/dovecot-acl-list) failed: Read-only file system (in acl-backend-vfile-acllist.c:339)I found it weird, as I'm using acl_ignore_namespace to ignore the virtual filesystem, but still dovecot seems to be trying to create a dovecot-acl-list file there. After digging into it and generating a backtrace where that error message is triggered, I believe I've trace it down to
acl_lookup_dict_rebuild, which doesn't filter out "ignored" namespaces. The attached patch seems to solve the problem for me, but I must admit I didn't test it in depth so I'm not sure if I'm breaking something else...Let me know if I'm missing something,
Hi Vincent,
thank you very much for your mail and the patch. Sad to hear that 2.3.15 wasn't able to get rid of your work-arounds. I think your fix is valid and needed. It seems that checking ignore_acls was simply forgotten to be added there.
Markus
Thanks, Vincent
PS: Some details:
- Relevant configuration (let me know if I'm missing something):
mail_plugins = acl zlib virtual fts fts_solr namespace Virtual { prefix = Virtual/ separator = / hidden = yes list = no subscriptions = no location = virtual:/etc/dovecot/virtual:INDEX=~/virtual } namespace shared { type = shared prefix = shared/%%u/ list = children subscriptions = no location = imapc:~/shared/%%u } plugin { # ACLs acl = vfile:/etc/dovecot/dovecot-acl acl_ignore_namespace = Virtual/ acl_ignore_namespace2 = shared/* acl_shared_dict = proxy::acl }
- Backtrace generated manually (adding
backtrace_get(&backtrace)& printing the result under thedovecot-acl-list creation failederror):Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(backtrace_append+0x42) [0x7ff99d364862] -> /usr/lib64/dovecot/libdovecot.so.0(backtrace_get+0x1e) [0x7ff99d36496e] -> /usr/lib64/dovecot/lib01_acl_plugin.so(+0xb071) [0x7ff99ca9f071] -> /usr/lib64/dovecot/lib01_acl_plugin.so(acl_backend_vfile_acllist_rebuild+0x1d) [0x7ff99ca9f3ed] -> /usr/lib64/dovecot/lib01_acl_plugin.so(acl_backend_vfile_acllist_refresh+0x250) [0x7ff99ca9f6b0] -> /usr/lib64/dovecot/lib01_acl_plugin.so(acl_backend_vfile_nonowner_iter_init+0x9) [0x7ff99ca9f849] -> /usr/lib64/dovecot/lib01_acl_plugin.so(acl_lookup_dict_rebuild+0x13e) [0x7ff99caa179e] -> /usr/lib64/dovecot/lib01_acl_plugin.so(+0xb245) [0x7ff99ca9f245] -> /usr/lib64/dovecot/lib01_acl_plugin.so(acl_backend_vfile_acllist_rebuild+0x1d) [0x7ff99ca9f3ed] -> /usr/lib64/dovecot/lib01_acl_plugin.so(+0xa9ad) [0x7ff99ca9e9ad] -> /usr/lib64/dovecot/lib01_acl_plugin.so(+0x6e4c) [0x7ff99ca9ae4c] -> /usr/lib64/dovecot/lib01_acl_plugin.so(acl_object_get_my_rights+0x75) [0x7ff99ca9af35] -> /usr/lib64/dovecot/lib01_acl_plugin.so(+0xe44e) [0x7ff99caa244e] -> /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_exists+0x6e) [0x7ff99d6845fe] -> /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_list_mailbox+0x226) [0x7ff99d694ff6] -> /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_list_iter_init_namespaces+0x282) [0x7ff99d6eecf2] -> dovecot/imap [vbrillau XXXXX LIST](cmd_list_full+0x55b) [0x563f9bb004bb] -> dovecot/imap [vbrillau XXXXX LIST](command_exec+0x64) [0x563f9bb0ab04] -> dovecot/imap [vbrillau XXXXX LIST](+0x1d9e2) [0x563f9bb089e2] -> dovecot/imap [vbrillau XXXXX LIST](+0x1da71) [0x563f9bb08a71] -> dovecot/imap [vbrillau XXXXX LIST](client_handle_input+0x205) [0x563f9bb08ef5] -> dovecot/imap [vbrillau XXXXX LIST](client_input+0x79) [0x563f9bb094d9] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x65) [0x7ff99d38a425] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0x12b) [0x7ff99d38bdab] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x59) [0x7ff99d38a529] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7ff99d38a768] -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7ff99d2f43c3] -> dovecot/imap [vbrillau XXXXX LIST](main+0x342) [0x563f9bafa2f2] -> /lib64/libc.so.6(__libc_start_main+0xf5) [0x7ff99ced1555] -> dovecot/imap [vbrillau XXXXX LIST](+0xf4f5) [0x563f9bafa4f5]
participants (2)
-
Markus Valentin
-
Vincent Brillault