[Dovecot] questions about process_limit
Hello all!
# dovecot --version 2.1.17
Sometimes I have this in the logfile:
May 11 16:55:52 master: Warning: service(imap-login): process_limit (100) reached, client connections are being dropped May 11 17:35:03 master: Warning: service(imap-login): process_limit (100) reached, client connections are being dropped May 11 17:36:27 master: Warning: service(imap-login): process_limit (100) reached, client connections are being dropped
I then put this in the dovecot.conf
service imap-login { service_count = 1 process_min_avail = 50 #process_limit = $default_process_limit process_limit = 10000 vsz_limit = 64M }
and get this:
May 11 18:19:36 master: Info: Dovecot v2.1.17 starting up (core dumps disabled) May 11 18:19:36 config: Warning: service auth { client_limit=1000 } is lower than required under max. load (10300) May 11 18:19:36 config: Warning: service anvil { client_limit=1000 } is lower than required under max. load (10203)
Puting this in:
service auth { client_limit = 10300 unix_listener auth-userdb { mode = 0666 user = vmail group = vmail } }
service anvil { client_limit = 10300 }
I get this:
May 11 18:27:37 delta.bitcorner.eu dovecot[3989]: Warning: fd limit (ulimit -n) is lower than required under max. load (1024 < 10300), because of service auth { client_limit }
I have also seen this today:
May 11 13:14:05 log: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill) May 11 13:14:05 auth: Error: read(anvil-auth-penalty) failed: EOF May 11 13:14:05 auth: Error: net_connect_unix(anvil-auth-penalty) failed: Permission denied
What is the best way to avoid this process_limit errors and configure dovecot the best way?
Greetings
Andreas
On -10.01.-28163 20:59, Andreas Meyer wrote:
What is the best way to avoid this process_limit errors and configure dovecot the best way?
Which limits exactly your users' activities count against depends on what protocols they're using. (Example: N parallel IMAPS connections with (default setting) *individual* imap-login processes require the process_limit of the imap and imap-login services to be at least N, occupy 2xN in the client_limit of the auth service, and need the client_limit of the anvil service to be at least about N+100.) Your "fd limit (ulimit -n)" warning is about an adjustment you must make in the OS' config (the exact place/method, in turn, being distrib dependent). Note that a single client may well hold *several* IMAP(S) connections open in parallel, too. And that your server will need to have the CPU and RAM to run that many processes ...
How much overhead you're willing to provide beyond the current (or expected, or theoretical-max) needs of your users is up to you to decide, but since there's always the possibility of some malfunction or attack tearing into your limited ressources, you should *monitor* the usage, anyway.
Kind regards, J. Bern
*NEU* - NEC IT-Infrastruktur-Produkte im http://www.linworks-shop.de/: Server--Storage--Virtualisierung--Management SW--Passion for Performance Jochen Bern, Systemingenieur --- LINworks GmbH http://www.LINworks.de/ Postfach 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27 Tel. +49 6151 9067-231, Zentr. -0, Fax -299 - Amtsg. Darmstadt HRB 85202 Unternehmenssitz Weiterstadt, Geschäftsführer Metin Dogan, Oliver Michel
Andreas Meyer wrote:
Hello all!
# dovecot --version 2.1.17
Sometimes I have this in the logfile:
May 11 16:55:52 master: Warning: service(imap-login): process_limit (100) reached, client connections are being dropped May 11 17:35:03 master: Warning: service(imap-login): process_limit (100) reached, client connections are being dropped May 11 17:36:27 master: Warning: service(imap-login): process_limit (100) reached, client connections are being dropped
I then put this in the dovecot.conf
service imap-login { service_count = 1 process_min_avail = 50 #process_limit = $default_process_limit process_limit = 10000 vsz_limit = 64M }
and get this:
May 11 18:19:36 master: Info: Dovecot v2.1.17 starting up (core dumps disabled) May 11 18:19:36 config: Warning: service auth { client_limit=1000 } is lower than required under max. load (10300) May 11 18:19:36 config: Warning: service anvil { client_limit=1000 } is lower than required under max. load (10203)
Puting this in:
service auth { client_limit = 10300 unix_listener auth-userdb { mode = 0666 user = vmail group = vmail } }
service anvil { client_limit = 10300 }
I get this:
May 11 18:27:37 delta.bitcorner.eu dovecot[3989]: Warning: fd limit (ulimit -n) is lower than required under max. load (1024< 10300), because of service auth { client_limit }
I says that if Dovecot auth process tries to service all 10300 clients, it'll open too many file descriptors and run into a limit. In other words, you configured 10300 but it's not able to service more than 1000.
Try adding ulimit -n 32768 somewhere before Dovecot is executed (I put it into /etc/default/dovecot on Debian), that should clear the warning.
I have also seen this today:
May 11 13:14:05 log: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill) May 11 13:14:05 auth: Error: read(anvil-auth-penalty) failed: EOF May 11 13:14:05 auth: Error: net_connect_unix(anvil-auth-penalty) failed: Permission denied
Signal 15 is TERM, it's used by init scripts to stop Dovecot. Those errors seem to me like a result of one process (auth) trying to communicate with another (anvil), which was already shutting down. Doesn't strike me as a problem (but I may be wrong ofc)
participants (3)
-
Andreas Meyer
-
Jiri Bourek
-
Jochen Bern