Understanding filesystem quotas
Hello:
I've been trying to set up filesystem quotas for IMAP, and cannot seem to get it to work. In IMAP clients it either shows quota unavailable or unknown. I've read the documentation several times.
I've enabled the quota plugins and to my knowledge that part is good. I've edited the file 90-quota.conf and uncommented these lines and set them as follows:
plugin {
  quota_rule = *:storage=1G
}
plugin {
  quota = fs:User quota:user
}
To my knowledge, this should enable filesystem quotas by user. However when I run "doveadm quota get -u username", it shows:
Quota name Type    Value Limit %
User quota STORAGE 0     -     0
So basically all zeros. I've also tried running "doveadm -Dv quota get -u username" and don't see anything that stands out or that would indicate an issue. It shows the correct block device and such. I know filesystem quotas are working as I can run "quota username" and it shows the usage.
The reason I picked filesystem quotas is because we have /var/spool/mail/username (spool file), and /home/username/mail on the same partition, and because it sounds like it's fast and doesn't require disk I/O. But I'm trying to also figure out by setting the "storage=" command in Dovecot, do I even need to set a hard and soft limit on the filesystem quota then? I would prefer to let Dovecot enforce quotas rather than rely on the filesystem quota mechanism, but keep disk I/O down.
Any help would be greatly appreciated on this. Thank you.
-- Chris
On Thu, 13 Nov 2014, Chris Szilagyi wrote:
I've enabled the quota plugins and to my knowledge that part is good. I've edited the file 90-quota.conf and uncommented these lines and set them as follows:
plugin {
  quota_rule = *:storage=1G
}
plugin {
  quota = fs:User quota:user
}
To my knowledge, this should enable filesystem quotas by user. However when I run "doveadm quota get -u username", it shows:
Quota name Type    Value Limit %
User quota STORAGE 0     -     0
So basically all zeros. I've also tried running "doveadm -Dv quota get -u username" and don't see anything that stands out or that would indicate an issue. It shows the correct block device and such. I know filesystem quotas are working as I can run "quota username" and it shows the usage.
Are you sure, that you:
- have enabled quotas on /home/username/mail,
- have reloaded Dovecot after config change,
- have read dovecot logs, if there are errors, and
- maybe you need to configure a limit, in order to enable quotas in Dovecot at all.
- maybe try the mount=<path> option, http://wiki2.dovecot.org/Quota/FS
then? I would prefer to let Dovecot enforce quotas rather than rely on the filesystem quota mechanism, but keep disk I/O down.
Dunno if "rely" sounds like you don't trust it ;-) But you should place INDEXes somewhere else, if you enforce quota via file system.
Steffen Kaiser
- have enabled quotas on /home/username/mail,
- have reloaded Dovecot after config change,
- have read dovecot logs, if there are errors, and
- maybe you need to configure a limit, in order to enable quotas in Dovecot at all.
Tried on my server, seems like you're right - Dovecot is ignoring quota_rule userdb field and grabs the soft limit from the filesystem.
- maybe try the mount=<path> option, http://wiki2.dovecot.org/Quota/FS
then? I would prefer to let Dovecot enforce quotas rather than rely on the filesystem quota mechanism, but keep disk I/O down.
Dunno if "rely" sounds like you don't trust it ;-) But you should place INDEXes somewhere else, if you enforce quota via file system.
Agree to that - if you count control/index directories towards user's quota and enforce it on filesystem level, users most likely won't be able to login and delete mail when they reach it.
- have enabled quotas on /home/username/mail,
- have reloaded Dovecot after config change,
- have read dovecot logs, if there are errors, and
- maybe you need to configure a limit, in order to enable quotas in Dovecot at all.
Tried on my server, seems like you're right - Dovecot is ignoring quota_rule userdb field and grabs the soft limit from the filesystem.
OK good to know. So it sounds like Dovecot is relying on the filesystem quota system to do the enforcement. This makes sense, and explains why the Dovecot index files should be in an area outside of quotas.
Thanks for your help.
-- Chris
On 14.11.2014 15:29, Chris Szilagyi wrote:
- have enabled quotas on /home/username/mail,
- have reloaded Dovecot after config change,
- have read dovecot logs, if there are errors, and
- maybe you need to configure a limit, in order to enable quotas in Dovecot at all.
Tried on my server, seems like you're right - Dovecot is ignoring quota_rule userdb field and grabs the soft limit from the filesystem.
OK good to know. So it sounds like Dovecot is relying on the filesystem quota system to do the enforcement.
Don't think so. From my experience when you have different soft and hard filesystem quota, Dovecot enforces the quota even when filesystem would allow writing more data (i.e. when you are above soft quota but under hard quota).
Are you sure, that you:
- have enabled quotas on /home/username/mail,
If you mean filesystem quotas, then yes. In our environment, /home is symlinked to another local disk /volume/home, and the quotas are set on /volume
- have reloaded Dovecot after config change,
Definitely have done that.
- have read dovecot logs, if there are errors, and
Quite a while after testing and posting this, these errors started showing up in /var/log/maillog ... I'm currently investigating. This may be part of the issue.
dovecot: imap(username): Error: quotactl(Q_GETQUOTA, /dev/sdb1) failed: Permission denied
- maybe you need to configure a limit, in order to enable quotas in Dovecot at all.
By this do you mean a user limit? I've set the default limit with "quota_rule = *:storage=1G".
We aren't using a userdb so I tried using the passwd file method by appending the text "userdb_quota_rule=*:bytes=100M" to the end of the entries in /etc/passwd. So far this hasn't made any difference either, and even when doing that, doveadm still doesn't see what the user's limit is set to, it just shows zero (0). This puzzles me as I would think that it would at least show what the default limit is.
- maybe try the mount=<path> option, http://wiki2.dovecot.org/Quota/FS
I have tried that as well, so far no luck.
then? I would prefer to let Dovecot enforce quotas rather than rely on the filesystem quota mechanism, but keep disk I/O down.
Dunno if "rely" sounds like you don't trust it ;-) But you should place INDEXes somewhere else, if you enforce quota via file system.
Yes I did catch that in the documentation. I am currently looking at doing that after I get quotas working.
I am still unclear as to how Dovecot actually enforces quotas when using the filesystem. I understand it must use the filesystem quotas for looking at the current disk usage for a user, but can Dovecot enforce the quotas on its own (for example, if I set the hard and soft limits of the user to 0 for filesystem quotas) or does Dovecot rely on the filesystem quotas to do the enforcement?
Thank you again for the help. I will post back any additional information if I am able to get further on this.
-- Chris
On Fri, 14 Nov 2014, Chris Szilagyi wrote:
- have read dovecot logs, if there are errors, and
Quite a while after testing and posting this, these errors started showing up in /var/log/maillog ... I'm currently investigating. This may be part of the issue.
dovecot: imap(username): Error: quotactl(Q_GETQUOTA, /dev/sdb1) failed: Permission denied
This is the reason, you do not get any "current" information about the quota
Do you have SELinux in action? Run "sestatus" and "grep -i AVC /var/log/audit/audit.log" to identify SELinux caused denials,
Steffen Kaiser
On Fri, 14 Nov 2014, Chris Szilagyi wrote:
- have read dovecot logs, if there are errors, and
Quite a while after testing and posting this, these errors started showing up in /var/log/maillog ... I'm currently investigating. This may be part of the issue.
dovecot: imap(username): Error: quotactl(Q_GETQUOTA, /dev/sdb1) failed: Permission denied
This is the reason, you do not get any "current" information about the quota
Do you have SELinux in action? Run "sestatus" and "grep -i AVC /var/log/audit/audit.log" to identify SELinux caused denials,
Yes, I do use SELinux. I have tried setting "setenforce 0" however just as you mentioned these show up in the audit.log which I just found as well:
type=AVC msg=audit(1415935621.946:8005): avc: denied { quotaget } for pid=27701 comm="imap" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
I ended up following instructions in a SELinux FAQ to allow dovecot to use quotaget. Seems that Dovecot is still not reporting any quota usage though:
Quota name Type    Value Limit %
User quota STORAGE 0     -     0
I also did a check by running "quota username" and it shows the hard/soft values set correctly.
These are the steps I went through to correct the SELinux issue:
audit2allow -m local -l -i /var/log/audit/audit.log > dovecotquotaget.te
Edit and take out other lines in this file not pertaining to the quotaget issue.
checkmodule -M -m -o dovecotquotaget.mod dovecotquotaget.te
semodule_package -o dovecotquotaget.pp -m dovecotquotaget.mod
semodule -i dovecotquotaget.pp
I noticed this before but it doesn't seem that it queries quota usage every time the user connects via IMAP. I know this because I wasn't always getting the "Permission denied" errors until a while after I enabled quotas.
If you have any further ideas please let me know. Thank you very much once again.
-- Chris
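The hand-editing step in the message above (removing lines "not pertaining to the quotaget issue" from the generated .te file) can be replaced by filtering the AVC denials before any policy is written, so the module grants only the one permission. This is an added example, not code from the thread or from the SELinux tools; the second sample log line, the function names and the default module name are assumptions.

```python
import re

# Constructed sample: the first line is the denial quoted in the thread; the
# second is an invented, unrelated denial that must NOT reach the module.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1415935621.946:8005): avc: denied { quotaget } for pid=27701 comm="imap" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1415935700.100:8010): avc: denied { read } for pid=100 comm="example" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Yield (source_type, target_type, class, permission) for each denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src, tgt = context_type(m["scontext"]), context_type(m["tcontext"])
        for perm in m["perms"].split():
            yield (src, tgt, m["tclass"], perm)

def build_module(log_text, name="dovecotquotaget", source="dovecot_t", perm="quotaget"):
    """Build .te source allowing only `perm` for `source`; None if no such denial."""
    rules = sorted({d for d in parse_denials(log_text) if d[0] == source and d[3] == perm})
    if not rules:
        return None
    types = sorted({source} | {r[1] for r in rules})
    classes = sorted({r[2] for r in rules})
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {perm};" for c in classes]
    lines += ["}", ""]
    lines += [f"allow {s} {t}:{c} {p};" for s, t, c, p in rules]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_module(SAMPLE_AUDIT_LOG))
```

The printed text can be saved as dovecotquotaget.te and compiled with the checkmodule, semodule_package and semodule commands given in the message.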
On 11/14/2014 11:57 AM, Chris Szilagyi wrote:
On Fri, 14 Nov 2014, Chris Szilagyi wrote:
- have read dovecot logs, if there are errors, and
Quite a while after testing and posting this, these errors started showing up in /var/log/maillog ... I'm currently investigating. This may be part of the issue.
dovecot: imap(username): Error: quotactl(Q_GETQUOTA, /dev/sdb1) failed: Permission denied
This is the reason, you do not get any "current" information about the quota
Do you have SELinux in action? Run "sestatus" and "grep -i AVC /var/log/audit/audit.log" to identify SELinux caused denials,
I've resolved the SELinux issues but still it refuses to read filesystem quotas. As a test I switched the quota plugin to use the "dirsize" backend instead of "fs", and quotas are now working great! I mis-read this before about using "dirsize" thinking that it would be slow for mbox format, but it seems to only be slow for the maildir format. I'm assuming this is because mbox only has one file per folder. We use mbox so we're good to go.
Thanks again for everyone's help.
-- Chris
participants (3)
- Chris Szilagyi
- Jiri Bourek
- Steffen Kaiser