[Dovecot] indexer-worker
why this process (which most probably do squat index/update) runs as root, not - like imap process - as user?
29413 root 1 76 0 22820K 9204K kqread 1 0:17 5.86% indexer-worker
On Thu, 2012-06-28 at 07:54 +0200, Wojciech Puchar wrote:
why this process (which most probably do squat index/update) runs as root, not - like imap process - as user?
29413 root 1 76 0 22820K 9204K kqread 1 0:17 5.86% indexer-worker
It runs as root while not really doing anything, but when it starts accessing users' files it temporarily drops privileges. This is necessary if users have multiple different UIDs.
If you have only one UID e.g. vmail, you could set:
service indexer-worker { user = vmail }
There are a couple of ways to do this automatically whenever it's possible.. I guess I'll add those to v2.2.
29413 root 1 76 0 22820K 9204K kqread 1 0:17 5.86% indexer-worker
It runs as root while not really doing anything, but when it starts accessing users' files it temporarily drops privileges. This is necessary if users have multiple different UIDs.
to showed it with root privilege and 60% CPU load+disk I/O when doing text search over not yet indexed folder.
If you have only one UID e.g. vmail, you could set:
i'm not sure what you exactly mean.
I have simplest possible config - mail accounts are unix accounts and mail is at Maildir
my config below
# 2.1.7: /usr/local/etc/dovecot/dovecot.conf # OS: FreeBSD 8.3-STABLE amd64 disable_plaintext_auth = no listen = * mail_location = maildir:~/Maildir mail_plugins = fts fts_squat namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { args = /usr/local/etc/dovecot/deny-users deny = yes driver = passwd-file } passdb { driver = pam } plugin { fts = squat fts_squat = partial=4 full=10 } protocols = imap ssl_cert =
On 28.6.2012, at 13.38, Wojciech Puchar wrote:
29413 root 1 76 0 22820K 9204K kqread 1 0:17 5.86% indexer-worker
It runs as root while not really doing anything, but when it starts accessing users' files it temporarily drops privileges. This is necessary if users have multiple different UIDs.
to showed it with root privilege and 60% CPU load+disk I/O when doing text search over not yet indexed folder.
Maybe your ps/kernel shows the process's "real uid" instead of the "effective uid".
If you have only one UID e.g. vmail, you could set:
i'm not sure what you exactly mean.
I have simplest possible config - mail accounts are unix accounts and mail is at Maildir
Yes, so the problem is that if the same indexer-worker process wants to index mails to two different users, it can't drop root privileges completely because otherwise it couldn't switch between the users' UIDs.
Anyway, it would be possible to drop the root privileges completely by servicing only a single indexing request and then stopping the process. This would be worse for performance of course, but it should still be an option. I'll probably add to v2.2.
participants (2)
-
Timo Sirainen
-
Wojciech Puchar