[Dovecot] Fatal: imap-login: io_loop_handle_add: epoll_ctl(1, 4): Operation not permitted
Hello,
I'am following the beginning tutorial on the Wiki, but actually, I can't even start the server correctly so far. The imap-login child dies immediately. What I can guess from the log is that it tries some unpermietted operations on some files but I can't find out which files are concerned.
Google is not my friend at all either on this matter. How can I know which files are concerned ?
Some infos that might help :
[root@Aries ~]# dovecot -n # 1.1.6: /etc/dovecot.conf # OS: Linux 2.6.27.14-server-1mnb i686 Mandriva Linux release 2009.0 (Official) for i586 ext3 ssl_cert_file: /etc/pki/tls/certs/dovecot.pem ssl_key_file: /etc/pki/tls/private/dovecot.pem login_dir: /var/run/dovecot/login login_executable: /usr/lib/dovecot/imap-login mail_privileged_group: mail mail_location: maildir:/var/mail/%n auth default: passdb: driver: passwd-file args: /etc/passwd.dovecot userdb: driver: passwd
[root@Aries ~]# ls -ld /var/mail drwxrwx--x 3 root mail 4096 2009-03-10 18:06 /var/mail/
[root@Aries ~]# service dovecot start
And here is what I get in the /var/log/syslog file :
Mar 10 20:00:47 aries dovecot: Dovecot v1.1.6 starting up Mar 10 20:00:48 aries dovecot: Fatal: imap-login: io_loop_handle_add: epoll_ctl(1, 4): Operation not permitted Mar 10 20:00:48 aries dovecot: Temporary failure in creating login processes, slowing down for now Mar 10 20:00:48 aries dovecot: Fatal: imap-login: io_loop_handle_add: epoll_ctl(1, 4): Operation not permitted Mar 10 20:00:48 aries dovecot: Fatal: imap-login: io_loop_handle_add: epoll_ctl(1, 4): Operation not permitted
Thanks
Jérôme Blanc OpenPGP : 1024D/F44DB96C
Le mardi 10 mars 2009 à 15:08, Timo Sirainen <tss@iki.fi> a écrit :
On Tue, 2009-03-10 at 20:06 +0100, Jérôme Blanc wrote:
Mar 10 20:00:48 aries dovecot: Fatal: imap-login: io_loop_handle_add: epoll_ctl(1, 4): Operation not permitted
Do you have SELinux or AppArmor or something similar enabled, which denies this syscall?
Mmm, I installed the Mandriva with a default security level of Paranoid (the highest), opening things as I need it. So I guess it's possible but I don't really know how I can tell something like this is installed.
I found out that there is a /etc/apparmor.d folder so I guess at least that one is installed. Insied that folder however, no file seems related to dovecot.
Jérôme Blanc OpenPGP : 1024D/F44DB96C
Hello,
By the way, do you know what this syscall is expected to do ?
If we make the assumption that I have AppArmor enabled, (cf my other answer mail), is there any way I can deactivate it only for Dovecot ?
Or, even better, is there a way I can just make AppAmor allow what actually prevents dovecot from working, withouth deactivating it only for dovecot ?
Thanks,
Le mardi 10 mars 2009 à 15:08, Timo Sirainen <tss@iki.fi> a écrit :
On Tue, 2009-03-10 at 20:06 +0100, Jérôme Blanc wrote:
Mar 10 20:00:48 aries dovecot: Fatal: imap-login: io_loop_handle_add: epoll_ctl(1, 4): Operation not permitted
Do you have SELinux or AppArmor or something similar enabled, which denies this syscall?
-- Jérôme Blanc OpenPGP : 1024D/F44DB96C
On Mar 11, 2009, at 7:37 PM, Jérôme Blanc wrote:
By the way, do you know what this syscall is expected to do ?
It's a very important syscall that takes care of I/O polling.
If we make the assumption that I have AppArmor enabled, (cf my other answer mail), is there any way I can deactivate it only for Dovecot ?
Probably.
Or, even better, is there a way I can just make AppAmor allow what actually prevents dovecot from working, withouth deactivating it only for dovecot ?
Yes.
But I've no idea about how to configure either Mandriva or AppArmor.
Hellooo again :x
I checked more thoroughly my system and actually I don't have apparmor installed, neither do I have SELinux
# rpm -qa | grep armor # # rpm -qa | grep selinux #
The few apparmor related files actually did belong to the packages relevant to their application (nettool package for the netstat apparmor file for exemple). Well anyway my assumption was wrong.
# urpmf /etc/apparmor.d/bin.netstat
net-tools:/etc/apparmor.d/bin.netstat #
Does someone can think of another reason that could prevent the syscall to happen ?
Thanks
Le mardi 10 mars 2009 à 15:08, Timo Sirainen <tss@iki.fi> a écrit :
On Tue, 2009-03-10 at 20:06 +0100, Jérôme Blanc wrote:
Mar 10 20:00:48 aries dovecot: Fatal: imap-login: io_loop_handle_add: epoll_ctl(1, 4): Operation not permitted
Do you have SELinux or AppArmor or something similar enabled, which denies this syscall?
-- Jérôme Blanc OpenPGP : 1024D/F44DB96C
Hello,
I'm trying to investigate the matter with the few informations I could get so far.
I tried making the security level at the lowest possible with no better luck. I also tried another kernel in case.
Is there any way I can know which files it tries to poll ? It could help me investigate.
Thanks !
Le mardi 10 mars 2009 à 15:08, Timo Sirainen <tss@iki.fi> a écrit :
On Tue, 2009-03-10 at 20:06 +0100, Jérôme Blanc wrote:
Mar 10 20:00:48 aries dovecot: Fatal: imap-login: io_loop_handle_add: epoll_ctl(1, 4): Operation not permitted
Do you have SELinux or AppArmor or something similar enabled, which denies this syscall?
-- Jérôme Blanc OpenPGP : 1024D/F44DB96C
Hello again,
I might have more informations about the matter. I modified dovecot's configuration file so that when calling imap-login it will call it through strace.
From what I could understand (I'm not really confident with that output yet ;-)), it seems that epoll_ctl are not blocked as one could occur before the failing one.
I attached a text file with the strace output as copying it in an email would be awful to read with the 80 characters limit.
Hope this help better understand the problem. Thanks !
Le mardi 24 mars 2009 à 18:11, Jérôme Blanc <jerome.blanc@nerim.net> a écrit :
Hello,
I'm trying to investigate the matter with the few informations I could get so far.
I tried making the security level at the lowest possible with no better luck. I also tried another kernel in case.
Is there any way I can know which files it tries to poll ? It could help me investigate.
Thanks !
Le mardi 10 mars 2009 à 15:08, Timo Sirainen <tss@iki.fi> a écrit :
On Tue, 2009-03-10 at 20:06 +0100, Jérôme Blanc wrote:
Mar 10 20:00:48 aries dovecot: Fatal: imap-login: io_loop_handle_add: epoll_ctl(1, 4): Operation not permitted
Do you have SELinux or AppArmor or something similar enabled, which denies this syscall?
-- Jérôme Blanc OpenPGP : 1024D/F44DB96C
On Tue, 2009-03-24 at 20:08 +0100, Jérôme Blanc wrote:
I attached a text file with the strace output as copying it in an email would be awful to read with the 80 characters limit.
Well, that did look interesting. The problem is that the listener socket isn't passed from master process to login process. Could you try if it fails with a different error with the attached patch?
Le mardi 24 mars 2009 à 15:28, Timo Sirainen <tss@iki.fi> a écrit :
On Tue, 2009-03-24 at 20:08 +0100, Jérôme Blanc wrote:
I attached a text file with the strace output as copying it in an email would be awful to read with the 80 characters limit.
Well, that did look interesting. The problem is that the listener socket isn't passed from master process to login process. Could you try if it fails with a different error with the attached patch?
Seems it's not that much different (at least in the log file ^^). I attached the strace as before.
However, you need to know for a proper interpration that in order to try your patch, instead of the Mandriva RPM, I compiled myself from the dovecot website source. The version is a bit different and any special stuff prepared by the package has not been done (I don't know if there is any actually ^^). This at least explain the differences in some paths, as well as that not all the same libraries might be called.
Nonetheless, I still have the same error so it must not be that different.
Hope this can still help ;-) Thanks !
Jérôme Blanc OpenPGP : 1024D/F44DB96C
On Tue, 2009-03-24 at 22:42 +0100, Jérôme Blanc wrote:
However, you need to know for a proper interpration that in order to try your patch, instead of the Mandriva RPM, I compiled myself from the dovecot website source. The version is a bit different and any special stuff prepared by the package has not been done (I don't know if there is any actually ^^). This at least explain the differences in some paths, as well as that not all the same libraries might be called.
Oh. Then I bet this patch will give you a different error: http://hg.dovecot.org/dovecot-1.1/rev/bf79d802a0fb
Le mardi 24 mars 2009 à 18:02, Timo Sirainen <tss@iki.fi> a écrit :
On Tue, 2009-03-24 at 22:42 +0100, Jérôme Blanc wrote:
However, you need to know for a proper interpration that in order to try your patch, instead of the Mandriva RPM, I compiled myself from the dovecot website source. The version is a bit different and any special stuff prepared by the package has not been done (I don't know if there is any actually ^^). This at least explain the differences in some paths, as well as that not all the same libraries might be called.
Oh. Then I bet this patch will give you a different error: http://hg.dovecot.org/dovecot-1.1/rev/bf79d802a0fb
Well ... it doesn't seem so. Just to make sure I am doing it the proper way, I will list what I did to get the result :
Follow your link and copy the content of the patch in a local file named dovecot-diff-02.patch
Apply the commande $ patch src/login-common/main.c dovecot-diff-02.patch
$ make
# make uninstall
# make install
# strace -o strace-dovecot dovecot
From this, I do have the strace result of the imap-login executable which is attached to the email.
For this test, I will restate the dovecot -n command as its output is different since I use the compiled version :
# dovecot -n # 1.1.13: /usr/local/etc/dovecot.conf Warning: There is no way to login to this server: disable_plaintext_auth=yes, ssl-disable=yes, no non-plaintext auth mechanisms. # OS: Linux 2.6.27.19-server-1mnb i686 Mandriva Linux release 2009.0 (Official) for i586 ssl_disable: yes login_dir: /usr/local/var/run/dovecot/login login_executable: /usr/bin/strace -o /root/strace-imap-login /usr/local/libexec/dovecot/imap-login auth default: passdb: driver: pam userdb: driver: passwd
(Well it says there is no way to login but at that stage it's not important as imap-login can't even start. I will bother with reactivating SSL later on)
Also, as you might have noticed, I also added strace output for the dovecot executable itself in case it can be of any use.
Let me know if you need it or any other kind of tests to be done.
Hope this helps Thanks !
Jérôme Blanc OpenPGP : 1024D/F44DB96C
Hello,
just in case it might be useful, as extra information to my previous email, here is the strace of the main dovecot programm.
Hope these elements will help you determine this odd behaviour.
Thanks
Le mardi 24 mars 2009 à 18:02, Timo Sirainen <tss@iki.fi> a écrit :
On Tue, 2009-03-24 at 22:42 +0100, Jérôme Blanc wrote:
However, you need to know for a proper interpration that in order to try your patch, instead of the Mandriva RPM, I compiled myself from the dovecot website source. The version is a bit different and any special stuff prepared by the package has not been done (I don't know if there is any actually ^^). This at least explain the differences in some paths, as well as that not all the same libraries might be called.
Oh. Then I bet this patch will give you a different error: http://hg.dovecot.org/dovecot-1.1/rev/bf79d802a0fb
-- Jérôme Blanc OpenPGP : 1024D/F44DB96C
On Mar 26, 2009, at 1:45 PM, Jérôme Blanc wrote:
Hello,
just in case it might be useful, as extra information to my previous email, here is the strace of the main dovecot programm.
Hope these elements will help you determine this odd behaviour.
Could you do strace -f dovecot so that it also traces all the child
processes?
Here you are.
I had to compress it as it's size is much bigger.
Also, the behaviour changed a bit when using the -f option. Usuall, when I start dovecot, it starts the processes and then gives me back the prompt. But with strace -f, it doesn't and I can't even stop it with a Ctrl + C. That is why at the end, you will see that I killed it.
Hope this helps, Thanks !
Le jeudi 26 mars 2009 à 19:10, Timo Sirainen <tss@iki.fi> a écrit :
On Mar 26, 2009, at 1:45 PM, Jérôme Blanc wrote:
Hello,
just in case it might be useful, as extra information to my previous email, here is the strace of the main dovecot programm.
Hope these elements will help you determine this odd behaviour.
Could you do strace -f dovecot so that it also traces all the child
processes?
-- Jérôme Blanc OpenPGP : 1024D/F44DB96C
Hello,
any chance this might have helped you ? I'm still stucked with this wierd problem and I do not wish to switch to Cyrus ;-)
Thanks !
Le vendredi 27 mars 2009 à 01:26, Jérôme Blanc <jerome.blanc@nerim.net> a écrit :
Here you are.
I had to compress it as it's size is much bigger.
Also, the behaviour changed a bit when using the -f option. Usuall, when I start dovecot, it starts the processes and then gives me back the prompt. But with strace -f, it doesn't and I can't even stop it with a Ctrl + C. That is why at the end, you will see that I killed it.
Hope this helps, Thanks !
Le jeudi 26 mars 2009 à 19:10, Timo Sirainen <tss@iki.fi> a écrit :
On Mar 26, 2009, at 1:45 PM, Jérôme Blanc wrote:
Hello,
just in case it might be useful, as extra information to my previous email, here is the strace of the main dovecot programm.
Hope these elements will help you determine this odd behaviour.
Could you do strace -f dovecot so that it also traces all the child processes?
-- Jérôme Blanc OpenPGP : 1024D/F44DB96C
OK, how about this: http://hg.dovecot.org/dovecot-1.1/rev/8b6b192498e3
On Wed, 2009-04-01 at 18:16 +0200, Jérôme Blanc wrote:
Hello,
any chance this might have helped you ? I'm still stucked with this wierd problem and I do not wish to switch to Cyrus ;-)
Thanks !
Le vendredi 27 mars 2009 à 01:26, Jérôme Blanc <jerome.blanc@nerim.net> a écrit :
Here you are.
I had to compress it as it's size is much bigger.
Also, the behaviour changed a bit when using the -f option. Usuall, when I start dovecot, it starts the processes and then gives me back the prompt. But with strace -f, it doesn't and I can't even stop it with a Ctrl + C. That is why at the end, you will see that I killed it.
Hope this helps, Thanks !
Le jeudi 26 mars 2009 à 19:10, Timo Sirainen <tss@iki.fi> a écrit :
On Mar 26, 2009, at 1:45 PM, Jérôme Blanc wrote:
Hello,
just in case it might be useful, as extra information to my previous email, here is the strace of the main dovecot programm.
Hope these elements will help you determine this odd behaviour.
Could you do strace -f dovecot so that it also traces all the child processes?
Hello,
it seems much better ! Do you wish to have the strace files ?
By the way, do you have any explanations what could have caused this ? Especially I'm wondering what could make the difference between my two Mandriva 2009.0 systems
I shoud now be able to go further on in the tutorial ;-)
Thanks !
Le mercredi 01 avril 2009 à 12:50, Timo Sirainen <tss@iki.fi> a écrit :
OK, how about this: http://hg.dovecot.org/dovecot-1.1/rev/8b6b192498e3
On Wed, 2009-04-01 at 18:16 +0200, Jérôme Blanc wrote:
Hello,
any chance this might have helped you ? I'm still stucked with this wierd problem and I do not wish to switch to Cyrus ;-)
Thanks !
Le vendredi 27 mars 2009 à 01:26, Jérôme Blanc <jerome.blanc@nerim.net> a écrit :
Here you are.
I had to compress it as it's size is much bigger.
Also, the behaviour changed a bit when using the -f option. Usuall, when I start dovecot, it starts the processes and then gives me back the prompt. But with strace -f, it doesn't and I can't even stop it with a Ctrl + C. That is why at the end, you will see that I killed it.
Hope this helps, Thanks !
Le jeudi 26 mars 2009 à 19:10, Timo Sirainen <tss@iki.fi> a écrit :
On Mar 26, 2009, at 1:45 PM, Jérôme Blanc wrote:
Hello,
just in case it might be useful, as extra information to my previous email, here is the strace of the main dovecot programm.
Hope these elements will help you determine this odd behaviour.
Could you do strace -f dovecot so that it also traces all the child processes?
-- Jérôme Blanc OpenPGP : 1024D/F44DB96C
On Thu, 2009-04-02 at 23:33 +0200, Jérôme Blanc wrote:
Hello,
it seems much better ! Do you wish to have the strace files ?
If it works now, no need.
By the way, do you have any explanations what could have caused this ? Especially I'm wondering what could make the difference between my two Mandriva 2009.0 systems
This happened only when Dovecot was logging to syslog and the syslog socket fd was 4. I don't really know why it would be 4 in some systems and not others, probably depends on different things.
participants (2)
-
Jérôme Blanc
-
Timo Sirainen