setting service_count results in Permission denied
The load on our machines has gotten too high, so I started to see log messages that directed me to look at this page for config changes:
https://pad.riseup.net/redirect#http%3A//wiki2.dovecot.org/SocketUnavailable
One of the things I wanted to do on that page was to set the:
service imap { service_count = 100 }
but when I added that to the service imap block, and restarted dovecot, I see this in the logs: Error: net_connect_unix(/run/dovecot/imap-postlogin) failed: Permission denied
I dont understand how this impacts permissions. Its clearly this setting, because when I remove it, things work again. I found nothing else in the logs indicating a configuration problem.
This is what the config block looked like:
service imap { # Most of the memory goes to mmap()ing files. You may need to increase this # limit if you have huge mailboxes. #vsz_limit = 256M # Max. number of IMAP processes (connections) process_limit = 4096 service_count = 100 executable = imap imap-postlogin }
service imap-postlogin { # the script process runs as the user specified here (v2.0.14+): #user = $default_internal_user
executable = script-login /usr/local/sbin/postlogin_imap
# this UNIX socket listener must use the same name as given to imap executable unix_listener imap-postlogin { } }
This is with dovecot 2.2.13, thanks for any help you can provide!
micah
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Mon, 6 Apr 2015, Micah Anderson wrote:
service imap { service_count = 100 }
where do you put this config line?
but when I added that to the service imap block, and restarted dovecot, I see this in the logs: Error: net_connect_unix(/run/dovecot/imap-postlogin) failed: Permission denied
I dont understand how this impacts permissions. Its clearly this setting, because when I remove it, things work again. I found nothing else in the logs indicating a configuration problem.
This is what the config block looked like:
service imap { # Most of the memory goes to mmap()ing files. You may need to increase this # limit if you have huge mailboxes. #vsz_limit = 256M # Max. number of IMAP processes (connections) process_limit = 4096 service_count = 100 executable = imap imap-postlogin }
please run:
doveconf -a >without_service_count add service_count doveconf -a >with_service_count
Then compare the section "service imap" and "imap-postlogin" for changes.
service imap-postlogin { # the script process runs as the user specified here (v2.0.14+): #user = $default_internal_user
executable = script-login /usr/local/sbin/postlogin_imap
# this UNIX socket listener must use the same name as given to imap executable unix_listener imap-postlogin { } }
This is with dovecot 2.2.13, thanks for any help you can provide!
micah
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQEVAwUBVSPNi3z1H7kL/d9rAQKCxgf+Ln7JJDI6dznH8kDPpEmDm9MNTxj/7X7T k7+6pi40xrvIWHRR+gTgh4ntzQ7ur8U8AceSEJgGb7zCQ6PvI9dFRJ1U6HMThA57 vE/W74CHGLQCNYkGEw7h7CJULu5AiJk2uj6iYt0nUKZCgLryTONFMMsgBAUewcRE OcGgHZwyOhL+CSvj9kaZ5gTDbtMxCx6b78JtWZ864ltcDeikfoN5Evlal4BRsMmA DXC5auovPJ/4zRQRiWwDCeS2LEBVESnDgRH5GMx1kQg33PtTeo7nsyTgKX7Y1twd DVTFKCTjpghFSwDmHonCOGSKw/mm+KklWicWVv6C7tujcd6ev7vjrg== =DLl+ -----END PGP SIGNATURE-----
Steffen Kaiser <skdovecot@smail.inf.fh-brs.de> writes:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Mon, 6 Apr 2015, Micah Anderson wrote:
service imap { service_count = 100 }
where do you put this config line?
I put it as I indicated in the config block below:
service imap { # Most of the memory goes to mmap()ing files. You may need to increase this # limit if you have huge mailboxes. #vsz_limit = 256M # Max. number of IMAP processes (connections) process_limit = 4096 service_count = 100
^^^ here
executable = imap imap-postlogin }
please run:
doveconf -a >without_service_count add service_count doveconf -a >with_service_count
Then compare the section "service imap" and "imap-postlogin" for changes.
Thanks for the idea. I just did this (I dont need to restart dovecot, am I right?)... but the only thing that changes is 'service imap', changing service_count = 1 to service_count = 100
On 06 Apr 2015, at 23:28, Micah Anderson <micah@riseup.net> wrote:
but when I added that to the service imap block, and restarted dovecot, I see this in the logs: Error: net_connect_unix(/run/dovecot/imap-postlogin) failed: Permission denied
imap process can't connect to imap-postlogin after it has already dropped privileges to the mail user (first time it runs as root).
service imap-postlogin { # the script process runs as the user specified here (v2.0.14+): #user = $default_internal_user
executable = script-login /usr/local/sbin/postlogin_imap
# this UNIX socket listener must use the same name as given to imap executable unix_listener imap-postlogin { # whatever user/mode permissions needed in here, for example: user = vmail } }
participants (4)
-
micah
-
Micah Anderson
-
Steffen Kaiser
-
Timo Sirainen