dovecot cannot drop privileges inside singularity container
Marc Roos
M.Roos at f1-outsourcing.eu
Thu Jan 2 14:11:01 EET 2020
Have you tried setting Linux capabilities, like
NET_BIND_SERVICE, CHOWN, SYS_CHROOT, SETGID? Have you checked the
permissions of paths? I had to relocate the run dir with things like
these:
mkdir /var/dovecot \
 && mkdir /var/lib/dovecot \
 && (umask 027 ; mkdir /var/dovecot/login) \
 && (umask 022 ; mkdir /var/dovecot/empty) \
 && (umask 027 ; mkdir /var/dovecot/token-login)
-----Original Message-----
From: cesco [mailto:cesco at esiliati.org]
Sent: 30 December 2019 18:32
To: dovecot at dovecot.org
Subject: dovecot cannot drop privileges inside singularity container
Hi all
I'm facing an issue while running dovecot inside a singularity
(https://sylabs.io/singularity/) container
dovecot version is 2.3.4.1 (configuration below) running on debian
buster, inside a container made with singularity version 3.4.2
unfortunately, when I try to start dovecot, it gives:
Singularity test.sif:~> cat /var/log/mail.log
Dec 30 17:23:38 testnode dovecot: master: Dovecot v2.3.4.1 (f79e8e7e4) starting up for imap, lmtp, sieve, pop3, submission (core dumps disabled)
Dec 30 17:23:38 testnode dovecot: anvil: Fatal: We couldn't drop root privileges
Dec 30 17:23:38 testnode dovecot: master: Error: service(anvil): command startup failed, throttling for 2 secs
the same happens on singularity containers based on debian bullseye or
alpine linux 3.9.2
many thanks!
nzasch
Singularity test.sif:~> doveconf -n
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-6-amd64 x86_64 Debian 10.2
# Hostname: testnode.example.net
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
driver = pam
}
plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap lmtp sieve pop3 submission"
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
driver = passwd
}
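Marc's reply suggests checking Linux capabilities. The following POSIX sh helper, added here as an example and not posted by anyone in the thread, decodes the CapEff mask that /proc/<pid>/status prints and reports which of the capabilities he lists (plus CAP_SETUID, which a root process needs to switch to an unprivileged user) are missing from the effective set of the shell it runs in, so the check can be repeated from inside the container. The capability bit numbers are the kernel's constants; the sample masks in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): decode a Linux capability mask as
# printed by the CapEff line of /proc/<pid>/status and report which of the
# capabilities Dovecot needs to switch from root to its service users are
# missing. Bit numbers are the kernel's constants from linux/capability.h.
CAP_CHOWN=0
CAP_SETGID=6
CAP_SETUID=7
CAP_NET_BIND_SERVICE=10
CAP_SYS_CHROOT=18

# cap_in_mask MASKHEX BIT: succeed if bit BIT is set in the 64-bit hex mask
# (e.g. constructed mask 0000003fffffffff has bits 0-37 set).
# The mask is read one hex digit at a time so no shell integer overflows.
cap_in_mask() {
    mask=$(printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/^0*//')
    [ -z "$mask" ] && return 1          # all-zero mask: nothing is set
    bit=$2
    idx=$((bit / 4))                    # hex digit holding BIT, from the right
    len=${#mask}
    [ "$idx" -ge "$len" ] && return 1   # BIT lies beyond the non-zero digits
    pos=$((len - idx))
    digit=$(printf '%s' "$mask" | cut -c"$pos")
    value=$((0x$digit))
    [ $(( (value >> (bit % 4)) & 1 )) -eq 1 ]
}

# missing_caps MASKHEX: print, space-separated, the capabilities from Marc's
# list plus CAP_SETUID (used by setuid() when leaving root) absent from MASK.
missing_caps() {
    missing=""
    for entry in CHOWN:$CAP_CHOWN SETGID:$CAP_SETGID SETUID:$CAP_SETUID \
            NET_BIND_SERVICE:$CAP_NET_BIND_SERVICE SYS_CHROOT:$CAP_SYS_CHROOT; do
        name=${entry%%:*}
        bit=${entry##*:}
        cap_in_mask "$1" "$bit" || missing="$missing $name"
    done
    printf '%s\n' "${missing# }"
}

# Live check of this shell's effective set, e.g. when run inside the
# container. /proc/self/status is Linux-only; elsewhere nothing is printed.
live=$(awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null || true)
if [ -n "$live" ]; then
    m=$(missing_caps "$live")
    if [ -z "$m" ]; then
        echo "CapEff $live: all capabilities checked are present"
    else
        echo "CapEff $live: missing $m"
    fi
fi
```

Run it with the same user and container invocation Dovecot will be started with, since CapEff differs between a root and a non-root shell in the container.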