I went from a nightly of about 20051117 or so (about alpha4 generation) to 1.0beta1 yesterday, and dovecot is now spinning the CPU furiously apparently every ~10 minutes per:

Jan 18 13:04:36 server dovecot: SSL parameters regeneration completed
Jan 18 13:14:14 server dovecot: SSL parameters regeneration completed
Jan 18 13:24:00 server dovecot: SSL parameters regeneration completed
Jan 18 13:37:09 server dovecot: SSL parameters regeneration completed
Jan 18 13:44:21 server dovecot: SSL parameters regeneration completed
Jan 18 13:54:37 server dovecot: SSL parameters regeneration completed
Jan 18 14:04:03 server dovecot: SSL parameters regeneration completed
Jan 18 14:14:58 server dovecot: SSL parameters regeneration completed
Jan 18 14:24:03 server dovecot: SSL parameters regeneration completed
Jan 18 14:34:18 server dovecot: SSL parameters regeneration completed
Jan 18 14:44:11 server dovecot: SSL parameters regeneration completed
Jan 18 14:53:44 server dovecot: SSL parameters regeneration completed
Jan 18 15:04:16 server dovecot: SSL parameters regeneration completed
Jan 18 15:13:59 server dovecot: SSL parameters regeneration completed
Jan 18 15:25:22 server dovecot: SSL parameters regeneration completed
Jan 18 15:33:58 server dovecot: SSL parameters regeneration completed
Jan 18 15:44:03 server dovecot: SSL parameters regeneration completed
Jan 18 15:54:13 server dovecot: SSL parameters regeneration completed

Note that this is not the DH parameter generation; that completed on the first run, as documented.

This is impacting other processes on the machine, and it seems a bit of a radical change. Is the internal default meant to be this short...? I'm going to attempt to set "ssl_parameters_regenerate" explicitly, but I'd like to stick with builtin defaults wherever possible.

(Perhaps this regeneration could also be made a little friendlier on the machine, by forking and using setpriority() to lower the CPU demand of this work from the default nice level of the main daemon.)

--
Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>
On Wed, 18 Jan 2006, Todd Vierling wrote:
> I went from a nightly of about 20051117 or so (about alpha4 generation) to
> 1.0beta1 yesterday, and dovecot is now spinning the CPU furiously apparently
> every ~10 minutes per:
>
> Jan 18 15:33:58 server dovecot: SSL parameters regeneration completed
> Jan 18 15:44:03 server dovecot: SSL parameters regeneration completed
> Jan 18 15:54:13 server dovecot: SSL parameters regeneration completed

After setting "ssl_parameters_regenerate" to the explicit value of 168, it's still happening this often. I now set it to 0 to disable regeneration for the moment.

I wonder if there's bad arithmetic somewhere that is causing this process to run much more often than it should...?

--
Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>
I applied the patch to master-settings.c and the problem is still there Jan 19 20:01:51 foxmulder dovecot: SSL parameters regeneration completed Jan 19 20:13:02 foxmulder dovecot: SSL parameters regeneration completed Jan 19 20:21:33 foxmulder dovecot: SSL parameters regeneration completed Jan 19 20:33:17 foxmulder dovecot: SSL parameters regeneration completed Jan 19 20:42:03 foxmulder dovecot: SSL parameters regeneration completed Jan 19 20:52:12 foxmulder dovecot: SSL parameters regeneration completed foxmulder:~$ uname -srp FreeBSD 6.0-RELEASE-p3 i386 foxmulder:etc$ grep ssl dovecot.conf ssl_cert_file = /etc/ssl/certs/dovecot.pem ssl_key_file = /etc/ssl/private/dovecot.pem ssl_parameters_regenerate = 48 Timo Sirainen wrote:> On Wed, 2006-01-18 at 18:40 -0500, Todd Vierling wrote: >> On Wed, 18 Jan 2006, Todd Vierling wrote: >> >>> After setting "ssl_parameters_regenerate" to the explicit value of 168, it's >>> still happening this often. I now set it to 0 to disable regeneration for >>> the moment. >> And it's still happening every 10-ish minutes. Thoughts? > > Happens with 64bit systems. Fix in CVS and here: > > Index: src/master/master-settings.c > ==================================================================> RCS file: /var/lib/cvs/dovecot/src/master/master-settings.c,v > retrieving revision 1.105 > diff -u -r1.105 master-settings.c > --- src/master/master-settings.c 18 Jan 2006 23:14:45 -0000 1.105 > +++ src/master/master-settings.c 19 Jan 2006 20:38:31 -0000 > @@ -64,7 +64,7 @@ > DEF(SET_STR, ssl_cert_file), > DEF(SET_STR, ssl_key_file), > DEF(SET_STR, ssl_key_password), > - DEF(SET_STR, ssl_parameters_regenerate), > + DEF(SET_INT, ssl_parameters_regenerate), > DEF(SET_STR, ssl_cipher_list), > DEF(SET_BOOL, ssl_verify_client_cert), > DEF(SET_BOOL, disable_plaintext_auth), >
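Review bot: In the DEF table at the ssl_parameters_regenerate entry, the type tag was wrong with nothing to catch it, and switching SET_STR to SET_INT repairs this one entry without guarding against the next. The tag is matched to the settings field by hand, so consider having DEF() check the field's type at compile time, or at least audit the neighbouring entries in this table for the same mismatch. The remark "Happens with 64bit systems" should also go into the change description with a sentence on why, since the diff alone does not say how a string-typed integer setting misbehaves.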
I tried your patch again b2 and I am still having the same problem. Jan 22 17:57:30 foxmulder dovecot: Dovecot v1.0.beta2 starting up Jan 22 17:57:30 foxmulder dovecot: ssl_parameters_regenerate = 48 Jan 22 17:58:30 foxmulder dovecot: SSL parameters regeneration completed Jan 22 18:07:31 foxmulder dovecot: ssl_parameters_regenerate = 48 Jan 22 18:07:43 foxmulder dovecot: SSL parameters regeneration completed Btw, my machine is only i386, not 64bits. Let me know if you need anything else. Timo Sirainen wrote:> On Sun, 2006-01-22 at 23:26 +0800, John Wong wrote: >> i upgrade 1.0-beta1 to cvs version, i use openbsd/i386 >> i tried this 3 settings >> ----------------------------------------------------------------- >> ssl_parameters_regenerate = 0 >> ssl_parameters_regenerate = 68 >> #ssl_parameters_regenerate = 168 (default) >> ----------------------------------------------------------------- >> all setting have this problem too (every 10mins regen SSL) > > Could you try what it writes to logs with this patch: > > diff -u -r1.21 ssl-init.c > --- src/master/ssl-init.c 22 Jan 2006 10:50:54 -0000 1.21 > +++ src/master/ssl-init.c 22 Jan 2006 16:16:14 -0000 > @@ -98,6 +98,7 @@ > are correct */ > regen_time = set->ssl_parameters_regenerate == 0 ? ioloop_time : > st.st_mtime + (time_t)(set->ssl_parameters_regenerate*3600); > + i_info("ssl_parameters_regenerate = %d", set->ssl_parameters_regenerate); > if (regen_time < ioloop_time || st.st_size == 0 || > st.st_uid != master_uid || st.st_gid != getegid()) { > if (foreground) { >
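Review bot: The added i_info() call logs only set->ssl_parameters_regenerate, but the if directly below it also fires on st.st_size == 0, st.st_uid != master_uid or st.st_gid != getegid(), so a correct setting value in the log does not explain a regeneration. Log regen_time, ioloop_time, st.st_size and both uid/gid pairs in the same message, and keep the line out of committed code or demote it to debug level, because it sits outside the if and runs on every check. Separately, in the context line above it, set->ssl_parameters_regenerate*3600 is multiplied before the (time_t) cast; casting the operand first, (time_t)set->ssl_parameters_regenerate * 3600, avoids overflow in the narrower type for large values.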
Jan 23 00:38:03 foxmulder dovecot: Dovecot v1.0.beta2 starting up
Jan 23 00:38:03 foxmulder dovecot: 1137994456 + 172800 (1138167256) < 1137994683, size=230, uid=0 vs 0, gid=87 vs 0
Jan 23 00:38:21 foxmulder dovecot: SSL parameters regeneration completed
Jan 23 00:48:04 foxmulder dovecot: 1137994701 + 172800 (1138167501) < 1137995284, size=230, uid=0 vs 0, gid=87 vs 0
Jan 23 00:48:32 foxmulder dovecot: SSL parameters regeneration completed
Jan 23 00:58:04 foxmulder dovecot: 1137995312 + 172800 (1138168112) < 1137995884, size=230, uid=0 vs 0, gid=87 vs 0
Jan 23 00:58:39 foxmulder dovecot: SSL parameters regeneration completed

Timo Sirainen wrote:
> On 23.1.2006 01:11, "Peter Chiu" <pc8888@gmail.com> wrote:
>
>> I tried your patch again b2 and I am still having the same problem.
>>
>> Jan 22 17:57:30 foxmulder dovecot: Dovecot v1.0.beta2 starting up
>> Jan 22 17:57:30 foxmulder dovecot: ssl_parameters_regenerate = 48
>> Jan 22 17:58:30 foxmulder dovecot: SSL parameters regeneration completed
>> Jan 22 18:07:31 foxmulder dovecot: ssl_parameters_regenerate = 48
>> Jan 22 18:07:43 foxmulder dovecot: SSL parameters regeneration completed
>
> Hmm. Maybe the file's timestamp is wrong or the uid/gid. Try this patch:
>
> http://dovecot.org/tmp/ssl-regen-debug.diff
>
I tried to set the guid, however dovecot reset it back to the way it was. Did I do something wrong?

foxmulder:dovecot# ll
total 8
drwxr-xr-x 3 root wheel 512 Jan 23 01:03 .
drwxr-xr-x 7 root wheel 512 Jan 18 05:13 ..
srw------- 1 root wheel 0 Jan 23 01:03 auth-worker.54141
drwxr-x--- 2 root dovecot 512 Jan 23 01:54 login
-rw------- 1 root wheel 6 Jan 23 01:03 master.pid
foxmulder:dovecot# chmod 2750 login
foxmulder:dovecot# ll
total 8
drwxr-xr-x 3 root wheel 512 Jan 23 01:03 .
drwxr-xr-x 7 root wheel 512 Jan 18 05:13 ..
srw------- 1 root wheel 0 Jan 23 01:03 auth-worker.54141
drwxr-s--- 2 root dovecot 512 Jan 23 01:54 login
-rw------- 1 root wheel 6 Jan 23 01:03 master.pid
foxmulder:dovecot# /usr/local/etc/rc.d/210.dovecot.sh start
Warning: Corrected permissions for login directory /var/run/dovecot//login
foxmulder:dovecot# ll
total 8
drwxr-xr-x 3 root wheel 512 Jan 23 01:58 .
drwxr-xr-x 7 root wheel 512 Jan 18 05:13 ..
srw------- 1 root wheel 0 Jan 23 01:57 auth-worker.64310
drwxr-x--- 2 root dovecot 512 Jan 23 01:58 login
-rw------- 1 root wheel 6 Jan 23 01:57 master.pid

Timo Sirainen wrote:
> On Mon, 2006-01-23 at 01:07 -0500, Peter Chiu wrote:
>> Jan 23 00:38:03 foxmulder dovecot: Dovecot v1.0.beta2 starting up
>> Jan 23 00:38:03 foxmulder dovecot: 1137994456 + 172800 (1138167256) <
>> 1137994683, size=230, uid=0 vs 0, gid=87 vs 0
>
> So, the GID is wrong. Does your /var/run/dovecot/login directory (or
> wherever the ssl-parameters file exists) have setgid-bit set?
>
> Maybe I should make it change the group just in case anyway.
>
Yay. It works. SSL regenerated statement is gone.

I was using alpha and upgraded to b1, b2 afterward. login directory is root:dovecot and when you create a brand new ssl-parameters.dat in freebsd, it inherited the gid (87) from the directory. I chgrp it to wheel and it works now. Thanks.

-rw-r--r-- 1 root wheel 230 Jan 23 02:18 ssl-parameters.dat

Jan 23 02:19:39 foxmulder dovecot: Dovecot v1.0.beta2 starting up
Jan 23 02:19:39 foxmulder dovecot: 1138000736 + 172800 (1138173536) < 1138000779, size=230, uid=0 vs 0, gid=0 vs 0
Jan 23 02:29:40 foxmulder dovecot: 1138000736 + 172800 (1138173536) < 1138001380, size=230, uid=0 vs 0, gid=0 vs 0

Timo Sirainen wrote:
> On 23.1.2006 09:04, "Peter Chiu" <pc8888@gmail.com> wrote:
>
>> I tried to set the guid, however dovecot reset it back to the way it
>> was. Did I do something wrong?
>
> No, I meant that you shouldn't have had it if it was there for some reason.
>
> Well, try then just "chgrp root ssl-parameters.dat" and that should work.
> But I still don't know why it would get created with GID 87 (dovecot?)
> instead of root.
>
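The check this thread converges on, as an added example that is not part of the original messages or Dovecot's source: it splits the condition visible in the quoted ssl-init.c context lines into separately reported triggers and feeds it the values from the debug log lines above. The names regen_reasons, struct params_file and the REGEN_* flags are assumptions made for illustration.

```c
/* Added example, not Dovecot source. Mirrors the four-part condition from
   the quoted ssl-init.c lines and reports which part fired. */
#include <stdio.h>
#include <sys/types.h>
#include <time.h>

enum regen_reason {           /* hypothetical names */
    REGEN_NONE    = 0,
    REGEN_EXPIRED = 1 << 0,   /* mtime + interval already passed */
    REGEN_EMPTY   = 1 << 1,   /* st_size == 0 */
    REGEN_UID     = 1 << 2,   /* file owner != master uid */
    REGEN_GID     = 1 << 3    /* file group != master effective gid */
};

struct params_file {          /* the stat() fields the check reads */
    time_t mtime;
    off_t  size;
    uid_t  uid;
    gid_t  gid;
};

static int regen_reasons(const struct params_file *f, unsigned int hours,
                         time_t now, uid_t master_uid, gid_t master_gid)
{
    /* hours == 0 disables the age test, as in the quoted code; the
       multiplication is done in time_t so large values cannot overflow */
    time_t regen_time = hours == 0 ? now : f->mtime + (time_t)hours * 3600;
    int r = REGEN_NONE;

    if (regen_time < now)     r |= REGEN_EXPIRED;
    if (f->size == 0)         r |= REGEN_EMPTY;
    if (f->uid != master_uid) r |= REGEN_UID;
    if (f->gid != master_gid) r |= REGEN_GID;
    return r;
}

int main(void)
{
    /* Values copied from the thread's debug lines, setting = 48 hours */
    struct params_file before = { 1137994456, 230, 0, 87 }; /* group from dir */
    struct params_file after  = { 1138000736, 230, 0, 0 };  /* after chgrp */

    printf("before chgrp: 0x%x\n",
           (unsigned)regen_reasons(&before, 48, 1137994683, 0, 0));
    printf("after chgrp:  0x%x\n",
           (unsigned)regen_reasons(&after, 48, 1138001380, 0, 0));
    return 0;
}
```

With the pre-chgrp values only the group flag is set, which is why no value of ssl_parameters_regenerate changed the behaviour.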