Hi all
I'm facing an issue while running dovecot inside a singularity
(https://sylabs.io/singularity/) container
dovecot version is 2.3.4.1 (configuration below) running on debian
buster, inside a container made with singularity version 3.4.2
unfortunately, when I try to start dovecot, it gives:
Singularity test.sif:~> cat /var/log/mail.log
Dec 30 17:23:38 testnode dovecot: master: Dovecot v2.3.4.1 (f79e8e7e4)
starting up for imap, lmtp, sieve, pop3, submission (core dumps disabled)
Dec 30 17:23:38 testnode dovecot: anvil: Fatal: We couldn't drop root
privileges
Dec 30 17:23:38 testnode dovecot: master: Error: service(anvil): command
startup failed, throttling for 2 secs
the same happens on singularity containers based on debian bullseye or
alpine linux 3.9.2
many thanks!
nzasch
Singularity test.sif:~> doveconf -n
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-6-amd64 x86_64 Debian 10.2
# Hostname: testnode.example.net
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap lmtp sieve pop3 submission"
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
Marc Roos
2020-Jan-02 12:11 UTC
dovecot cannot drop privileges inside singularity container
Have you tried setting linux capabilities, like
NET_BIND_SERVICE,CHOWN,SYS_CHROOT,SETGID? Have you checked the
permissions of paths? I had to relocate the run dir with things like
these
&& mkdir /var/dovecot \
&& mkdir /var/lib/dovecot \
&& (umask 027 ; mkdir /var/dovecot/login) \
&& (umask 022 ; mkdir /var/dovecot/empty) \
&& (umask 027 ; mkdir /var/dovecot/token-login)
-----Original Message-----
From: cesco [mailto:cesco at esiliati.org]
Sent: 30 December 2019 18:32
To: dovecot at dovecot.org
Subject: dovecot cannot drop privileges inside singularity container
Hi, thank you for your response.
Seems that singularity does not limit capabilities in containers running as root. The capabilities are the same inside and outside of the container. The only difference is that inside the container the securebit SECURE_NO_SETUID_FIXUP is set and locked.
If this is the reason, perhaps I should find a way to change this securebit setting in singularity.
thanks
nzasch

On 02/01/20 13:11, Marc Roos wrote:
> Have you tried setting linux capabilities, like
> NET_BIND_SERVICE,CHOWN,SYS_CHROOT,SETGID? Have you checked the
> permissions of paths? I had to relocate the run dir with things like
> these
>
> && mkdir /var/dovecot \
> && mkdir /var/lib/dovecot \
> && (umask 027 ; mkdir /var/dovecot/login) \
> && (umask 022 ; mkdir /var/dovecot/empty) \
> && (umask 027 ; mkdir /var/dovecot/token-login)