Hi all,

I'm facing an issue while running dovecot inside a singularity
(https://sylabs.io/singularity/) container.

Dovecot version is 2.3.4.1 (configuration below) running on debian
buster, inside a container made with singularity version 3.4.2.

Unfortunately, when I try to start dovecot, it gives:

Singularity test.sif:~> cat /var/log/mail.log
Dec 30 17:23:38 testnode dovecot: master: Dovecot v2.3.4.1 (f79e8e7e4) starting up for imap, lmtp, sieve, pop3, submission (core dumps disabled)
Dec 30 17:23:38 testnode dovecot: anvil: Fatal: We couldn't drop root privileges
Dec 30 17:23:38 testnode dovecot: master: Error: service(anvil): command startup failed, throttling for 2 secs

The same happens on singularity containers based on debian bullseye or
alpine linux 3.9.2.

many thanks!
nzasch

Singularity test.sif:~> doveconf -n
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-6-amd64 x86_64 Debian 10.2
# Hostname: testnode.example.net
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap lmtp sieve pop3 submission"
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
Marc Roos
2020-Jan-02 12:11 UTC
dovecot cannot drop privileges inside singularity container
Have you tried setting linux capabilities, like
NET_BIND_SERVICE,CHOWN,SYS_CHROOT,SETGID? Have you checked the
permissions of paths? I had to relocate the run dir with things like
these:

  && mkdir /var/dovecot \
  && mkdir /var/lib/dovecot \
  && (umask 027 ; mkdir /var/dovecot/login) \
  && (umask 022 ; mkdir /var/dovecot/empty) \
  && (umask 027 ; mkdir /var/dovecot/token-login)

-----Original Message-----
From: cesco [mailto:cesco at esiliati.org]
Sent: 30 December 2019 18:32
To: dovecot at dovecot.org
Subject: dovecot cannot drop privileges inside singularity container
Hi,

thank you for your response.

Seems that singularity does not limit capabilities in containers running
as root. The capabilities are the same inside and outside of the
container.

The only difference is that inside the container the securebit
SECURE_NO_SETUID_FIXUP is set and locked.

If this is the reason, perhaps I should find a way to change this
securebit setting in singularity.

thanks
nzasch

On 02/01/20 13:11, Marc Roos wrote:
>
> Have you tried setting linux capabilities, like
> NET_BIND_SERVICE,CHOWN,SYS_CHROOT,SETGID? Have you checked the
> permissions of paths? I had to relocate the run dir with things like
> these
>
> && mkdir /var/dovecot \
> && mkdir /var/lib/dovecot \
> && (umask 027 ; mkdir /var/dovecot/login) \
> && (umask 022 ; mkdir /var/dovecot/empty) \
> && (umask 027 ; mkdir /var/dovecot/token-login)
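The securebit check nzasch describes, as an added C example that is not from the thread, Dovecot or Singularity: it reads the calling process's securebits and classifies whether a setuid()-based privilege drop will still clear capabilities. The link drawn between SECURE_NO_SETUID_FIXUP and Dovecot's fatal message follows the thread's hypothesis; the enum and function names are this example's own.

```c
/* Added example (not from the thread, Dovecot or Singularity): read the
 * process securebits and tell whether a setuid() privilege drop clears caps. */
#include <stdio.h>
#include <sys/prctl.h>

/* Same values as <linux/securebits.h>; defined locally so no kernel headers
 * are needed. Enum and function names below are this example's own. */
#define SB_NO_SETUID_FIXUP        (1u << 2)
#define SB_NO_SETUID_FIXUP_LOCKED (1u << 3)

enum drop_verdict {
    DROP_CLEARS_CAPS       = 0, /* normal: uid 0 -> non-0 clears caps */
    DROP_KEEPS_CAPS        = 1, /* bit set, unlocked: root may clear it first */
    DROP_KEEPS_CAPS_LOCKED = 2  /* set and locked: inherited, fix in the runtime */
};

/* With SECURE_NO_SETUID_FIXUP the kernel no longer drops permitted and
 * effective capabilities when the effective uid leaves 0, so a process that
 * setuid()s to an unprivileged user can still setuid(0) back. A daemon that
 * verifies its drop by attempting exactly that then refuses to start. */
enum drop_verdict classify_securebits(unsigned bits)
{
    if (!(bits & SB_NO_SETUID_FIXUP))
        return DROP_CLEARS_CAPS;
    if (bits & SB_NO_SETUID_FIXUP_LOCKED)
        return DROP_KEEPS_CAPS_LOCKED;
    return DROP_KEEPS_CAPS;
}

int main(void)
{
    static const char *verdict[] = {
        "setuid() away from root will clear capabilities",
        "SECURE_NO_SETUID_FIXUP set but unlocked: clear it (PR_SET_SECUREBITS) before dropping",
        "SECURE_NO_SETUID_FIXUP set and LOCKED: inherited from the parent, change it in the container runtime",
    };
    int bits = prctl(PR_GET_SECUREBITS); /* live value for this process */
    if (bits < 0) { perror("prctl(PR_GET_SECUREBITS)"); return 1; }
    printf("securebits=0x%x: %s\n", bits, verdict[classify_securebits((unsigned)bits)]);
    return 0;
}
```

Run it once on the host and once inside the container as the same user; a verdict that differs only inside the container points at the runtime's securebits handling rather than at Dovecot's configuration.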