Unable to start Dovecot:Failed at step NAMESPACE spawning /usr/sbin/dovecot: Permission denied




  • Avatar
    Jinn Ko (Edited )

    This post got me on the right path.  For context, this is a debian 10 buster guest running in an LXC container on a debian buster host with dovecot 2.3.10.

    Updating the service unit to avoid PrivateTmp wasn't enough.  After exploring the options it seems there's no longer a way to make this work from purely within the container.

    To make it work I removed all edits in the container and moved to modifying the AppArmor policies as follows:

    1. Create a new AppArmor policy at `/etc/apparmor.d/lxc/lxc-dovecot` and populate it with the following:

      # Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
      # will source all profiles under /etc/apparmor.d/lxc
      profile lxc-container-dovecot flags=(attach_disconnected,mediate_deleted) {
        #include <abstractions/lxc/container-base>
        #include <abstractions/lxc/start-container>
        deny mount fstype=devpts,
        mount fstype=cgroup -> /sys/fs/cgroup/**,
        mount fstype=cgroup2 -> /sys/fs/cgroup/**,
        mount options=(rw,bind),
        mount options=(rw,rbind),
        mount options=(rw,rshared),
        mount options=(ro,nosuid,noexec,remount,bind,strictatime),

    2. Reload AppArmor with
      $ systemctl restart apparmor.service

    3. Set the container to use the new profile by adding the following line to your LXC container config, typically at `/var/lib/lxc/$container/config`:
      # Add or edit the following line to set the apparmor profile used
      lxc.apparmor.profile = lxc-container-dovecot

    4. Restart your container:
      # stop, sleep, start
      $ lxc-stop -n $container && sleep 1 && lxc-start -d -n $container


    Comment actions Permalink
  • Avatar
    Maxim Krasikov

    Hi @Jinn Ko,

    Thank you for the provided information and for sharing your experience.

    Let me note that Debian 10 is yet to be supported by Plesk. The provided advice was not tested.

    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request