Articles in this section

See more

Unable to start Dovecot:Failed at step NAMESPACE spawning /usr/sbin/dovecot: Permission denied

Avatar
Alexander Tsmokalyuk
Updated
Follow
Plesk for Linux kb: technical ABT: Group B

Applicable to:

  • Plesk for Linux

Symptoms

  • Dovecot fails to start with the following error in /var/log/syslog file:

    CONFIG_TEXT: Sep 9 04:06:09 vps1 systemd[6778]: Failed at step NAMESPACE spawning /usr/sbin/dovecot: Permission denied

  • Server is running inside LXC container

Cause

AppArmor policies on LXC host server side.

Resolution

Adjust AppArmor policies on LXC host server side: How to enable bind mount inside lxc container

OR

  1. Connect to the server via SSH.

  2. For the service unit set PrivateTmp to false:

    • For Debian 8 and higher:

      # cat /lib/systemd/system/dovecot.service
      ...
      [Service]
      PrivateTmp=false

  3. Reload systemd manager configuration:

    # systemctl daemon-reload

  4. Start Dovecot:

    # systemctl start dovecot.service

Comments

2 comments

Sort by Date Votes
  • Avatar
    Jinn Ko (Edited )

    This post got me on the right path.  For context, this is a debian 10 buster guest running in an LXC container on a debian buster host with dovecot 2.3.10.

    Updating the service unit to avoid PrivateTmp wasn't enough.  After exploring the options it seems there's no longer a way to make this work from purely within the container.

    To make it work I removed all edits in the container and moved to modifying the AppArmor policies as follows:

    1. Create a new AppArmor policy at `/etc/apparmor.d/lxc/lxc-dovecot` and populate it with the following:

      # Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
      # will source all profiles under /etc/apparmor.d/lxc
      profile lxc-container-dovecot flags=(attach_disconnected,mediate_deleted) {
        #include <abstractions/lxc/container-base>
        #include <abstractions/lxc/start-container>
        deny mount fstype=devpts,
        mount fstype=cgroup -> /sys/fs/cgroup/**,
        mount fstype=cgroup2 -> /sys/fs/cgroup/**,
        mount options=(rw,bind),
        mount options=(rw,rbind),
        mount options=(rw,rshared),
        mount options=(ro,nosuid,noexec,remount,bind,strictatime),
      }

    2. Reload AppArmor with
      $ systemctl restart apparmor.service

    3. Set the container to use the new profile by adding the following line to your LXC container config, typically at `/var/lib/lxc/$container/config`:
      # Add or edit the following line to set the apparmor profile used
      lxc.apparmor.profile = lxc-container-dovecot

    4. Restart your container:
      # stop, sleep, start
      $ lxc-stop -n $container && sleep 1 && lxc-start -d -n $container

     

    0
    Comment actions Permalink
  • Avatar
    Maxim Krasikov

    Hi @Jinn Ko,

    Thank you for the provided information and for sharing your experience.

    Let me note that Debian 10 is yet to be supported by Plesk. The provided advice was not tested.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles