Kopano and systemd (feedback) security limits not applied.



  • Hai,

    I noticed the following in kopano-dagent.

    WARNING: setrlimit(RLIMIT_NOFILE, 8192) failed, you will only be able to connect up to 4096 sockets. Either start the process as root, or increase user limits for open file descriptors (Operation not permitted)

    The fix, for every systemd OS, is to increase the limits in the systemd unit file.
    It's something for the Kopano documentation.

    Example of my running config:

    systemctl edit kopano-dagent

    /etc/systemd/system/kopano-dagent.service.d/override.conf
    [Unit]
    After=kopano-server.service
    Wants=kopano-server.service

    [Service]
    LimitNOFILE=8192:16384

    Note, I've changed the “After and Wants” because I have everything running on one server.
    That's optional, if you want to streamline the service startup.

    Also add this one for the kopano-server:
    /etc/systemd/system/kopano-server.service.d/override.conf
    [Unit]
    After=network-online.target mysql.service mariadb.service
    Wants=network-online.target

    Greetz,

    Louis



  • I cannot reproduce this on D9. dagent normally runs as root (8.5.x/8.6.x) and can raise the limit on its own. If you still get EPERM on setrlimit even when root, there is some other mechanism in your system that prevents that.



  • Do you use the kopano with the run_as? like
    run_as_user = kopano
    run_as_group = kopano
    and since only root can change the limits…

    Or have you changed one of these?
    /etc/systemd/system.conf and /etc/systemd/user.conf



  • Naturally with run_as (that is the default).



  • Small update here.
    The Debian bug report: it should be fixed, but I still noticed the messages.
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865449

    The workaround is:
    editor /etc/systemd/system.conf and/or editor /etc/systemd/system.conf
    and change the Default.
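
To check whether an override such as the LimitNOFILE one discussed in this thread actually reached a running service, the "Max open files" row of /proc/<pid>/limits can be classified against the wanted value. This is an added example, not part of any post above and not Kopano code; the function names and the sample limits data are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): classify a /proc/<pid>/limits file.

# Constructed samples of /proc/<pid>/limits, trimmed to three rows.
sample_default() {   # service started without an override
cat <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max processes             15000                15000                processes
Max open files            1024                 4096                 files
EOF
}
sample_override() {  # service started with LimitNOFILE=8192:16384
cat <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max processes             15000                15000                processes
Max open files            8192                 16384                files
EOF
}

# at_least LIMIT WANT: true when LIMIT is "unlimited" or >= WANT.
at_least() { [ "$1" = unlimited ] || [ "$1" -ge "$2" ]; }

# check_nofile WANT: read a limits file on stdin and print
#   ok        the soft limit already covers WANT
#   raisable  WANT is within the hard limit, so an unprivileged process
#             may raise its own soft limit (setrlimit(2))
#   blocked   WANT exceeds the hard limit; raising that needs
#             CAP_SYS_RESOURCE, and a process without it gets EPERM
#             (the errno in the warning quoted in the thread)
check_nofile() {
    want=$1
    # Row layout: "Max open files <soft> <hard> files" -> fields 4 and 5.
    set -- $(awk '/^Max open files/ { print $4, $5 }')
    [ $# -eq 2 ] || { echo unknown; return 2; }
    if at_least "$1" "$want"; then echo ok
    elif at_least "$2" "$want"; then echo raisable
    else echo blocked
    fi
}

# Live use (assumed invocation; needs a running unit):
#   check_nofile 8192 < "/proc/$(systemctl show -p MainPID --value kopano-dagent)/limits"
sample_default  | check_nofile 8192
sample_override | check_nofile 8192
```

A "blocked" result after editing the override usually means the unit was not restarted, since limits are applied when the service process is started.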

