cgroupv2 privileged execution
In a similar vein to "[cgroup support]" from Jan 30, 2011, I'd like to add cgroupv2 support to Dovecot. With v2, moving processes is more restrictive in that groups can only have a single writer, and the process of the common ancestor cgroup between the losing and gaining group must have write privileges.
So far as I understand:
- Every hook (mail_user_created, mail_storage_created, etc.) occurs after chroot + setuid
- Wrapping imap or pop3 executables doesn't expose the userdb data in the environment; this is done in the actual imap and pop3 processes respectively
- Adding a script-login does export the correct userdb details, but the pid isn't known. Since everything spawns under dovecot master, the only practical solution is to enumerate every imap or pop3 process owned by the gid to reassign to the new cgroup.
This limits implementation to a plugin that solicits the pid to a separate daemon listening on a socket launched by Dovecot in the mail_user_created hook. Ideally I would like for cgroup binding to occur before the imap/pop3 binaries launch so that cgroupv2 pid rejection can occur, although this seems impossible to achieve?
- Matt
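The plugin-plus-daemon split described in the post (a process that has already dropped privileges asks a separate, privileged daemon to place it into a per-user cgroup) can be sketched as follows. This is an added illustration, not code from the post or from Dovecot; the socket path, the `dovecot` base cgroup, and the one-line "username" protocol are assumptions. Two points matter for the v2 write rule Matt describes: the daemon, not the mail process, performs the write, so only the daemon needs write access to the base cgroup's `cgroup.procs` (the common ancestor) and to the destination; and the daemon takes the pid and uid from the kernel's `SO_PEERCRED` rather than from the message, so a client cannot name some other process or claim another user's cgroup.

```python
"""Minimal cgroup v2 placement daemon for per-user mail processes (illustrative).

Protocol: the client (e.g. a plugin running inside the imap process after
setuid) connects to a Unix socket and sends one line, "<username>\n".  The
daemon moves the *connecting* process into <root>/<base>/<username>/ using the
pid and uid the kernel reports via SO_PEERCRED.
"""
import os
import pwd
import re
import socket
import struct
import sys

CGROUP_ROOT = "/sys/fs/cgroup"
BASE_CGROUP = "dovecot"                      # assumed: sub-tree delegated to this daemon
SOCKET_PATH = "/run/dovecot-cgroupd.sock"    # assumed socket location

# One path component: no '/', no leading '.', bounded length.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.@-]{0,63}$")


def validate_cgroup_name(name):
    """Reject names that could leave the base cgroup or collide with cgroup.* files."""
    if not NAME_RE.match(name):
        return False
    if name.startswith("cgroup."):
        return False
    return True


def parse_request(line):
    """Parse the single request line; return the requested name or None."""
    name = line.strip()
    return name if validate_cgroup_name(name) else None


def authorize(name, peer_uid):
    """Allow a client to join only the cgroup of the account it actually runs as."""
    if not validate_cgroup_name(name):
        return False
    try:
        return pwd.getpwnam(name).pw_uid == peer_uid
    except KeyError:
        return False


def peer_credentials(conn):
    """pid, uid, gid of the peer as recorded by the kernel (struct ucred)."""
    data = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", data)


def move_pid(pid, name, root=CGROUP_ROOT, base=BASE_CGROUP):
    """Create <root>/<base>/<name> if needed and write pid into its cgroup.procs.

    Returns (ok, message).  On cgroupfs, mkdir creates a child cgroup and the
    write fails with EACCES when the caller lacks write access to the
    destination or to the common ancestor's cgroup.procs (the v2 rule).
    """
    if not validate_cgroup_name(name):
        return False, "invalid cgroup name"
    if pid <= 0:
        return False, "invalid pid"
    target_dir = os.path.join(root, base, name)
    try:
        os.makedirs(target_dir, exist_ok=True)
        with open(os.path.join(target_dir, "cgroup.procs"), "w") as procs:
            procs.write(f"{pid}\n")
    except OSError as exc:
        return False, f"{exc.strerror} (errno {exc.errno})"
    return True, f"moved pid {pid} to {base}/{name}"


def serve(socket_path=SOCKET_PATH):
    """Accept one request per connection; authorization relies on SO_PEERCRED only."""
    if os.path.exists(socket_path):
        os.unlink(socket_path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(socket_path)
    os.chmod(socket_path, 0o666)   # any local user may connect; the uid check is what gates access
    srv.listen(16)
    while True:
        conn, _ = srv.accept()
        with conn:
            pid, uid, _gid = peer_credentials(conn)
            name = parse_request(conn.recv(256).decode("utf-8", errors="replace"))
            if name is None or not authorize(name, uid):
                conn.sendall(b"ERR unauthorized\n")
                continue
            ok, msg = move_pid(pid, name)
            conn.sendall((("OK " if ok else "ERR ") + msg + "\n").encode("utf-8"))


if __name__ == "__main__":
    serve(sys.argv[1] if len(sys.argv) > 1 else SOCKET_PATH)
```

For the write to succeed, the daemon's uid must own (or otherwise have write access to) the base cgroup directory and its `cgroup.procs`, which is the usual v2 delegation arrangement; the mail process itself never needs any cgroupfs permissions. The client side is a connect, a write of the username, and a read of the reply, which is why the `mail_user_created` hook, despite running after `chroot` and `setuid`, is enough to trigger placement; what it cannot do, as the post notes, is place the process before the binary starts.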
participants (1): Matt Saladna