Bug 38990 - 3 Minute timeout in dovecot postinst prolongs installation
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail - Dovecot
Version: UCS 4.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.0-3-errata
Assigned To: Daniel Tröder
QA Contact: Felix Botner
Reported: 2015-07-20 15:55 CEST by Erik Damrose
Modified: 2015-09-01 13:42 CEST (History)

Description Erik Damrose univentionstaff 2015-07-20 15:55:57 CEST
univention-mail-dovecot.postinst waits up to 3 minutes for the generation of ssl certificates. In a cloud setup, the postinst actually waited the whole period.
Comment 1 Daniel Tröder univentionstaff 2015-07-20 16:14:43 CEST
The postinst could be modified to start Dovecot with only 1024 bit dh_parameters_length (Debian default) and change it later to 2048. The generation should then run in the background and be switched to without interruption of the service.

Will need some testing, because the listener starts logging in (possibly in very fast succession) right after being installed, to upload Sieve-scripts for all existing users. The timeout was created to make sure it is not interrupted in this.
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2015-07-21 08:50:28 CEST
I would suggest installing "haveged" in any virtualized instance (by default) to create enough entropy.
Comment 3 Daniel Tröder univentionstaff 2015-07-21 10:40:00 CEST
I tested with "haveged -w 2048 -v 3 -r 0" and it did help a lot! I also vote for the installation of haveged (even as default for all UCS).

But if before the generation of Dovecot's 2048 DH, a generation of 1024 DH and another 2048 ran, it did take >3 min again. This scenario is very probable during system installation: 1st Apache, 2nd Dovecot 1024 by Debian, then 2048 bit by Dovecot's UCS-integration setting. Probably others (OpenSSL, SSH) ran before that too. So I think the postinst should be adapted anyway.
Comment 4 Erik Damrose univentionstaff 2015-08-11 16:21:19 CEST
Noticed again in EC2 instance setup
Comment 5 Daniel Tröder univentionstaff 2015-08-11 19:33:03 CEST
Dovecot is installed by Debian with 1024 bit DH parameters. The postinst script now just waits until that has finished - should be fairly short. The generation of 2048 bit DH parameters is triggered afterwards and runs in the background.

Commit: 62939
YAML: 62940
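The approach described in this comment, sketched as an added shell example (not the actual univention-mail-dovecot postinst, which is in commit 62939): wait only for the short Debian-default 1024-bit generation, then raise the configured length and let Dovecot regenerate in the background. The drop-in config path and the 180-second upper bound are assumptions; the parameter file path and the ssl_dh_parameters_length setting are the ones that appear in the log in Comment 6.

```shell
#!/bin/sh
# Added example, not the project's own postinst. Sketches the fix described in
# Comment 5: block only until Debian's 1024-bit parameter file exists, then ask
# Dovecot for 2048-bit parameters and let its ssl-params process regenerate the
# file asynchronously instead of the postinst waiting up to 3 minutes for it.
set -e

PARAMS_FILE=/var/lib/dovecot/ssl-parameters.dat   # path shown in the bug's log
DH_CONF=/etc/dovecot/conf.d/99-dh-length.conf     # assumed drop-in path
WAIT_SECONDS=180                                   # assumed upper bound, not a fixed sleep

# Poll until $1 exists and is non-empty, at most $2 seconds.
# Returns 0 when the file appeared, 1 on timeout, so the caller can decide
# whether it is safe to proceed rather than silently continuing.
wait_for_file() {
    file=$1
    limit=$2
    waited=0
    while [ ! -s "$file" ]; do
        [ "$waited" -ge "$limit" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Raise ssl_dh_parameters_length and reload. On SIGHUP Dovecot sees that the
# existing parameter file was generated for a different length and regenerates
# it in its ssl-params process (the "Regenerating ... for
# ssl_dh_parameters_length=2048" lines in the log), so this returns at once.
request_2048_dh() {
    printf 'ssl_dh_parameters_length = 2048\n' > "$DH_CONF"
    doveadm reload
}

# Debian postinst entry point: only the "configure" action does any work.
case "${1:-}" in
    configure)
        if wait_for_file "$PARAMS_FILE" "$WAIT_SECONDS"; then
            request_2048_dh
        else
            echo "dovecot: $PARAMS_FILE not created within ${WAIT_SECONDS}s" >&2
        fi
        ;;
esac
```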
Comment 6 Felix Botner univentionstaff 2015-09-01 13:42:57 CEST
OK - 4.0-3

Sep  1 13:17:42 master dovecot: master: Dovecot v2.2.13 starting up for imap, lmtp, sieve, pop3 (core dumps disabled)

Sep  1 13:17:49 master dovecot: master: Warning: SIGHUP received - reloading configuration
Sep  1 13:17:49 master dovecot: ssl-params: Warning: Regenerating /var/lib/dovecot/ssl-parameters.dat for ssl_dh_parameters_length=2048
Sep  1 13:17:49 master dovecot: ssl-params: Generating SSL parameters
Sep  1 13:17:57 master dovecot: master: Warning: SIGHUP received - reloading configuration
Sep  1 13:17:57 master dovecot: ssl-params: Warning: Regenerating /var/lib/dovecot/ssl-parameters.dat for ssl_dh_parameters_length=2048
Sep  1 13:18:57 master dovecot: master: Warning: Processes aren't dying after reload, sending SIGTERM.
Sep  1 13:18:59 master dovecot: ssl-params: SSL parameters regeneration completed

During installation a 1024 dh parameter file is created and the creation of a 2048 dh parameter is started (but the postinst does not wait for this).


OK - 4.1-0

But univention-mail-dovecot is already announced with errata http://errata.univention.de/ucs/4.0/291.html,

so I move the YAML to published and close this bug.