Closed maxnikulin closed 7 months ago
I'm not sure that anything can be done about this while pam_fscrypt
is written in Go, given that the address space is being allocated by the Go runtime when it starts up, and this is working as intended for any Go program (see https://github.com/golang/go/issues/38010). Keep in mind that it's address space, not memory, and thus your first two requests ("It would be nice to postpone allocation of significant amount of memory" and "not allocate almost ~1G of RAM if a user does not have login protector") describe current behavior already. Allocating address space does cause problems when programs use RLIMIT_AS
to limit the address space, but that feature is largely obsolete now that memory cgroups exist and allow actually limiting memory. It might be worth reaching out to the application you're using that uses RLIMIT_AS
and seeing if it's what they really want to be using; most likely they really intended to limit memory, not address space.
Thanks for pointing me to the Go issue. I admit I was not precise using memory and address space interchangeably. It is sour that Go has no knobs like build or link flags to adjust behavior of memory allocator. This case I would trade some performance degradation for running with stricter limits. I see, it is out of control of fscrypt developers and package maintainers in various Linux distributions.
It reminds me some FORTRAN 77 libraries with requirement to explicitly prepare large enough arena for further "dynamic" memory allocations (COMMON/PAWC/...
and HLIMIT
in http://labmaster.mi.infn.it/wwwasdoc.web.cern.ch/wwwasdoc/hbook_html3/node12.html).
Dovecot is a complex enough mail server. It uses a squad of processes to minimize privileges of each one. Likely it will be non-trivial to properly organize the group of daemons into a suitable cgroup subtree. Anyway I posted description of the issue with hope that it might affect later decision of developers: Authentication failure due to address space limit. Wed, 6 Dec 2023 18:06:05.
I find a similar post with another PAM module dovecot: lmtp: Error: fatal error: failed to reserve page summary memory. Thu, Sep 17 2020 12:20:12. That case the solution was to use Rust instead of Go.
At this point I'd prefer Rust over Go too. Of course, the implementation language of fscrypt
was chosen back in 2016 when Rust wasn't as well established, so we're stuck with it unless someone wants to rewrite it which would be a large effort.
At this point I'd prefer Rust over Go too.
PAM module from fscrypt
is among top search results: https://pkg.go.dev/search?q=pam A warning concerning RLIMIT_AS
in the library docs might help other developers to decide if Go should be used for their projects.
Originally I suggested vsz_limit = 1G
for auth-worker
, but it still sometimes causes silent failures making Thunderbird crazy. I hope 2G would be enough (I updated the initial comment to not confuse readers).
It happens even when /etc/pam.d/dovecot
does not load pam_fscrypt.so
(through common-auth
or common-session
). The module is loaded from /etc/pam.d/common-account
. Adding debug
there does not cause any message in both cases of successful or failed authentication. Dovecot just logs
pam_authenticate() failed: Authentication failure (Password mismatch?)
To reproduce force new auth-worker
on every request (or restart dovecot after each request)
service auth-worker {
service_count = 1
}
and
while curl -v imap://test:test@127.0.0.1/ ; do sleep 0.1 ; done
Thunderbird creates multiple connections making failures rather frequent.
Installing
pam_fscrypt
breaks authentication in Dovecot IMAP server. The error message is rather obscure, so I hope, it is possible to improve error handling.Default address space limit (AS) for auth-worker processes is 256M and it is not enough for Go runtime (at least as the PAM module is built in Debian).
fscrypt
plugin is fully initialized and panic handlers are installed.pam_fscript.so
was not allocate almost ~1G of RAM if a user does not have login protector.After installing
libpam-fscrypt
I have realized that I can not access IMAP folders any more despite login protector for this particular user is not configured:Actually it is even worse since such failure happens for invalid users as well
It seems it happens rather early during initialization of Go runtime. I suspected that it might be some issue with C vs Go runtime, but
strace
of a dovecotauth
process confirmed that it is namely memory allocation problemActual limit for this kind of processes:
Playing with this limit I have seen various error messages, e.g.
Just for completeness, a Dovecot configuration snippet that fixes the issue
while by default it is
default_vsz_limit = 256M
.I am realizing that
fscrypt
is hardly compatible with a mail server. I am not going to use login protectors and mail boxes for same users. I find it unfortunate that packages are incompatible out of the box.Debian-12 bookworm, Linux kernel 6.1.55-1, libpam-fscrypt 0.3.3-1+b6. It is not the latest
fscrypt
version, but it should include error handlers for PAM methods. I am unsure if the issue may be caused by build flags specific to Debian.From my point of view, 256M limit should be enough to avoid errors when a PAM module is not supposed to do anything useful. That is why I am requesting documentation update and, if possible, improving of error handling.