Control: severity -1 normal
Control: tags -1 wontfix

Hi,

On 15:03 Sun 07 Jul , Michael Becker wrote:
> forgot to mention: dovecot runs in an LXC container

Apologies for the late response. For posterity, this error is because
systemd inside LXC cannot create additional namespaces under Debian's
default configuration. Dovecot's systemd unit uses some hardening
features which rely on systemd namespace support.

There are 3 possible workarounds for this:

 - Try enabling unprivileged userns cloning in the host kernel, by
   setting the kernel.unprivileged_userns_clone sysctl to 1. This is
   probably the least intrusive option, but I'm not 100% sure it will
   work.

 - Override and unset ProtectSystem, PrivateDevices and PrivateTmp in
   the systemd unit (preferably using an override in
   /etc/systemd/dovecot.service.d). Note however that this will disable
   the last line of defense for a service running as root (but that's
   also what you get when you run under sysvinit).

 - Change your LXC container to a privileged one, which kinda beats the
   purpose.

Cheers,
Apollon
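
The following is an added example, not part of the original message and not taken from the Dovecot packaging: a sketch of the second workaround that reads a unit file, reports which of the three directives named above are actually enabled under [Service], and emits a drop-in body that switches off only those. The function names and the sample unit text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message or the Dovecot packaging.
NS_DIRECTIVES="ProtectSystem PrivateDevices PrivateTmp"  # named in the message

# Constructed sample unit text (an assumption, not Dovecot's real unit file).
sample_unit() {
    cat <<'EOF'
[Unit]
Description=Constructed sample mail service
[Service]
ExecStart=/usr/sbin/dovecot -F
ProtectSystem=full
PrivateDevices=true
# PrivateTmp=false
PrivateTmp=true
NoNewPrivileges=true
EOF
}

# Print "Directive=value" for each listed directive enabled under [Service].
enabled_ns_directives() {
    awk -v want="$NS_DIRECTIVES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[/   { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        in_service {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key in keep) last[key] = val         # a later assignment wins
        }
        END {
            for (i = 1; i <= n; i++) {
                v = tolower(last[w[i]])
                if (v != "" && v != "no" && v != "false" && v != "0" && v != "off")
                    print w[i] "=" last[w[i]]
            }
        }' "$1"
}

# Emit a drop-in body that switches off only the directives found enabled,
# leaving every other hardening option (e.g. NoNewPrivileges) untouched.
override_body() {
    set -- $(enabled_ns_directives "$1" | cut -d= -f1)
    [ $# -gt 0 ] || return 0
    echo "[Service]"
    for d in "$@"; do echo "$d=no"; done
}

tmp=$(mktemp) && sample_unit > "$tmp" && override_body "$tmp"; rm -f "$tmp"
```

The emitted text is meant to be saved as a .conf file in the unit's override directory, followed by a daemon reload and a restart of the service.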