Re: Upgrade 2.2.27 to 2.3.9.2: master(imap): net_connect_unix(imap) failed: Resource temporarily unavailable

Wed, 15 Jan 2020 00:55:37 -0800

Embarrassingly, the issue does appear to have been /proc/sys/net/core/somaxconn setting all along. It was increased from 128, to 512, to 1024 with full restarts of Dovecot inbetween. However, this was apparently not enough to handle our login bursts.
The latest increase, from 1024 to 65536, only had a `doveadm reload` issued, which seemingly does not cause the socket to rebind and therefore still used the old settings. 


After fully restarting dovecot, the issue -appears- to be gone. At least 
we survived through the morning spikes today without errors.


Apologies for the list spam.

On 14/01/2020 13:38, Eirik Rye wrote:

We are unfortunately still seeing a lot of these errors once the machine 
reaches a high number of concurrent users/logins (just below 20k 
simultaneous IMAP connections on a powerful 24 core machine with 128GB 
RAM):



2020-01-14T09:18:58.661349+01:00 dovecot: imap-login: Warning: 
net_connect_unix(imap) succeeded only after retrying - took 140330 us
2020-01-14T09:18:58.854692+01:00 dovecot: imap-login: Error: 
master(imap): net_connect_unix(imap) failed: Resource temporarily 
unavailable - http://wiki2.dovecot.org/SocketUnavailable 
(client-pid=107932, client-id=780262, rip=x, created 500 msecs ago, 
received 0/4 bytes)
2020-01-14T09:18:58.888228+01:00 dovecot: imap-login: Warning: 
net_connect_unix(imap) succeeded only after retrying - took 440762 us



The machine is at insignificant load numbers, and the dovecot process is 
somewhere near 25% CPU usage when the problem occurs. It is not close to 
saturating its core from what I can tell.



To make sure the issues are not task/fd-limit related, I have set this 
in /etc/systemd/system/dovecot.service.d/service.conf:


[Service]
LimitNOFILE=infinity
TasksMax=infinity

~# egrep "processes|files" /proc/`pidof dovecot`/limits
Max processes             514051               514051
Max open files            1048576              1048576
~# cat /proc/sys/net/core/somaxconn
65536
~# cat /proc/sys/kernel/pid_max
278528


Dovecot is configured with NFS backed storage, and locally stored 
passwdfile userdb/passdb are used for authentication.



Backends are (now) behind directors. The directors/proxies are having no 
issues dealing with the traffic whatsoever.


At the time of failure, the process list looks like this:

~# ps -f --ppid `pidof dovecot` | egrep -v "dovecot/(imap|pop3) "
UID         PID   PPID  C STIME TTY          TIME CMD
274264    44753 138506  0 12:43 ?        00:00:00 [imap]
308665   104852 138506  0 13:01 ?        00:00:00 [imap]
308665   104853 138506  0 13:01 ?        00:00:00 [imap]

dovenull 138508 138506  1 10:31 ?        00:03:00 dovecot/pop3-login [6 
pre-login + 36 TLS proxies]

dovenull 138509 138506  0 10:31 ?        00:00:07 dovecot/imap-login

dovecot  138510 138506  0 10:31 ?        00:01:10 dovecot/anvil [20 
connections]

root     138511 138506  1 10:31 ?        00:02:14 dovecot/log

dovenull 138512 138506  1 10:31 ?        00:01:48 dovecot/pop3-login [1 
pre-login + 15 TLS proxies]
dovenull 138513 138506  0 10:31 ?        00:00:08 dovecot/imap-login 
[redacted TLS proxy]
dovenull 138514 138506  0 10:31 ?        00:00:07 dovecot/imap-login [0 
pre-login + 3 TLS proxies]
dovenull 138515 138506  0 10:31 ?        00:00:10 dovecot/imap-login 
[redacted TLS proxy]
dovenull 138516 138506  0 10:31 ?        00:01:14 dovecot/imap-login [27 
pre-login + 12 TLS proxies]
dovenull 138517 138506  0 10:31 ?        00:00:31 dovecot/imap-login [2 
pre-login + 2 TLS proxies]
dovenull 138518 138506  0 10:31 ?        00:01:28 dovecot/imap-login [56 
pre-login + 20 TLS proxies]
dovenull 138519 138506  0 10:31 ?        00:00:09 dovecot/imap-login [0 
pre-login + 4 TLS proxies]
dovenull 138520 138506  0 10:31 ?        00:00:06 dovecot/imap-login 
[redacted TLS proxy]
dovenull 138521 138506  0 10:31 ?        00:00:11 dovecot/imap-login [0 
pre-login + 3 TLS proxies]
dovenull 138522 138506  0 10:31 ?        00:00:16 dovecot/imap-login [2 
pre-login + 2 TLS proxies]
dovenull 138523 138506  0 10:31 ?        00:00:13 dovecot/imap-login [1 
pre-login + 2 TLS proxies]
dovenull 138524 138506  0 10:31 ?        00:00:24 dovecot/imap-login [1 
pre-login + 3 TLS proxies]
dovenull 138525 138506  0 10:31 ?        00:01:13 dovecot/imap-login [36 
pre-login + 23 TLS proxies]
dovenull 138526 138506  0 10:31 ?        00:00:41 dovecot/imap-login [10 
pre-login + 12 TLS proxies]
dovenull 138527 138506  0 10:31 ?        00:00:20 dovecot/imap-login [1 
pre-login + 7 TLS proxies]

root     138528 138506  2 10:31 ?        00:04:45 dovecot/config

dovecot  138529 138506  1 10:31 ?        00:02:22 dovecot/stats [19389 
connections]
dovecot  138530 138506  3 10:31 ?        00:05:53 dovecot/auth [137 
wait, 0 passdb, 0 userdb]
root     148675 138506  0 13:13 ?        00:00:00 dovecot/doveadm-server 
[redacted]


Other stats:

~# ps -f --ppid `pidof dovecot` | grep "dovecot/imap " | wc -l
19328
~# doveadm process status | grep "^imap " | wc -l
19307
~# ss -ntp "( sport = :143 or sport = :993 )" | grep "\"imap\"" | wc -l
19141

~# ss -ntp "( sport = :143 or sport = :993 )" | grep "\"imap-login\"" | 
wc -l

333
~# ss -ntp "( sport = :143 or sport = :993 )" | wc -l
19530

~# doveconf -n

# 2.3.9.2 (cf2918cac): /etc/dovecot/dovecot.conf
# OS: Linux 4.9.0-9-amd64 x86_64 Debian 9.11
# Hostname: [redacted]
default_vsz_limit = 768 M
disable_plaintext_auth = no
imap_id_log = *
log_timestamp = "%F %T %z "
login_trusted_networks = [redacted]
mail_fsync = always
mail_location = maildir:~/Maildir
mail_nfs_index = yes
mail_nfs_storage = yes
mmap_disable = yes
namespace inbox {
   inbox = yes
   location =
   mailbox Drafts {
     auto = subscribe
     special_use = \Drafts
   }
   mailbox Sent {
     auto = subscribe
     special_use = \Sent
   }
   mailbox "Sent Messages" {
     auto = no
     special_use = \Sent
   }
   mailbox Spam {
     auto = create
     special_use = \Junk
   }
   mailbox Trash {
     auto = subscribe
     special_use = \Trash
   }
   prefix =
   separator = /
}
passdb {
   args = username_format=%Lu /etc/dovecot/aliases
   default_fields = noauthenticate
   driver = passwd-file
}
passdb {
   args = /etc/dovecot/passwd
   driver = passwd-file
}
protocols = imap pop3
service doveadm {
   inet_listener {
     port = 24245
   }
   inet_listener http {
     port = 8080
   }
}
service imap-login {
   client_limit = 4096
   inet_listener imap {
     port = 143
   }
   inet_listener imaps {
     port = 993
     ssl = yes
   }
   process_limit = 16
   process_min_avail = 16
   service_count = 0
   vsz_limit = 768 M
}
service imap {
   client_limit = 1
   process_limit = 65536
}
service pop3-login {
   client_limit = 4096
   inet_listener pop3 {
     port = 110
   }
   inet_listener pop3s {
     port = 995
     ssl = yes
   }
   process_limit = 8
   process_min_avail = 2
   service_count = 0
}
service pop3 {
   process_limit = 16384
}
service stats {
   client_limit = 65536
}
ssl_cert = <[redacted]
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
   args = /etc/dovecot/passwd
   driver = passwd-file
}
verbose_proctitle = yes
protocol imap {
   mail_max_userip_connections = 20
   rawlog_dir = [redacted]
}


Are there any other tunables either in Dovecot or in the kernel that may 
relate to this issue that we may have missed?





--
Eirik























					Reply via email to