
2.4.1 has AVX support required

Open 9Lukas5 opened this issue 8 months ago • 27 comments

Hi, as of auto-updating to latest, my IMAP-Server is in a restart-loop and docker logs doesn't show anything at all.

Is this a known legit bug with 2.4.1, or am I the only one having this problem?

Edit 2025-03-31: The issue for me is the required AVX support, which my server does not have.

9Lukas5 avatar Mar 30 '25 12:03 9Lukas5

Hard to say without logs. Maybe your config has issues?

cmouse avatar Mar 30 '25 12:03 cmouse

When I upgraded to 2.4.0 I had a faulty config and got error messages in the log. But now with 2.4.1 it's not giving anything.

JFYI: I'm replacing the default config with my own, rather than using the *.d folders to provide additional settings.

9Lukas5 avatar Mar 30 '25 12:03 9Lukas5

Can you try

docker run --rm -it <mounts and such > dovecot/dovecot:2.4.1-dev bash

and start dovecot with dovecot -F

cmouse avatar Mar 30 '25 13:03 cmouse

Mh, I started it with the same config and TLS Key/Cert locally without a problem. So, maybe it's something in my mailboxes, that throws it off? 🤔

That seems at least to be the only obvious difference between my laptop and the prod environment I left out.

9Lukas5 avatar Mar 30 '25 13:03 9Lukas5

Uhmmm well, not really helpful I guess: 😆

Image

9Lukas5 avatar Mar 30 '25 13:03 9Lukas5

Could it be, that my specific version of Docker or Linux Kernel is doing something here?

Because with these starting options, there's not anything mounted to the container from the outside, and yet it core dumps on the prod-server, but doesn't on my laptop.

Prod-Server:

PRETTY_NAME="Ubuntu 22.04.5 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.5 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy

6.8.0-52-generic x86_64

Docker version 26.1.3, build 26.1.3-0ubuntu1~22.04.1

Local machine:

NAME="Fedora Linux"
VERSION="41 (Workstation Edition)"
RELEASE_TYPE=stable

6.13.8-200.fc41.x86_64 x86_64

Docker version 27.3.1, build 2.fc41

Image

9Lukas5 avatar Mar 30 '25 13:03 9Lukas5

Hum. Does your cpu lack avx support? Can you paste /proc/cpuinfo?

cmouse avatar Mar 30 '25 13:03 cmouse

Hm, yes it seems so 🧐

/proc/cpuinfo
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 60
model name	: Intel(R) Pentium(R) CPU G3220 @ 3.00GHz
stepping	: 3
microcode	: 0x28
cpu MHz		: 2998.260
cache size	: 16384 KB
physical id	: 0
siblings	: 2
core id		: 0
cpu cores	: 2
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 13
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq vmx ssse3 cx16 pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer xsave rdrand hypervisor lahf_lm abm cpuid_fault pti ssbd ibrs ibpb stibp tpr_shadow flexpriority ept vpid ept_ad fsgsbase tsc_adjust erms invpcid xsaveopt arat vnmi umip md_clear arch_capabilities
vmx flags	: vnmi preemption_timer invvpid ept_x_only ept_ad ept_1gb flexpriority tsc_offset vtpr mtf vapic ept vpid unrestricted_guest shadow_vmcs pml
bugs		: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs srbds mmio_unknown bhi
bogomips	: 5996.52
clflush size	: 64
cache_alignment	: 64
address sizes	: 39 bits physical, 48 bits virtual
power management:

processor	: 1
vendor_id	: GenuineIntel
cpu family	: 6
model		: 60
model name	: Intel(R) Pentium(R) CPU G3220 @ 3.00GHz
stepping	: 3
microcode	: 0x28
cpu MHz		: 2998.260
cache size	: 16384 KB
physical id	: 0
siblings	: 2
core id		: 1
cpu cores	: 2
apicid		: 1
initial apicid	: 1
fpu		: yes
fpu_exception	: yes
cpuid level	: 13
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq vmx ssse3 cx16 pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer xsave rdrand hypervisor lahf_lm abm cpuid_fault pti ssbd ibrs ibpb stibp tpr_shadow flexpriority ept vpid ept_ad fsgsbase tsc_adjust erms invpcid xsaveopt arat vnmi umip md_clear arch_capabilities
vmx flags	: vnmi preemption_timer invvpid ept_x_only ept_ad ept_1gb flexpriority tsc_offset vtpr mtf vapic ept vpid unrestricted_guest shadow_vmcs pml
bugs		: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs srbds mmio_unknown bhi
bogomips	: 5996.52
clflush size	: 64
cache_alignment	: 64
address sizes	: 39 bits physical, 48 bits virtual
power management:

9Lukas5 avatar Mar 30 '25 13:03 9Lukas5
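
A pre-update check for the missing-AVX case diagnosed in this exchange, as an added example that is not part of the thread or the Dovecot project: it reads the `flags` lines of a `/proc/cpuinfo`-style file and refuses when `avx` is absent. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: check CPU flags before pulling an image
# that was compiled with -mavx.

# cpu_has_flag FLAG [FILE]: succeed only if every "flags" line lists FLAG as a
# whole word. "avx2" does not count as "avx"; the "vmx flags" line is skipped.
cpu_has_flag() {
    awk -v want="$1" '
        /^flags[ \t]*:/ {
            seen = 1; found = 0
            sub(/^[^:]*:/, "")
            n = split($0, f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] == want) found = 1
            if (!found) missing = 1
        }
        END { if (seen && !missing) exit 0; exit 1 }
    ' "${2:-/proc/cpuinfo}"
}

# preflight_avx [FILE]: print a decision up front instead of letting the
# container restart-loop with empty logs.
preflight_avx() {
    if cpu_has_flag avx "${1:-/proc/cpuinfo}"; then
        echo "ok: avx present"
    else
        echo "blocked: no avx; keep the previous tag or build without -mavx"
        return 1
    fi
}

# Constructed samples: a shortened form of the G3220 flags pasted above, a
# made-up CPU with AVX, and a made-up line that only contains the token "avx2".
tmp=$(mktemp -d)
printf 'flags\t\t: fpu sse sse2 ssse3 sse4_1 sse4_2 popcnt xsave rdrand\nvmx flags\t: vnmi ept vpid\n' > "$tmp/g3220"
printf 'flags\t\t: fpu sse sse2 sse4_2 xsave avx avx2 fma\n' > "$tmp/with_avx"
printf 'flags\t\t: fpu sse sse2 avx2\n' > "$tmp/avx2_only"

preflight_avx "$tmp/g3220" || true
preflight_avx "$tmp/with_avx"
```

Called with no argument, `preflight_avx` reads the host's own `/proc/cpuinfo`.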

How old is this laptop?

cmouse avatar Mar 30 '25 14:03 cmouse

The server is a two-core Pentium on an ATX board. But quite old now, yes. The CPU is from 2013.

9Lukas5 avatar Mar 30 '25 16:03 9Lukas5

Ok. Let's see, I would recommend, for now, to build it locally with build.sh and removing -mavx.

cmouse avatar Mar 30 '25 16:03 cmouse

Alright, did that and indeed, without the AVX cflag dovecot 2.4.1 works on my server.

9Lukas5 avatar Mar 31 '25 16:03 9Lukas5

I had the same problem, AVX is missing on my Intel G4560

hartmark avatar Apr 07 '25 21:04 hartmark

I was able to create a docker image with AVX but I still get errors, I just get these errors all the time and I cannot append any messages.

dovecot-1 | Apr 08 01:07:45 imap(markus)<26><Ym0H+TkymtOsEwAB>: Info: Disconnected: Too many invalid IMAP commands. in=163 out=1944 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0

% openssl s_client -connect localhost:31993 -crlf -quiet
Connecting to ::1
Can't use SSL_get_servername
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=E6
verify return:1
depth=0 CN=*****************************
verify return:1
* OK [CAPABILITY IMAP4rev1 LOGIN-REFERRALS ID ENABLE IDLE SASL-IR LITERAL+ AUTH=PLAIN] Dovecot ready.
A01 LOGIN markus *****************
A01 OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE REPLACE SNIPPET=FUZZY PREVIEW=FUZZY PREVIEW SPECIAL-USE STATUS=SIZE SAVEDATE COMPRESS=DEFLATE INPROGRESS NOTIFY LITERAL+ UTF8=ACCEPT FILTER=SIEVE] Logged in
A02 LIST "" "*"
* LIST (\HasNoChildren) "/" INBOX
A02 OK List completed (0.003 + 0.000 + 0.002 secs).
A03 SELECT INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1744076145] UIDs valid
* OK [UIDNEXT 1] Predicted next UID
A03 OK [READ-WRITE] Select completed (0.031 + 0.000 + 0.030 secs).
A04 APPEND "INBOX" {25}
+ OK
Subject: Test

Body text
A04 BAD Error in IMAP command APPEND: Invalid arguments (0.019 + 8.275 + 8.292 secs).

hartmark avatar Apr 08 '25 01:04 hartmark

I wonder if you counted newlines etc into the literal length?

cmouse avatar Apr 08 '25 02:04 cmouse
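
The literal-length question above, worked through as an added example that is not part of the thread: it counts the octets of the message typed in the session with every line break sent as CRLF, and compares the result with the declared `{25}`. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: octet count for an IMAP APPEND literal.
# {N} counts octets on the wire, where every line break is CRLF (what
# `openssl s_client -crlf` sends). The line break typed after the last line
# is not part of the literal; it ends the APPEND command.

# imap_literal_octets MESSAGE: print the octet count (bytes, not characters).
imap_literal_octets() {
    printf '%s' "$1" | LC_ALL=C awk '
        { sub(/\r$/, ""); total += length($0) + 2; n++ }
        END { print (n ? total - 2 : 0) }'
}

# check_literal DECLARED MESSAGE: print a verdict, fail on a mismatch.
check_literal() {
    actual=$(imap_literal_octets "$2")
    if [ "$1" -eq "$actual" ]; then
        echo "match: {$1}"
    elif [ "$1" -lt "$actual" ]; then
        echo "short: {$1} declared, $actual sent; $((actual - $1)) octet(s) parsed as command text"
        return 1
    else
        echo "long: {$1} declared, $actual sent; server reads $(($1 - actual)) more octet(s) as message data"
        return 1
    fi
}

# The message typed in the session above (LF here, CRLF on the wire).
msg='Subject: Test

Body text'

check_literal 25 "$msg" || true
echo "A04 APPEND \"INBOX\" {$(imap_literal_octets "$msg")}"
```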

> I wonder if you counted newlines etc into the literal length?

I get the same error when trying to move any email to the account using Thunderbird.

hartmark avatar Apr 08 '25 07:04 hartmark

The problem with thunderbird is due to a bug in mail utf8 that we discovered, should work if you set mail_utf8_extensions=no in your config.

cmouse avatar Apr 08 '25 07:04 cmouse

> The problem with thunderbird is due to a bug in mail utf8 that we discovered, should work if you set mail_utf8_extensions=no in your config.

Cool, thanks I'll try that.

hartmark avatar Apr 08 '25 08:04 hartmark

@cmouse will the AVX requirement be removed from the published docker images again in the future, or do I have to opt for self-building as a permanent solution? 🤔

9Lukas5 avatar Apr 08 '25 09:04 9Lukas5

We haven't decided yet. I would like to keep it as AVX is pretty common these days, but then again if more people complain, we might have to roll that back.

cmouse avatar Apr 08 '25 09:04 cmouse

> We haven't decided yet. I would like to keep it as AVX is pretty common these days, but then again if more people complain, we might have to roll that back.

Did you see my PR? I modified the build script to detect if AVX is missing.

It was quite easy to just run it to get a homemade image without AVX. Took like 10 minutes on my weak NAS.

For me personally I can live without AVX and just build my own images when updating.

hartmark avatar Apr 08 '25 09:04 hartmark

> > We haven't decided yet. I would like to keep it as AVX is pretty common these days, but then again if more people complain, we might have to roll that back.
>
> Did you see my PR? I modified the build script to detect if AVX is missing.
>
> It was quite easy to just run it to get a homemade image without AVX. Took like 10 minutes on my weak NAS.
>
> For me personally I can live without AVX and just build my own images when updating.

I did see your commit, I'll have to think about it as well.

cmouse avatar Apr 08 '25 09:04 cmouse

@hartmark yes I saw it, but that basically triggered my question, if that is the plan. Sure, I could do this. But I'd rather not start running builds on my own, but keep using the already compiled image.

And that's where the question has to be weighed, what are the benefits of requiring this instruction, versus the lost backwards compatibility.

I can't really make a technical assessment for this. Is there an actual reasonably measurable benefit for dovecot from requiring AVX?

9Lukas5 avatar Apr 08 '25 10:04 9Lukas5

AVX is good for accelerating SSL/TLS functions so for a high-load server it might yield better performance.

Besides that I don't know what other parts that would get better performance with AVX-functions. I guess in the future we will probably have AVX required for the dependent libraries even if there is no direct usage of AVX in the code base.

hartmark avatar Apr 08 '25 22:04 hartmark

You are thinking aesni and friends, which openssl uses by itself when present. avx improves all sorts of string handling.

cmouse avatar Apr 09 '25 04:04 cmouse

I can confirm this problem and I think it is a show-stopper for a docker-image. And it is different to the problem I mention under #31

I am able to "stage" this problem with virtual box on an i9 core, as far as I understand the compile flags for the image are too advanced, since the usage of a docker-image is not going in production with thousands of users but running a small system to solve a medium sized problem.

joern-schlingensiepen avatar Jul 16 '25 09:07 joern-schlingensiepen

Adding my thoughts about requiring avx as of dovecot 2.4.1's docker image.

I appreciate that AVX accelerates code paths, but given it's a compile-time optimization rather than a hard requirement in the underlying code, it seems a subjective packaging change, especially when introduced in a patch release (2.4.1 vs 2.4.0). I personally ran into this issue when upgrading, and it was quite puzzling.

I am not sure if any new AMD/Intel CPUs are being produced without AVX support, but there are lower end Intel CPUs around 4 years old which do lack it. I'd suggest that these CPUs are commonly used by self-hosting enthusiasts, such as myself. And, as more users upgrade, this issue will likely see more traffic. :-)

While I request a reversal on this optimization, I understand if the maintainers decide to retain it. If retaining the requirement for AVX, I do request an update to documentation (docker specific) to clarify the image requires newer CPUs with this extended instruction set.

bsherman avatar Jul 18 '25 14:07 bsherman