lxc: dovecot sysctl: warn but skip when running in shared-kernel container

Replace the CHATMAIL_NOSYSCTL guard with an explicit systemd-detect-virt -c check.
2026-05-10 16:04:37 +00:00 · 2026-03-08 18:13:00 +01:00
parent 04ac2cf700
commit 86e5708709
1 changed files with 19 additions and 18 deletions
--- a/cmdeploy/src/cmdeploy/dovecot/deployer.py
+++ b/cmdeploy/src/cmdeploy/dovecot/deployer.py
@@ -1,9 +1,8 @@
-import os
 import urllib.request

 from chatmaild.config import Config
 from pyinfra import host
-from pyinfra.facts.server import Arch, Sysctl
+from pyinfra.facts.server import Arch, Command, Sysctl
 from pyinfra.facts.systemd import SystemdEnabled
 from pyinfra.operations import apt, files, server, systemd

@@ -137,23 +136,25 @@ def _configure_dovecot(config: Config, debug: bool = False) -> (bool, bool):

    # as per https://doc.dovecot.org/2.3/configuration_manual/os/
    # it is recommended to set the following inotify limits
-    if not os.environ.get("CHATMAIL_NOSYSCTL"):
-        for name in ("max_user_instances", "max_user_watches"):
-            key = f"fs.inotify.{name}"
-            if host.get_fact(Sysctl)[key] > 65535:
-                # Skip updating limits if already sufficient
-                # (enables running in incus containers where sysctl readonly)
-                continue
-            # in containers the following can fail see also
-            # https://docs.pyinfra.com/en/3.x/arguments.html#operation-meta-callbacks
-            server.sysctl(
-                name=f"Change {key}",
-                key=key,
-                value=65535,
-                persist=True,
-                _ignore_errors=True,
-                _continue_on_error=True,
+    can_modify = host.get_fact(Command, "systemd-detect-virt -c || true") == "none"
+    for name in ("max_user_instances", "max_user_watches"):
+        key = f"fs.inotify.{name}"
+        value = host.get_fact(Sysctl)[key]
+        if value > 65534:
+            continue
+        if not can_modify:
+            print(
+                "\n!!!! refusing to attempt sysctl setting in shared-kernel containers\n"
+                f"!!!! dovecot: sysctl {key!r}={value}, should be >65535 for production setups\n"
+                "!!!!"
            )
+            continue
+        server.sysctl(
+            name=f"Change {key}",
+            key=key,
+            value=65535,
+            persist=True,
+        )

    timezone_env = files.line(
        name="Set TZ environment variable",