Skip to main content

Dovecot Anvil permanent highload due spin loop

Zachary Karr
  • Updated

Symptoms

A large number of login attempts to Dovecot are spawning the Dovecot Anvil processes, which continue to run, causing a high load on the server's CPU resources.

  1. A login/auth/mail worker connects to anvil.
  2. Worker exits unexpectedly (crash, SIGTERM, reload, timeout, etc.).
  3. The worker fails to close its anvil socket.
  4. Anvil does not detect the disconnect cleanly.
  5. The anvil process accumulates “dangling” sockets.
  6. The epoll list grows with dead entries.
  7. epoll_wait() wakes up constantly — microsecond returns.
  8. CPU climbs to 50–100% forever.
  9. The anvil process appears “hung” or “busy looping.”

 

Cause

The high CPU load is caused by the anvil-auth-penalty socket being polled repeatedly in a spin-lock, likely triggered after a SIGHUP occurs while Dovecot is under active load.  

We've opened an internal case for our development team to investigate this further. For reference, the case number is CPANEL-54224. Follow this article to receive an email notification when a solution is published in the product.

 

Resolution

Restarting Dovecot will temporarily resolve the CPU load:

# /scripts/restartsrv_dovecot

We suggest contacting cPanel Support for further investigation. 

 

INTERNAL:

The following is an untested resolution. Please confirm the following if this is experienced by a user. If it works, flag the article to have this section made public.

If you have Imunify360's Dovecot Bruteforce option enabled, or cPHulkd active, this additional anvil-auth-penalty may not be needed in the standard Dovecot configuration.

To disable this, create a Dovecot template file override:

# cp -v /var/cpanel/templates/dovecot/main{.default,.local}

Note: If you already have a local template file (Imunify360 may have created one), it would be recommended to first back up the one you have.
# cp -v /var/cpanel/templates/dovecot/main.local{,.bak}

Add the following to the end of this file:

CONFIG_TEXT: service anvil {
  unix_listener anvil-auth-penalty {
    mode = 0
  }
}

Rebuild Dovecot:

# /scripts/builddovecotconf

Restart the service to load the new config:

# /scripts/restartsrv_dovecot

Related articles

Comments

0 comments

Article is closed for comments.

%