NFS mount for data directory of postgresql 9.5 container #213

Open
navidshaikh opened this issue Dec 5, 2017 · 7 comments

@navidshaikh

Trying to share NFS mount from host machine, as data directory to postgresql 9.5 container

run command:

docker run -d  --name postgres -v /srv/db2/cccp/:/var/lib/pgsql/data -p 5432:5432 -e "POSTGRESQL_USER=cccp" -e "POSTGRESQL_PASSWORD=cccp" -e "POSTGRESQL_DATABASE=cccp" registry.centos.org/sclo/postgresql-95-centos7

here /srv/db2/cccp/ is NFS share mounted on the host system.

NFS server exports a directory with config
/nfsshare *(rw,sync,no_subtree_check,all_squash,anonuid=0,anongid=0)

The docs mention using the setfacl command to work around the postgresql container's directory ownership behavior; however, while running the setfacl command as mentioned, it prompts Operation Not Permitted.

[root@client ~]# setfacl -m u:26:-wx /srv/db2/cccp/
setfacl: /srv/db2/cccp/: Operation not supported

Note: Changing NFS server config to have uid=26 works for postgresql container, however, how does one manage UID/GID consistency all over the place then?

@praiskup
Contributor

praiskup commented Dec 6, 2017

> [root@client ~]# setfacl -m u:26:-wx /srv/db2/cccp/

The benefit of setfacl is primarily that you don't have to be root to allow containerized app to write there. The drawback is that it doesn't work for everybody, hm. Do you have spelling ideas for the documentation?

> Note: Changing NFS server config to have uid=26 works for postgresql container, however, how does one manage UID/GID consistency all over the place then?

All over the place == all containers? You can make the directory world-writeable, or group '0' writeable (I think by default the processes are run under group 0). I'm not convinced this is a good recommendable default, though.

@navidshaikh
Author

> Do you have spelling ideas for the documentation?

as in if documentation can be updated with a better explanation?

@navidshaikh
Author

navidshaikh commented Dec 7, 2017

> I'm not convinced this is a good recommendable default, though.

@praiskup
Yes, any idea what could be a better solution if one wants to have NFS share mounted as data directory for postgresql?

@praiskup
Contributor

praiskup commented Dec 7, 2017

Checked again -- atm. PostgreSQL processes are run as 'postgres:postgres', so you somehow have to set the permissions so the process can write to the data directory. Another option is to change the user by docker run -u and set the directory ownership accordingly. Btw., soon we could (in #208) add the 'postgres' user into 'root' group...

@navidshaikh
Author

> soon we could (in #208) add the 'postgres' user into 'root' group...

@praiskup : I have been keeping an eye on PR #208. IIUC the outcome should be seamlessly attaching host machine volume to /var/lib/pgsql/data directory inside the container. However, it seems to fail with permission issues again. Am I missing something here?

# docker images registry.centos.org/centos/postgresql-95-centos7
REPOSITORY                                         TAG                 IMAGE ID            CREATED             SIZE
registry.centos.org/centos/postgresql-95-centos7   latest              0785e3c7337e        About an hour ago   335 MB

# mkdir /tmp/foo

# docker run -d --name=vol-test -e POSTGRESQL_USER=cccp -e POSTGRESQL_PASSWORD=cccp -e POSTGRESQL_DATABASE=cccp -v /tmp/foo:/var/lib/pgsql/data:Z registry.centos.org/centos/postgresql-95-centos7

# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

# docker logs -f vol-test
mkdir: cannot create directory '/var/lib/pgsql/data/userdata': Permission denied

# cat /etc/centos-release
CentOS Linux release 7.4.1708 (Core) 

# rpm -q docker
docker-1.12.6-61.git85d7426.el7.centos.x86_64

Results are the same with and without providing the :Z option to the volume option in the docker run command.

@praiskup
Contributor

@navidshaikh have you added proper group ownership to /tmp/foo? (sudo chgrp root /tmp/foo)

@navidshaikh
Author

navidshaikh commented Jan 11, 2018

> have you added proper group ownership to /tmp/foo? (sudo chgrp root /tmp/foo)

@praiskup

# ls -la /tmp/foo/
total 0
drwxr-xr-x.  2 root root   6 Jan 10 15:08 .
drwxrwxrwt. 12 root root 250 Jan 11 03:25 ..
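
Added example, not part of the thread or of the project's code: a host-side preflight that applies plain POSIX mode-bit rules to a bind-mounted data directory, so the `mkdir ... Permission denied` outcome can be predicted before the container starts. The function names are hypothetical; uid 26 and group 0 for the container process are taken from the thread (`setfacl -m u:26`, the 'root' group mentioned for #208), and ACLs, SELinux labels and NFS squashing are not modelled.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the image's scripts).

# can_write MODE_OCTAL OWNER_UID OWNER_GID PROC_UID [PROC_GID...]
# Returns 0 when the process gets write+search (wx) on the directory,
# which is what creating 'userdata' inside it requires.
can_write() {
    cw_mode=$((0$1)); cw_ouid=$2; cw_ogid=$3; cw_puid=$4
    shift 4
    if [ "$cw_puid" -eq 0 ]; then
        return 0                              # local root bypasses mode bits
    elif [ "$cw_puid" -eq "$cw_ouid" ]; then
        cw_bits=$(( (cw_mode >> 6) & 7 ))     # owner class
    else
        cw_bits=$(( cw_mode & 7 ))            # other class unless a gid matches
        for cw_g in "$@"; do
            if [ "$cw_g" -eq "$cw_ogid" ]; then
                cw_bits=$(( (cw_mode >> 3) & 7 ))   # group class
                break
            fi
        done
    fi
    [ $(( cw_bits & 3 )) -eq 3 ]              # w (2) and x (1) both needed
}

# preflight DIR PROC_UID [PROC_GID...]: same check against a real directory.
preflight() {
    pf_dir=$1; shift
    pf_stat=$(stat -c '%a %u %g' "$pf_dir") || return 2   # GNU coreutils stat
    # Intentional word splitting: pf_stat holds "mode owner_uid owner_gid".
    if can_write $pf_stat "$@"; then
        echo "ok: uid $1 can create files in $pf_dir"
    else
        echo "denied: uid $1 lacks wx on $pf_dir (mode uid gid: $pf_stat)"
        return 1
    fi
}

# The listing above is mode 755, owner 0, group 0. For uid 26 in group 0:
#   can_write 755 0 0 26 0   -> denied (group class is r-x)
#   can_write 775 0 0 26 0   -> allowed (group class gains w)
```

On the host this would be called as `preflight /tmp/foo 26 0`. Granting `g+w` to group 0 is narrower than the world-writable directory mentioned earlier in the thread, since the other class stays without write access.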
