|
15 | 15 | - [Certificate](#certificate) |
16 | 16 | - [Ports](#ports) |
17 | 17 | - [Persistence](#persistence) |
| 18 | + - [Backing Storage](#backing-storage) |
| 19 | + - [Generic / All](#generic--all) |
| 20 | + - [NFS](#nfs) |
18 | 21 | - [Upgrading to Version 3.0.0](#upgrading-to-version-3) |
19 | 22 | - [Development](#development) |
20 | 23 | - [Testing](#testing) |
@@ -197,8 +200,36 @@ Therefore the chart requests four PersistentVolumeClaims under the `persistent_v |
197 | 200 |
|
198 | 201 | The PVCs are mounted to `volumeMounts` via the `persistence` key. Each `volumeMount` must specify a volume name and mount path. It is also possbile to set a subpath via the `subPath` key. |
199 | 202 |
|
| 203 | +Certain PV storage types may recommend or require additional external configuration. For more information, see the [Backing Storage](#backing-storage) section. |
| 204 | + |
200 | 205 | Extra volumes and volume mounts may be added using the `extraVolumes` and `extraVolumeMounts` keys. |
201 | 206 |
|
| 207 | +### Backing Storage |
| 208 | + |
| 209 | +This section contains configuration tweaks and quirks related to various PersistentVolume types. This section has been verified as of May 10, 2025. |
| 210 | + |
| 211 | +Common CSI driver-backed storage providers (such as various block storage providers) have not currently been tested while writing this section, but generic recommendations may still apply. |
| 212 | + |
| 213 | +#### Generic / All |
| 214 | + |
| 215 | +The DMS container image used inside this chart currently does not forcibly harden the permissions of the recommended persistent volume mounts. It does change ownership for directories where different services need it. |
| 216 | + |
| 217 | +For any posix-backed storage it is recommended to adjust the Unix octal permissions of `0755` (u:rwx, g:rx, o:rx) if they are not already. Additionally, the primary file ACL for the directory should be set to `u::rwx,g::rx,o:rx` if subPaths are going to be used to map multiple volume mounts to a single PersistentVolume. |
| 218 | + |
| 219 | +The DMS chart is currently not tested for replication, high availability. If subPaths are being used to merge multiple volume mount points to one PersistentVolume, this may potentially break being able to run with high availaility should it be actively tested in the future. |
| 220 | + |
| 221 | +#### NFS |
| 222 | + |
| 223 | +Docker Mailserver (the container) currently assumes that local posix-based storage (e.g. local or hostPath fs drivers) is used, and doesn't fully work with standard writable NFS shares (tested against NFS 4.2). Using fsGroup in the pod's securityContext won't help in this case as the container's root nor any other user seems to get it applied as a supplementary group. |
| 224 | + |
| 225 | +The current alternative is to apply the `no_root_squash` flag to any backing NFS shares, as well as ensure root ownership initially. If you do not know the caveats of [using the no_root_squash flag](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/security_guide/s2-server-nfs-noroot) and/or cannot properly mitigate the potential risk from using it, **consider not using NFS shares as backing storage at this time**. |
| 226 | + |
| 227 | +The reason `no_root_squash` is currently required is due to how DMS does initial fs setup. The container currently utilizes a lot of post-init directory creation and ownership changing done as root. |
| 228 | + |
| 229 | +DMS does not use techniques such as permissive initial directory creation that is locked down after various service users have made their respectively-owned subdirectories. |
| 230 | + |
| 231 | +Quirks from the generic section also apply to NFS-backed PersistentVolumes. |
| 232 | + |
202 | 233 | ## Upgrading to Version 5 |
203 | 234 | Version 5.0 upgrades docker-mailserver to version 15. This version of the chart *does* include backwards incompatible changes |
204 | 235 |
|
|
0 commit comments