Skip to content

Commit 9f05446

Browse files
j-heffronj-heffron
committed
DRAFT: Helm Chart README Storage Section
1 parent e7f8047 commit 9f05446

1 file changed

Lines changed: 16 additions & 0 deletions

File tree

charts/docker-mailserver/README.md

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -199,6 +199,22 @@ The PVCs are mounted to `volumeMounts` via the `persistence` key. Each `volumeMo
199199

200200
Extra volumes and volume mounts may be added using the `extraVolumes` and `extraVolumeMounts` keys.
201201

202+
### Backing Storage
203+
204+
This section contains documented configuration tweaks and quirks related to certain volume types. When setting up PersisentVolumes for use with this helm chart, please refer to this section. This section has been verified as of May 7, 2025. CSI driver-backed storage providers (such as various block storage providers) have not currently been tested while writing this section.
205+
206+
#### Generic / All
207+
208+
The DMS container image used inside this chart currently does not forcibly harden the permissions of the recommended persistent volume mounts. It does change ownership for directories where different services need it. For any posix-backed storage it is recommended to adjust the Unix octal permissions of 0755 (u:rwx, g:rx, o:rx) if they are not already. Additionally, the primary file ACL for the directory should be set to u::rwx,g::rx,o:rx if subPaths are going to be used to map multiple volume mounts to a single PersistentVolume.
209+
210+
The DMS chart is currently not tested for replication, high availability. If subPaths are being used to merge multiple volume mount points to one PersistentVolume, this may potentially break being able to run with high availaility should it be actively tested in the future.
211+
212+
#### NFS
213+
214+
Docker Mailserver (the container) currently assumes that local posix-based storage (e.g. local or hostPath fs drivers) is used, and doesn't fully work with standard writable NFS shares (tested against NFS 4.2). Using fsGroup in the pod's securityContext won't help in this case as the container's root nor any other user seems to get it applied as a supplementary group. As such, the `no_root_squash` flag and the volume owner being root is currently required for volumes backed by NFS shares. If you do not know the caveats of using the `no_root_squash` flag and/or cannot properly mitigate the potential risk from using it, **consider not using NFS shares as backing storage at this time**. Quirks from the generic section also apply to NFS-backed PersistentVolumes.
215+
216+
The reason `no_root_squash` is currently required is due to how DMS (the container) does initial fs setup. The container currently utilizes a lot of post-init directory creation and ownership changing done as root. It does not use techniques such as permissive initial directory creation that is locked down after various service users have made their respectively-owned directories.
217+
202218
## Upgrading to Version 5
203219
Version 5.0 upgrades docker-mailserver to version 15. This version of the chart *does* include backwards incompatible changes
204220

0 commit comments

Comments
 (0)