Hi help-guix,
I am trying to create a database container with persistent data. I am
following the example in the cookbook
(https://guix.gnu.org/cookbook/en/html_node/A-Database-Container.html).
Since containers are ephemeral, I think the data written to the database
will be wiped every time I close the process.
There is of course a --share option that can be passed to `guix system
container`. By this mechanism I have managed to extract the initial data
generated when the database is initialized (by passing
--share=$PWD/pgdata=/pgdata, using nsenter to enter the container
namespace, and cp/mv-ing the /var/lib/postgresql/data to /pgdata).
However, the database server runs as a dedicated user `postgres` with an
automatically generated user ID. When the initial database state is
created, all files owned by the database have the postgres user's UID
and GID. On the host, these files are listed as being owned by
ntpd/polkit which I assume is a collision with the IDs used in the
container. If I copy rather than move the files, then I can ensure they
are owned by root in both. Neither of these is ideal.
In particular, since I don't own the files on the host, the call to
`guix system container` fails the second time I run it. The error is
guix/ui.scm:921:18: In procedure car: Wrong type argument in position 1
(expecting pair): #f
but I assume that really means "you do not own the directory you are
trying to share". I assume I can run the call with sudo but I don't
think this is a good solution.
I think the ideal situation would be that the files on the host are
owned by me, and in the container the files are owned by postgres. One
hack that might work would be to automatically chown the files at
startup. I haven't tried this, and I'm not sure it would work since it
might interfere with postgres being able to start. I think it is
possible in principle for a file to have different UID/GID within a
namespace than outside, using the /etc/subuid file. But I literally just
found out this capacity exists, and even if I am understanding it
correctly, I am not sure how to make it work properly with guix containers.
The only thing I could find online even remotely discussing this was
this article
(https://issues.genenetwork.org/topics/guix/guix-system-containers-and-how-we-use-them)
which does not talk explicitly about the permission issue. The linked
code appears to do a chown but I'm not sure.
I'm posting here in the hopes that someone else has thought about the
problem in more detail.
Best wishes,
Dan
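Added example (not from the mail or from Guix): a small Python model of what happens to the owner UID of a file the container writes into a shared directory, with and without a subuid-style remapping. The passwd and subuid lines are constructed samples, and the mapping layout (container 0 to the owner, container n to first + n - 1) is an assumption borrowed from rootless container runtimes, not something the mail says Guix does.

```python
# Constructed host /etc/passwd excerpt (name:x:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
ntpd:x:997:997:NTP daemon:/var/empty:/nologin
polkitd:x:998:998:Polkit daemon:/var/empty:/nologin
dan:x:1000:1000:Dan:/home/dan:/bin/bash
"""
# Constructed /etc/subuid line: user:first_host_uid:count.
SAMPLE_SUBUID = "dan:100000:65536\n"

def parse_passwd(text):
    """Return {uid: account name} from passwd-format text."""
    table = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            table[int(fields[2])] = fields[0]
    return table

def parse_subuid(text, user):
    """Return (first_host_uid, count) for `user`, or None if unmapped."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 3 and fields[0] == user:
            return int(fields[1]), int(fields[2])
    return None

def host_uid(container_uid, owner_uid, subuid_range):
    """UID the host stores on disk for a file written inside the container.
    No mapping (the case in the mail): the number passes through unchanged and
    collides with whatever host account has that UID.  With a mapping (assumed
    layout, as rootless runtimes use: 0 -> owner, n >= 1 -> first + n - 1) the
    file lands in the owner's subordinate range instead."""
    if subuid_range is None:
        return container_uid
    if container_uid == 0:
        return owner_uid
    first, count = subuid_range
    if not 1 <= container_uid <= count:
        raise ValueError(f"container uid {container_uid} outside mapped range")
    return first + container_uid - 1

def owner_on_host(container_uid, owner_uid, subuid_text, passwd_text, user):
    """Name `ls -l` on the host would print for a container-written file."""
    uid = host_uid(container_uid, owner_uid, parse_subuid(subuid_text, user))
    return parse_passwd(passwd_text).get(uid, f"<no host account for uid {uid}>")
```

With no mapping, a container `postgres` account that happens to have UID 997 shows up on the host as `ntpd`, which is the collision the mail describes; with the sample subuid range it becomes UID 100996, owned by no host account but inside the owner's allotted range.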
- Can't share data between host and container due to UID m... Daniel Littlewood