I am not sure whether PostgreSQL depends on the system call `fsyncdata` to sync data to disk. If yes, then I don't think it's safe to use NFS. When `fsyncdata` returns success, it doesn't mean the data has really been synced to disk. But if PostgreSQL crashes right after it returns success to clients, eventually it breaks the D (Durability) of ACID.
Benjamin

On Mon, Jul 14, 2025 at 7:31 PM Tom Lane <t...@sss.pgh.pa.us> wrote:

> "Peter J. Holzer" <hjp-pg...@hjp.at> writes:
> > On 2025-07-14 10:07:20 -0400, Tom Lane wrote:
> >> That is primarily for safety reasons: if for some reason the
> >> filesystem gets dismounted, or hasn't come on-line yet during
> >> a reboot, you do not want Postgres to be able to write on the
> >> underlying mount-point directory.
> >
> > Be careful: There are two different directories involved in a mount
> > point. The one in the parent filesystem and the one in the mounted file
> > system.
>
> True, and the safety requirement really is only that the parent
> filesystem's mount-point directory not be writable by us.
> But normal practice is that both directories are root-owned,
> or at least owned by highly privileged users.
>
> (I have a vague idea that there are system-level security hazards,
> not specific to Postgres, if mount-point directories are publicly
> writable. Don't feel like researching that though.)
>
> regards, tom lane
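
A check for the mount-point layout discussed in the quoted messages, as an added example that is not part of the thread or of PostgreSQL: it flags a data directory that is itself a mount point and a mount-point directory the service account can write to. The function names, the finding strings and the temporary-directory layout are assumptions made for illustration.

```python
import os
import stat
import tempfile

DATA_DIR_IS_MOUNT_POINT = "data directory is itself a mount point"
MOUNT_ROOT_WRITABLE = "mount point directory is writable by the service account"

def nearest_mount_point(path):
    """Walk up from path to the directory its filesystem is mounted on."""
    path = os.path.realpath(path)
    # os.path.ismount compares device/inode with the parent, so a bind mount
    # of the same filesystem is not detected; "/" always ends the loop.
    while not os.path.ismount(path):
        path = os.path.dirname(path)
    return path

def writable_by(mode, owner_uid, owner_gid, uid, gids):
    """Mode-bit write check for (uid, gids); ACLs are ignored."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def audit_data_dir(data_dir, uid, gids):
    """Return (mount_point, findings) for a data directory path."""
    real = os.path.realpath(data_dir)
    mount = nearest_mount_point(real)
    findings = []
    if real == mount:
        findings.append(DATA_DIR_IS_MOUNT_POINT)
    st = os.stat(mount)  # while mounted, this is the mounted filesystem's root
    if writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids):
        findings.append(MOUNT_ROOT_WRITABLE)
    return mount, findings

if __name__ == "__main__":
    # Constructed layout: <tmp>/pgdata stands in for <mount point>/pgdata.
    with tempfile.TemporaryDirectory() as top:
        pgdata = os.path.join(top, "pgdata")
        os.mkdir(pgdata, 0o700)
        print(audit_data_dir(pgdata, os.getuid(), set(os.getgroups())))
```

While the filesystem is mounted, `os.stat` on the mount point sees only the mounted filesystem's root directory; the parent filesystem's directory underneath can be checked with `writable_by` only while the filesystem is unmounted.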