Barman has been packaged to run as the barman system user. However, it can run as a different user. In this article we describe how to run Barman on a dedicated server using a different user, namely postgres.
The recommended method to install Barman is through the provided and certified Deb/RPM packages available from the public 2ndQuadrant repository.
2ndQuadrant has designed those packages to install a system user called barman, with /var/lib/barman as its home directory.
The package also manages the maintenance cron task (in /etc/cron.d/barman) and the logrotate configuration (in /etc/logrotate.d/barman), all designed to run as the barman user.
Having this in mind, setting up your dedicated Barman server to run as a different user is a straightforward process. In this article we describe the process from scratch, immediately after having installed the barman package on the system. We are going to use the postgres user, but you can choose a different one.
IMPORTANT: Do not install Barman on the same server where PostgreSQL is installed. For more information on the reasons behind this choice, please read the related articles listed at the end of this document.
If the postgres user already exists, you can skip this step. Please make sure the user is configured as a system user.
To create the postgres system user and group, run:
adduser -r -U postgres
This will set /home/postgres as home directory. If you want to change it to /var/lib/pgsql, please proceed as follows:
adduser -r -d /var/lib/pgsql postgres
In this example, we set /srv/barman as the main directory for Barman (this could also be a separate volume):
mkdir /srv/barman
# A directory needs the execute (search) bit to be entered; mode 660 would make it unusable.
chmod 770 /srv/barman
chown postgres:postgres /srv/barman
The package configures Barman in the standard /etc directory. We need to modify those configuration files to use postgres.
As a first step, please set the user postgres (instead of barman) in the cron file:
vi /etc/cron.d/barman
Then, change the user to postgres (instead of barman) for logrotate:
vi /etc/logrotate.d/barman
Finally, set the ownership of the log directory:
chown -R postgres:postgres /var/log/barman/
It is now time to edit the main Barman configuration file (/etc/barman.conf) and set:
barman_user = postgres
barman_home = /srv/barman
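The changes made so far (cron, logrotate, log directory ownership and barman.conf) can be checked in one pass. The script below is an added example, not part of the Barman packages or of the original procedure; the function name check_barman_user, its ROOT argument and the file layouts it expects (user in the sixth field of cron.d lines, owner on logrotate's su/create lines) are assumptions, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example, not part of the Barman packages. Audits a host after Barman
# was switched to another system user. ROOT is "" on the live host, or the
# path of a staged copy. Assumed formats: cron.d lines carry the user in
# field 6; logrotate names the owner in "su USER GROUP" or
# "create [MODE] USER GROUP".
check_barman_user() {
    root=$1 user=$2 rc=0
    note() { echo "FINDING: $*"; rc=1; }

    # cron.d: skip comments, blank lines and VAR=value lines.
    awk -v u="$user" 'NF == 0 || $1 ~ /^#/ || $1 ~ /^[A-Za-z_]+=/ {next}
        $6 != u {bad = 1} END {exit bad + 0}' "$root/etc/cron.d/barman" ||
        note "a job in /etc/cron.d/barman does not run as $user"

    # logrotate: the owner is the second-to-last field of su/create lines.
    awk -v u="$user" '($1 == "su" || $1 == "create") && NF >= 3 &&
        $(NF - 1) != u {bad = 1} END {exit bad + 0}' \
        "$root/etc/logrotate.d/barman" ||
        note "/etc/logrotate.d/barman still names another user"

    # barman.conf: the last "key = value" assignment wins.
    conf_get() {
        awk -F= -v k="$1" '{gsub(/[ \t]/, "", $1)} $1 == k {v = $2}
            END {gsub(/^[ \t]+|[ \t]+$/, "", v); print v}' "$root/etc/barman.conf"
    }
    [ "$(conf_get barman_user)" = "$user" ] ||
        note "barman_user in /etc/barman.conf is not $user"
    home=$(conf_get barman_home)

    # Both directories must belong to $user.
    for dir in "$home" /var/log/barman; do
        [ -d "$root$dir" ] || { note "directory '$dir' is missing"; continue; }
        [ "$(stat -c %U "$root$dir")" = "$user" ] ||
            note "$dir is not owned by $user"
    done
    # barman_home: the owner needs the search (x) bit, others get nothing.
    case $(stat -c %a "$root$home" 2>/dev/null) in
        *[1357]?0) ;;
        *) note "barman_home mode should look like 700, 750 or 770" ;;
    esac
    return $rc
}
# Usage on a live host, as root: check_barman_user "" postgres
```

The function prints one FINDING line per problem and returns non-zero if any were found, so it can also gate a configuration management run.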
If you plan to use WAL archiving from PostgreSQL to Barman via archive_command, remember you need to properly set the destination user for SSH connections. If you use barman-wal-archive as recommended, please remember to use the -U option. For more details, type barman-wal-archive --help.
Obviously, this is not the only way you can configure Barman to run with a different user. Barman was actually designed at the start to run with different users, each having their own configuration files (in ~/.barman.conf). However, the proposed approach is the simplest one and, most importantly, can be easily adopted in a configuration management tool.
Obviously, passwords to connect to the PostgreSQL server will reside in the ~postgres/.pgpass file. Keep that file at mode 0600: libpq ignores a password file that is readable by group or others.
As a final note, do not forget to add the periodic cron job to start base backups. Normally, a weekly backup on Saturday at 4AM for all PostgreSQL servers configured in the Barman instance, in sequence, is fine. For example, you can add this job to the postgres user's cron with crontab -e:
0 4 * * 6 [ -x /usr/bin/barman ] && /usr/bin/barman -q backup all