
Configure Aerospike to run as non-root

This page describes how to configure Aerospike to run as a non-root user. On an Aerospike system running with the default root privileges, a non-root user on the same system cannot access the logs collected by collectlogs.

Configure an Aerospike node

Use the following steps to configure a new installation of Aerospike to run as a non-root user.

  1. If necessary, install Aerospike as described in the install documentation.

  2. If upgrading an existing installation:

    1. Stop the Aerospike asd process. See Aerospike daemon management.

    2. Check the ownership of the shared memory segments. Segments with the prefix 0xae hold the Aerospike primary index, segments with the prefix 0xa2 hold the Aerospike secondary index, and segments with the prefix 0xad store data for an in-memory namespace.

      ipcs -m
      ------ Shared Memory Segments --------
      key        shmid  owner  perms  bytes       nattch  status
      0xae001100 0      root   666    1073741824  1
      0xae002100 1      root   666    1073741824  1
      0xad001000 2      root   666    536870912   1
      0xad001001 3      root   666    536870912   1
    3. Remove the existing shared memory blocks owned by Aerospike (if they are not storage-engine memory), then restart Aerospike. This forces a cold start in which the shared memory blocks are created by the non-root user and group.

      ipcs | grep -oE "^0xa[2de][0-9a-f]*" | sudo xargs -I {} ipcrm -M {}

      To avoid a cold restart, use a special script to change ownership of shared memory. For more information, see Fast restart.

  3. Set User and Group to the non-root user and group in /lib/systemd/system/aerospike.service.

    [Service]
    User=AEROSPIKE-USER
    Group=AEROSPIKE-GROUP
  4. Ensure that the server is configured to use console logging.

    logging {
        console {
            context any info
        }
    }
  5. Configure file resources used by namespaces.

    If your namespace data is configured for persistence to a file, AEROSPIKE-USER must have write and file-creation permission on the directory that contains the specified file. Example:

    namespace bar {
        ...
        storage-engine device {
            file /opt/aerospike/data/bar.data
            ...
        }
    }
  6. If you are using SSDs as raw devices, you must give ownership of the devices to AEROSPIKE-USER. To do so, either add AEROSPIKE-USER to the disk group, or add a udev rule that assigns ownership of the devices to AEROSPIKE-USER.

    1. Add user to disk group.

      sudo usermod -a -G nameOfDiskGroup AEROSPIKE-USER

      Or,

    2. Add a udev rule, similar to the following, to the file /etc/udev/rules.d/99-aerospike.rules. This rule sets AEROSPIKE-USER as the owner of the devices /dev/sdb and /dev/sdc.

      KERNEL=="sd[bc]", OWNER="AEROSPIKE-USER"

      Save this file, then reload and trigger the udev rules.

      udevadm control --reload-rules
      udevadm trigger

      SSDs used as filesystems, such as a flash index, need the same directory ownership and permissions detailed in Step 2.

  7. Change ownership of additional directories.

    # Give read-write access to system metadata
    chown -R AEROSPIKE-USER:AEROSPIKE-GROUP /opt/aerospike/smd
    # Give read-write access for persisting User-Defined Functions (UDFs)
    chown -R AEROSPIKE-USER:AEROSPIKE-GROUP /opt/aerospike/usr
    # If you are using file storage
    chown -R AEROSPIKE-USER:AEROSPIKE-GROUP /opt/aerospike/data/
  8. Tune the Linux kernel to the following required parameters. In an all-flash deployment, these kernel parameters are required for the node to start, so set them before running the Aerospike server. Enable enforce-best-practices in aerospike.conf to prevent the server from starting when any best practice isn't being followed.

    /proc/sys/vm/dirty_bytes = 16777216
    /proc/sys/vm/dirty_background_bytes = 1
    /proc/sys/vm/dirty_expire_centisecs = 1
    /proc/sys/vm/dirty_writeback_centisecs = 10
  9. If you are using SSDs as raw devices or as a flash index: you must give ownership of the devices to AEROSPIKE-USER. To do so, either add AEROSPIKE-USER to the disk group or add a udev rule that assigns ownership of the devices to AEROSPIKE-USER.

    Add user to disk group.

    sudo usermod -a -G nameOfDiskGroup AEROSPIKE-USER

    Or,

    Add a udev rule similar to the following to the file /etc/udev/rules.d/99-aerospike.rules. This rule sets AEROSPIKE-USER as the owner of the devices /dev/sdb and /dev/sdc.

    KERNEL=="sd[bc]", OWNER="AEROSPIKE-USER"

    Save this file, then reload and trigger the udev rules.

    udevadm control --reload-rules
    udevadm trigger
  10. Check for success. After you make these changes, start the node.

    The Aerospike server can be started only by a root user or by a user with sudo permissions. The running process, however, is owned by the non-root user.

    For options on starting the server, see Aerospike Daemon Management.

    Verify with ipcs -m that the Aerospike shared memory segments are correctly owned.

    If there are errors, the Aerospike Daemon (asd) process does not start. Examine the logs for messages about which resources require attention.
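As an added check (example script, not part of the Aerospike documentation), the following POSIX shell functions audit ipcs -m output for Aerospike segments (prefixes 0xae, 0xa2 and 0xad) still owned by someone other than the intended non-root user, and compare the four vm parameters from step 8 against their required values. The ipcs output and the user name "aerospike" are constructed sample input; the function names are this example's own.

```shell
#!/bin/sh
# Added example: verify the non-root switch described above.
# Constructed ipcs -m output, so the checks can run offline.
SAMPLE_IPCS='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0xae001100 0          root       666        1073741824 1
0xa2001100 5          aerospike  666        268435456  1
0xad001000 2          root       666        536870912  1
0x00001234 9          postgres   600        4096       2'

# Map an Aerospike shm key prefix to the segment type the doc describes.
aero_segment_type() {
  case "$1" in
    0xae*) echo "primary-index" ;;
    0xa2*) echo "secondary-index" ;;
    0xad*) echo "in-memory-data" ;;
    *)     echo "unknown" ;;
  esac
}

# Print "key type owner" for each Aerospike segment not owned by $2.
# $1 is ipcs -m output as text; $2 is the expected non-root user.
aero_foreign_segments() {
  printf '%s\n' "$1" | awk -v want="$2" '
    $1 ~ /^0xa[2de]/ && $3 != want { print $1, $3 }' |
  while read -r key owner; do
    echo "$key $(aero_segment_type "$key") $owner"
  done
}

# Succeed (exit 0) only when every Aerospike segment is owned by $2.
aero_check_shm_owner() {
  [ -z "$(aero_foreign_segments "$1" "$2")" ]
}

# Compare the required vm settings with the files under $1
# (defaults to /proc/sys/vm); print each mismatch and fail if any.
aero_check_vm_params() {
  dir=${1:-/proc/sys/vm}; bad=0
  for kv in dirty_bytes=16777216 dirty_background_bytes=1 \
            dirty_expire_centisecs=1 dirty_writeback_centisecs=10; do
    name=${kv%%=*}; want=${kv#*=}
    have=$(cat "$dir/$name" 2>/dev/null || true)
    [ "$have" = "$want" ] || { echo "$name: have '${have:-missing}', want $want"; bad=1; }
  done
  return $bad
}
```

Run the shm check on live output with `aero_check_shm_owner "$(ipcs -m)" AEROSPIKE-USER` after the node starts; any line it prints names a segment that still needs its owner fixed before the restart will succeed as that user.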
