# Configure Aerospike to run as non-root

This page describes how to configure Aerospike to run as a non-root user. On an Aerospike system running with the default root privileges, a non-root user on the same system cannot access the logs collected by `collectlogs`.

## Configure an Aerospike node

Use the following steps to configure a new installation of Aerospike to run as a non-root user.

1.  If necessary, install Aerospike as described in the [install documentation](https://aerospike.com/docs/database/install/linux).
    
2.  If upgrading an existing installation:
    
    1.  Stop the Aerospike `asd` process. See [Aerospike daemon management](https://aerospike.com/docs/database/manage/database/daemon).
        
    2.  Check the ownership of the shared memory segments. Segments with the prefix `0xae` hold the Aerospike primary index, segments with the prefix `0xa2` hold the secondary index, and segments with the prefix `0xad` store data for an in-memory namespace.
        
        ```bash
        ipcs -m
        ------ Shared Memory Segments --------
        key        shmid      owner      perms      bytes      nattch     status
        0xae001100 0          root       666        1073741824 1
        0xae002100 1          root       666        1073741824 1
        0xad001000 2          root       666        536870912  1
        0xad001001 3          root       666        536870912  1
        ```
        
    3.  Remove the existing shared memory blocks owned by Aerospike (if not storage engine memory), then restart Aerospike. This forces a cold start with shared memory blocks created by the non-root user and group.
        
        ```bash
        ipcs | grep -oE "^0xa[2de][0-9a-f]*" | sudo xargs -i ipcrm -M {}
        ```
        
        To avoid a cold restart, use a special script to change ownership of shared memory. For more information, see [Fast restart](https://aerospike.com/docs/database/manage/database/fast-start).
        
3.  Set `User` and `Group` to the non-root user and group in `/lib/systemd/system/aerospike.service`.
    
    ```bash
    [Service]
    User=AEROSPIKE-USER
    Group=AEROSPIKE-GROUP
    ```
    
4.  Ensure that the server is configured to use console logging.
    
    ```bash
    logging {
        console {
            context any info
        }
    }
    ```
    
5.  Configure file resources used by namespaces.
    
    If your namespace data is configured for persistence to a file, AEROSPIKE-USER must have write and file-creation permissions for the directory that contains the specified file. Example:
    
    ```bash
    namespace bar {
        ...
        storage-engine device {
            file /opt/aerospike/data/bar.data
            ...
        }
    }
    ```
    
6.  If you are using SSDs as raw devices, you must give ownership of the devices to AEROSPIKE-USER. To do so, either add AEROSPIKE-USER to the disk group or add a udev rule that names AEROSPIKE-USER as the device owner.
    
    1.  Add user to disk group.
        
        ```bash
        sudo usermod -a -G nameOfDiskGroup AEROSPIKE-USER
        ```
        
        Or,
        
    2.  Add a udev rule, similar to the following, to the file `/etc/udev/rules.d/99-aerospike.rules`. This rule sets AEROSPIKE-USER as the owner of the devices `/dev/sdb` and `/dev/sdc`.
        
        ```bash
        KERNEL=="sd[bc]", OWNER="AEROSPIKE-USER"
        ```
        
        Save this file, then reload and trigger the udev rules.
        
        ```bash
        udevadm control --reload-rules
        udevadm trigger
        ```
        
        SSDs used as filesystems, such as a [flash index](https://aerospike.com/docs/database/manage/namespace/primary-index/#primary-index-on-flash), need the same directory ownership and permissions detailed in Step 2.
        
7.  Change ownership of additional directories.
    
    ```bash
    # Give read-write access to system metadata
    chown -R AEROSPIKE-USER:AEROSPIKE-GROUP /opt/aerospike/smd

    # Give read-write access for persisting User-Defined Functions (UDFs)
    chown -R AEROSPIKE-USER:AEROSPIKE-GROUP /opt/aerospike/usr

    # If you are using file storage
    chown -R AEROSPIKE-USER:AEROSPIKE-GROUP /opt/aerospike/data/
    ```
    
8.  Set the following Linux kernel parameters. In an all-flash deployment, these parameters are required for the node to start. Set these values before running the Aerospike server. Enable `enforce-best-practices` in `aerospike.conf` to prevent the server from starting when any best practice isn't being followed.
    
    ```bash
    /proc/sys/vm/dirty_bytes = 16777216
    /proc/sys/vm/dirty_background_bytes = 1
    /proc/sys/vm/dirty_expire_centisecs = 1
    /proc/sys/vm/dirty_writeback_centisecs = 10
    ```
    
9.  If you are using SSDs as raw devices or for the index as [flash index](https://aerospike.com/docs/database/manage/namespace/primary-index/#primary-index-on-flash), you must give ownership of the devices to AEROSPIKE-USER. To do so, either add AEROSPIKE-USER to the disk group or add a udev rule that names AEROSPIKE-USER as the device owner.
    
    Add user to disk group.
    
    ```bash
    sudo usermod -a -G nameOfDiskGroup AEROSPIKE-USER
    ```
    
    Or,
    
    Add a udev rule similar to the following to the file `/etc/udev/rules.d/99-aerospike.rules`. This rule sets AEROSPIKE-USER as the owner of the devices `/dev/sdb` and `/dev/sdc`.
    
    ```bash
    KERNEL=="sd[bc]", OWNER="AEROSPIKE-USER"
    ```
    
    Save this file, then reload and trigger the udev rules.
    
    ```bash
    udevadm control --reload-rules
    udevadm trigger
    ```
    
10.  Check for success. After you make these changes, start the node.
     
     The Aerospike server can be started only by a root user or by a user with sudo permissions. The running process, however, is owned by the non-root user.
     
     For options on starting the server, see [Aerospike Daemon Management](https://aerospike.com/docs/database/manage/database/daemon).
     
     Verify with `ipcs -m` that the Aerospike shared memory segments are correctly owned.
     
     If there are errors, the Aerospike Daemon (asd) process does not start. Examine the logs for messages about which resources require attention.
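
The ownership and kernel-parameter checks from the steps above can be run as one audit after the node starts. The script below is an added example, not Aerospike tooling; the function names and the `AEROSPIKE_USER` environment variable are assumptions, and it needs only POSIX `sh`, `awk` and `find`.

```bash
# Added example (not Aerospike tooling): audit a node after the non-root switch.
# Function names and the AEROSPIKE_USER variable are assumptions of this example.

# Read `ipcs -m` output on stdin; print Aerospike segments not owned by user $1.
# Key prefixes from the page: 0xae primary index, 0xa2 secondary index,
# 0xad in-memory namespace data.
shm_wrong_owner() {
    awk -v want="$1" '
        $1 ~ /^0xa[e2d][0-9a-f]*$/ && $3 != want {
            p = substr($1, 1, 4)
            kind = "in-memory-data"
            if (p == "0xae") kind = "primary-index"
            if (p == "0xa2") kind = "secondary-index"
            printf "%s %s owner=%s\n", $1, kind, $3
        }'
}

# Print the dirty-page settings under directory $1 (default /proc/sys/vm) that
# differ from the values the page lists as required for all-flash deployments.
vm_params_wrong() (
    dir="${1:-/proc/sys/vm}"
    while read -r name want; do
        got=$(cat "$dir/$name" 2>/dev/null || echo missing)
        [ "$got" = "$want" ] || echo "$name want=$want got=$got"
    done <<'EOF'
dirty_bytes 16777216
dirty_background_bytes 1
dirty_expire_centisecs 1
dirty_writeback_centisecs 10
EOF
)

# Print entries under the given directories that are not owned by user $1.
# Directories that do not exist are skipped silently.
paths_wrong_owner() (
    user="$1"; shift
    find "$@" ! -user "$user" -print 2>/dev/null
)

# Audit the live node only when AEROSPIKE_USER is set in the environment.
if [ -n "${AEROSPIKE_USER:-}" ]; then
    ipcs -m | shm_wrong_owner "$AEROSPIKE_USER"
    vm_params_wrong
    paths_wrong_owner "$AEROSPIKE_USER" \
        /opt/aerospike/smd /opt/aerospike/usr /opt/aerospike/data
fi
```

Any line of output names a resource that still needs attention; an empty result means every check passed.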