Changing Usergroup of asd process under systemd


Problem Description

When the user and group settings are used in the configuration file (aerospike.conf), they have no effect at all. The asd process still runs as root.

https://www.aerospike.com/docs/reference/configuration#user

https://www.aerospike.com/docs/reference/configuration#group

Explanation

With the standard SysVinit (/etc/init.d/) startup, as well as upstart, the asd process daemonizes. This means it performs a double fork (fork a new process, detach from and terminate the current one). This is standard procedure under Linux. During this double fork, aerospike forks a new asd process with the selected user/group. This is how the user/group selection works.

Under systemd, this does not happen. Systemd expects the asd process to remain in the foreground and write its logging to stdout, so that journald can take care of the log dispatch. asd supports this behaviour through the following process parameter: --fgdaemon

The output of ps will show asd process parameters as follows under systemd:

/usr/bin/asd --config-file /etc/aerospike/aerospike.conf --fgdaemon

Because the asd daemon stays in the foreground, does not detach from the current stdout/stderr/stdin pipes, and writes its logs to stdout, as systemd's design expects, it does not fork. Since asd does not fork, it cannot change the user/group it runs under. As a result, the asd process runs as whatever user systemd starts it as, which is ‘root’ by default.

Solution

Systemd allows you to specify the user/group under which a process should run in a drop-in (add-on) configuration file, as follows. Change aerospike to the chosen user/group to run under. Note that the user/group MUST resolve in PAM, i.e. it MUST exist!

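# Create the drop-in directory if it does not exist yet
mkdir -p /etc/systemd/system/aerospike.service.d
cat > /etc/systemd/system/aerospike.service.d/user.conf <<EOF
[Service]
User=aerospike
Group=aerospike
EOF
# Reload unit files and restart the service so the drop-in takes effect
systemctl daemon-reload
systemctl restart aerospike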
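
To confirm that the change took effect, the check below compares the User=/Group= values in the drop-in with the account the asd process actually runs as. It is an added example, not part of the original article or of Aerospike's tooling; the function names and the sample data are assumptions made for illustration.

```sh
#!/bin/sh
# Added example; the sample data below is constructed, not from a real host.

# Print the value of key $1 from the [Service] section of unit text on stdin.
# When a key is repeated, the last assignment is reported.
service_value() {
    awk -v key="$1" '
        /^[ \t]*[#;]/ { next }
        /^\[/ { in_service = ($0 ~ /^\[Service\][ \t]*$/); next }
        in_service && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }'
}

# Read "user group args" lines (live: ps -eo user:32,group:32,args) on stdin and
# print each asd process not running as user $1 / group $2.
# Returns 0 if all match, 1 on a mismatch, 3 if no asd process was seen.
asd_mismatches() {
    awk -v u="$1" -v g="$2" '
        $3 == "asd" || $3 ~ /\/asd$/ {
            seen = 1
            if ($1 != u || $2 != g) { print; bad = 1 }
        }
        END { exit (bad ? 1 : (seen ? 0 : 3)) }'
}

SAMPLE_DROPIN='[Service]
User=aerospike
Group=aerospike'
SAMPLE_PS='root root /usr/bin/asd --config-file /etc/aerospike/aerospike.conf --fgdaemon'

# Compare drop-in text ($1) with ps lines ($2); 2 means User=/Group= is unset.
verify() {
    want_user=$(printf '%s\n' "$1" | service_value User)
    want_group=$(printf '%s\n' "$1" | service_value Group)
    if [ -z "$want_user" ] || [ -z "$want_group" ]; then
        echo "UNSET: no User=/Group= in [Service]"; return 2
    fi
    bad=$(printf '%s\n' "$2" | asd_mismatches "$want_user" "$want_group") && { echo "OK: asd runs as $want_user:$want_group"; return 0; }
    rc=$?
    [ "$rc" -eq 3 ] && { echo "NOT RUNNING: no asd process found"; return 3; }
    echo "MISMATCH: $bad"; return 1
}

verify "$SAMPLE_DROPIN" "$SAMPLE_PS" || true   # constructed data: asd still runs as root
```

On a live host, pass the contents of the drop-in file and the output of the ps command named in the comment instead of the sample variables.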

Keywords

ASD SYSTEMD USER GROUP

Timestamp

10/27/17