
Root access is not required for installation and operations #7697

Closed
jseldess opened this issue Jul 2, 2020 · 10 comments

Comments

@jseldess (Contributor) commented Jul 2, 2020

Jesse Seldess commented:

From @dbist, a customer asked if cockroach can be installed, initialized, upgraded, downgraded, scaled, decommissioned, stopped, etc., without OS root access. According to @bdarnell, there are no basic cockroach operations that require root, though there are some cases where additional systems like systemd do for installation (called out in the docs here).

We should find a way to be explicit that root access isn't a requirement, and we may want to consider updating our deployment docs to use a non-root user (e.g., cockroach_user).

Jira Issue: DOC-582

@jseldess (Contributor, Author) commented Jul 2, 2020

@taroface, @johnrk for triage and prioritization.

@sheaffej (Contributor) commented Jul 2, 2020

Agreed, and the fact that the database super-user is also named root is a common area of confusion, although CockroachDB is not unique in this respect. Both PG and MySQL have the same problem, as they have moved to deployments using non-privileged OS accounts (i.e., the OS user is no longer root, but the initial DB admin is still named root).

@taroface (Contributor) commented Jul 2, 2020

How about the following updates:

  • Add a callout to the Production Checklist and all deployment docs stating that root access isn't a requirement
  • Where necessary, add a step to deployment docs in which a non-root user (e.g., cockroach) is created

@drewdeally commented

@jseldess, the following summary was provided:

Installation is written for a non-root user. 

The following is a high-level description of the tasks which need to be performed by the root or sudo user to allow a non-privileged user such as cockroach to complete the install. All steps assume the unix user is cockroach.

Privileged actions:

  • Create the Cockroach user
  • Access to the certificates directory
  • Create the Cockroach data file system /Data
  • Set the owner of /Data to the Cockroach user
  • Update Linux packages to latest: sudo yum update
  • Time synchronization setup, for example: sudo apt-get install chrony -y
  • Install the Cockroach binary: cp -i cockroach-v20.1.3.linux-amd64/cockroach /usr/local/bin/
  • Unblock ports 26257 and 8080 (firewall settings)
  • Set file descriptor limits, for example by adding nofile limits for cockroach to /etc/security/limits.conf
  • Using systemd: sudo systemctl start cockroach.root.service
  • Virtual memory settings
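The privileged bootstrap described in the summary above, as an added example that is not part of the issue thread or of the CockroachDB docs. It is a POSIX shell script a root/sudo operator runs once so that the unprivileged `cockroach` account can run the node afterwards: it creates the service user, sets ownership of the data and certificate directories, installs a root-owned binary, scopes the nofile limit to that user, and writes a systemd unit that drops to that user. The user name, /Data, the certs path, the unit name, the join list and the limit value are assumptions; `DRY_RUN=1` prints the privileged commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the issue or the CockroachDB docs: the one-time
# privileged bootstrap a root/sudo operator performs so that an unprivileged
# "cockroach" account can run the node afterwards. The user name, /Data,
# certs path, unit name, join list and nofile limit are assumptions.
# Set DRY_RUN=1 to print the privileged commands instead of executing them.

CRDB_USER="${CRDB_USER:-cockroach}"
CRDB_DATA="${CRDB_DATA:-/Data}"
CRDB_CERTS="${CRDB_CERTS:-/etc/cockroach/certs}"
CRDB_JOIN="${CRDB_JOIN:-node1:26257,node2:26257,node3:26257}"   # assumed peers
NOFILE_LIMIT="${NOFILE_LIMIT:-65536}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a privileged command, or just echo it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Write stdin to the file named in $1, or echo it when DRY_RUN=1.
write_file() {
  if [ "$DRY_RUN" = "1" ]; then printf '+ write %s\n' "$1"; cat; else cat > "$1"; fi
}

# limits.conf entries scoped to the service user only (not "*"), soft and hard.
render_limits_conf() {
  printf '%s soft nofile %s\n%s hard nofile %s\n' "$1" "$2" "$1" "$2"
}

# systemd unit that drops to the service user; cockroach itself never runs as root.
# $1 = user, $2 = store directory, $3 = certs directory
render_systemd_unit() {
  cat <<EOF
[Unit]
Description=CockroachDB node
After=network-online.target
Wants=network-online.target

[Service]
User=$1
Group=$1
LimitNOFILE=$NOFILE_LIMIT
ExecStart=/usr/local/bin/cockroach start --certs-dir=$3 --store=$2 --listen-addr=:26257 --http-addr=:8080 --join=$CRDB_JOIN
Restart=on-failure
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
EOF
}

# Check: a unit file runs unprivileged only if User= is set and is not root.
unit_runs_unprivileged() {
  u=$(sed -n 's/^User=//p' "$1")
  [ -n "$u" ] && [ "$u" != "root" ]
}

provision() {
  # nologin path differs between distros (assumed /usr/sbin/nologin here)
  run useradd --system --shell /usr/sbin/nologin --home-dir "$CRDB_DATA" "$CRDB_USER"
  run mkdir -p "$CRDB_DATA" "$CRDB_CERTS"
  run chown "$CRDB_USER:$CRDB_USER" "$CRDB_DATA" "$CRDB_CERTS"
  run chmod 700 "$CRDB_DATA" "$CRDB_CERTS"
  # the binary stays root-owned and not writable by the service user
  run install -o root -g root -m 0755 ./cockroach /usr/local/bin/cockroach
  render_limits_conf "$CRDB_USER" "$NOFILE_LIMIT" | write_file /etc/security/limits.d/cockroach.conf
  render_systemd_unit "$CRDB_USER" "$CRDB_DATA" "$CRDB_CERTS" | write_file /etc/systemd/system/cockroach.service
  run systemctl daemon-reload
  run systemctl enable --now cockroach.service
}

# Only provision when invoked as "sh provision.sh provision"; sourcing is harmless.
if [ "${1:-}" = "provision" ]; then provision; fi
```

Everything after this script (start, stop, upgrade by swapping the binary under `install`, decommission, scaling) runs as the `cockroach` user; the only step that touches root again is `systemctl`, which is the systemd case the issue calls out. Running `DRY_RUN=1 sh provision.sh provision` first is a cheap way to review exactly which commands will execute with privilege.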

@jseldess (Contributor, Author) commented Jul 7, 2020

Thank you, @drewdeally!

@BramGruneir (Member) commented

I've had this request a few times now from customers; please prioritize this update. Note that this is not about running the docker daemon as non-root, but about using a non-root user to run cockroach itself.

It should be as simple as passing in the --user flag when calling docker run.

@piyush-singh commented

cc @aaron-crl. Ryan, when you are ready to pick this up, please reach out to Aaron and me. We can discuss the necessary changes.

@exalate-issue-sync commented

Andrew Deally (drewdeally) commented:
This may be relevant, but we have had requests for guidance on roles, for example IAM roles for EC2.

linville (mdlinville) commented:
I went looking for what this might involve with the current docs today, and it seems like there might be some code changes required first, such as the default client cert CA username: https://www.cockroachlabs.com/docs/stable/recommended-production-settings#security

Then step 2 here also requires you to set the plist to root:wheel ownership: https://www.cockroachlabs.com/docs/stable/recommended-production-settings#increase-the-file-descriptors-limit

Here are all the results for “root user” in the current docs as they stand:

https://www.cockroachlabs.com/docs/search?query=root+user

Docs probably need an eng partner on this to figure out all the places to update if we want to remove any mention of running as the root user. The priority of this issue is pretty low. I will close this for now, and we can reopen it when it is more actionable.
