Update non-root operation
* Remove non-root instructions for docker systemd; behavior is different for docker
* Change listening port pairs to have container continue to listen on port 514 (`-p 2514:514`)
Mark Bonsack committed Feb 3, 2020
1 parent 61ebed7 commit 1f3e1ee
Showing 2 changed files with 4 additions and 59 deletions.
56 changes: 0 additions & 56 deletions docs/gettingstarted/docker-systemd-general.md
Expand Up @@ -293,59 +293,3 @@ If you see http server errors such as 4xx or 5xx responses from the http (HEC) e
incorrectly. If validating/fixing the configuration fails to correct the problem, proceed to the "Troubleshooting" section for more
information.

# SC4S non-root operation

To operate SC4S as a user other than root, follow the instructions above, with these modifications:

## Prepare SC4S user

Create a non-root user in which to run SC4S and prepare podman for non-root operation:

```bash
sudo useradd -m -d /home/sc4s -s /bin/bash sc4s
sudo su - sc4s
mkdir -p /home/sc4s/local
mkdir -p /home/sc4s/archive
mkdir -p /home/sc4s/tls
podman system migrate
```

## Initial Setup

NOTE: Be sure to exectute all instructions below as the SC4S user created above with the exception of changes to the unit file,
which requires sudo access.

Make the following changes to the unit file(s) configured in the main section:

* Add the name of the user created above immediately after the Service declaration, as shown in the snippet below:

```
[Service]
User=sc4s
```

* Replace all references to `/opt/sc4s` in the "Environment" declarations with `/home/sc4s`. Make sure _not_ to change the
right-hand-side of the mount. For example:

```
Environment="SC4S_LOCAL_CONFIG_MOUNT=-v /home/sc4s/local:/opt/syslog-ng/etc/conf.d/local:z"
```

* Replace all references to standard UDP/TCP listening ports (typically 514) with arbirtrary high-numbered (> 1024) ports so
that the container can listen without root privleges:

```
ExecStart=/usr/bin/docker run -p 2514:2514 -p 2514:2514/udp -p 6514:6514
```

If not done in the "Prepare SC4S user" above, create the three local mount directories as instructed in the main instructions,
replacing the head of the directory (`/opt/sc4s`) with the sc4s service user's home directory as shown below:
```
mkdir /home/sc4s/local
mkdir /home/sc4s/archive
mkdir /home/sc4s/tls
```

## Remaining Setup

The remainder of the setup can be followed directly from the main setup instructions.
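
Review bot: Deleting the whole "SC4S non-root operation" section leaves the docker/systemd guide with no statement on non-root operation, so a reader cannot tell whether it is unsupported or simply undocumented. The commit message says behavior is different for docker; a short note in place of the section saying so, and pointing to the podman guide for the non-root steps, would stop readers from reapplying the old instructions from memory or from an older copy of the page. The removed text also mixed `podman system migrate` with an `ExecStart=/usr/bin/docker run` line, which supports removing it rather than patching it in place.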
7 changes: 4 additions & 3 deletions docs/gettingstarted/podman-systemd-general.md
Expand Up @@ -313,11 +313,12 @@ right-hand-side of the mount. For example:
Environment="SC4S_LOCAL_CONFIG_MOUNT=-v /home/sc4s/local:/opt/syslog-ng/etc/conf.d/local:z"
```

* Replace all references to standard UDP/TCP listening ports (typically 514) with arbirtrary high-numbered (> 1024) ports so
that the container can listen without root privleges:
* Replace all references to standard UDP/TCP outside listening ports (typically 514) on the _left hand side only_ of the port pairs
with arbirtrary high-numbered (> 1024) ports so that the container can listen without root privleges. The right hand side of the pairs
(also typically 514) should remain unchanged:

```
ExecStart=/usr/bin/podman run -p 2514:2514 -p 2514:2514/udp -p 6514:6514
ExecStart=/usr/bin/podman run -p 2514:514 -p 2514:514/udp -p 6514:6514
```

If not done in the "Prepare SC4S user" above, create the three local mount directories as instructed in the main instructions,
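
Review bot: The rewritten bullet still ends with "so that the container can listen without root privleges", but with the right-hand side left at 514 nothing changes inside the container; only the host-side port moves to 2514. The text should say that it is the host port binding that no longer needs root, and that syslog sources must now send to the high host port (2514 in the example) or be redirected to it, otherwise traffic still aimed at 514 will not reach SC4S. The added lines also carry over the misspellings "arbirtrary" and "privleges" from the lines they replace.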