How to Run FileCatalyst Server as a Non-Root Service
Posted by Jeyram Sachchithananthan, Last modified by Jeyram Sachchithananthan on 17 August 2021 02:05 PM

Overview
The FileCatalyst Server has the ability to run as a service on Linux installations. By default, the service runs as the root user to facilitate the install and configuration of the service and has read/write access to all mount points used.
Running the FileCatalyst Server as a non-root user can also be accomplished, and this article will provide steps on how to achieve this.

Note:

  • Default ports used by the FileCatalyst Server must be on a port range above 1024. The port range of 1-1024 is restricted to root users.
  • Some features (such as chown on uploads) will not work, as the user running the application will no longer have file system access to perform the operations.
  • Please ensure that the user running the application will also have full access (read, read-write) to the user's home directories and any mount points used.
  • The instructions below are intended for a fresh install; if you are converting an existing installation, make sure all mount and storage paths are owned by the user running the FileCatalyst Server service.


Environment
FileCatalyst Server v3.8.2 and newer
Linux OS.

Resolution

Note: The following steps must be performed as the root user. Do not skip any steps.

  1. Install the FileCatalyst Server in the default recommended path, which is /opt/utechsoft/server.

  2. Complete the rest of the installation, such as enabling the Remote Admin and setting up a Remote Administration password as per standard instructions. For further information, please refer to our Quickstart Guide.

    Note:
    Licensing of the FileCatalyst Server should be skipped. Licensing should be performed once the FileCatalyst Server is set to run as a non-root user; the instructions are available later in this guide.

    > root@deb10:/opt# mkdir -p /opt/utechsoft/server
    > root@deb10:/opt# cd /opt/utechsoft/server
    > root@deb10:/opt/utechsoft/server# tar -zxvf fc_server.tar.gz

  3. Install the service scripts found under the /opt/utechsoft/server/service_wrapper/ directory. You can use the /opt/utechsoft/server/service_wrapper/SERVICE_WRAPPER_README for assistance.

    > root@deb10:/opt# cd /opt/utechsoft/server/service_wrapper/
    > root@deb10:/opt/utechsoft/server/service_wrapper# ./install.sh

  4. Start the service script (it will run as root for now). Use the command service fcserver start to start the service.

    Start the service:
    > root@deb10:/opt/utechsoft/server/service_wrapper# service fcserver start

    Check status:
    > root@deb10:/opt/utechsoft/server/service_wrapper# service fcserver status

    Verify service properties and PID:
    > root@deb10:/opt/utechsoft/server/service_wrapper# ps -ef  | grep java

  5. Stop the service using service fcserver stop.

    > root@deb10:/opt/utechsoft/server/service_wrapper# service fcserver stop

    At this point, we know we have a working FileCatalyst Server ready to be configured as a non-root service.

  6. Ensure a user has been defined on the operating system.  For this article, the user is called fcuser.

  7. Modify the application directory so that the fcuser user owns it.

    > root@deb10:/opt/utechsoft/server# chown -R fcuser:fcuser /opt/utechsoft/server/


  8. Modify the configuration file fcconf.conf, and ensure the control channel ports are set above 1024. Only the root user can open up lower-level ports (1-1023).

    These have standard values below 1024, so they need to be modified to use higher port values. For example:

    FCServer.server.config.port=2021
    FCServer.server.config.ssl.port=2990

  9. Modify service script /etc/systemd/system/fcserver.service by running the command systemctl edit --full fcserver.service to make the following changes:

    > root@deb10:/opt/utechsoft# systemctl edit --full fcserver.service

    Add the following lines under the [Service] section to run this service as the fcuser user:
    User=fcuser
    Group=fcuser

    Add a PIDFile entry to specify a custom path:
    PIDFile=/opt/utechsoft/server/run/wrapper.fcserver.pid

    Add the custom PID file path to the ExecStart/ExecStop commands:
    -Dwrapper.pidfile=/opt/utechsoft/server/run/wrapper.fcserver.pid


  10. Create a directory where the service script can record its PID, and change its ownership to the non-root user.

    > root@deb10:/opt/utechsoft/server# mkdir -p /opt/utechsoft/server/run/
    > root@deb10:/opt/utechsoft/server# chown -R fcuser:fcuser /opt/utechsoft/server/run/

  11. Verify and change the ownership of the directories created by the FileCatalyst Server in /tmp to the new user.

    > root@deb10:/opt/utechsoft/server# chown -R fcuser:fcuser /tmp/FileCatalystTemp/
    > root@deb10:/opt/utechsoft/server# chown -R fcuser:fcuser /tmp/hsperfdata_fcuser/


  12. Verify and change the permissions of the newly created SYSTEM_ID and requestStr.properties files to read/write by running the command chmod a+rw:

    > root@deb10:/opt/utechsoft/server# chmod a+rw /opt/utechsoft/server/SYSTEM_ID
    > root@deb10:/opt/utechsoft/server# chmod a+rw /opt/utechsoft/server/requestStr.properties


  13. Since we have made some changes to the service unit file fcserver.service, we have to run the command below to discard the previous configuration and re-run all generators, which reloads the new configuration.

    > root@deb10:/opt/utechsoft/server# systemctl daemon-reload

    The FileCatalyst service should now be able to start as the non-root user. Run the following commands:

    > root@deb10:/opt/utechsoft/server# service fcserver start
    > root@deb10:/opt/utechsoft/server# service fcserver status


  14. Verify that the FileCatalyst Server is running by executing the following command:

    > root@deb10:/opt/utechsoft/server# ps -ef | grep java


  15. Please refer to our Quickstart Guide and Licensing KB to license the FileCatalyst Server as well as enabling the Remote Administration of the FileCatalyst Server.

  16. Run these commands one last time prior to starting the FileCatalyst Server service as a non-root user service:

    > root@deb10:/opt/utechsoft/server# service fcserver stop
    > root@deb10:/opt/utechsoft/server# chown -R fcuser:fcuser /opt/utechsoft/server/
    > root@deb10:/opt/utechsoft/server# chmod a+rw /opt/utechsoft/server/SYSTEM_ID

    It is also highly recommended to check the service wrapper log file (/opt/utechsoft/server/logs/wrapper.log) to ensure that no permission errors or exceptions are seen. These are indications that you need to take steps to give file system access to the user running the FileCatalyst Server.
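
The conditions this procedure depends on can be checked with a script. The following is an added example, not FileCatalyst's own tooling: it reports control ports that are not above 1024, [Service] directives missing from the unit file, and files under the install directory that the service user does not own. The function names, the script name audit.sh and the argument order are assumptions of the example, and the location of fcconf.conf is passed in because the article does not give it.

```shell
#!/bin/sh
# Added example (not vendor code): audit the non-root FileCatalyst setup.
# Usage: sh audit.sh INSTALL_DIR FCCONF_PATH UNIT_FILE USER

# Print control-port settings whose value is not above 1024.
low_ports() {  # $1 = fcconf.conf
    awk -F= '/^FCServer\.server\.config\.(ssl\.)?port=/ {
        gsub(/[ \t\r]/, "", $2)
        if ($2 + 0 <= 1024) print $1 "=" $2
    }' "$1"
}

# Print each expected [Service] directive that is absent from the unit file.
# Matching is exact because systemd directive names are case-sensitive.
missing_unit_keys() {  # $1 = unit file, $2 = user, $3 = PID file path
    for want in "User=$2" "Group=$2" "PIDFile=$3"; do
        awk -v want="$want" '
            /^\[/ { in_svc = ($0 == "[Service]") }
            in_svc && $0 == want { found = 1 }
            END { exit !found }' "$1" || echo "$want"
    done
}

# Print every entry under a path that the service user does not own.
not_owned() {  # $1 = path, $2 = user name or numeric uid
    find "$1" ! -user "$2"
}

# Run all three checks; return 1 if any of them reports a finding.
audit() {  # $1 = install dir, $2 = fcconf.conf, $3 = unit file, $4 = user
    rc=0
    out=$(low_ports "$2")
    [ -z "$out" ] || { echo "port not above 1024: $out"; rc=1; }
    out=$(missing_unit_keys "$3" "$4" "$1/run/wrapper.fcserver.pid")
    [ -z "$out" ] || { echo "unit file lacks: $out"; rc=1; }
    out=$(not_owned "$1" "$4")
    [ -z "$out" ] || { echo "not owned by $4: $out"; rc=1; }
    return "$rc"
}

if [ "$#" -eq 4 ]; then audit "$@"; fi
```

Run it as root after step 16 with /opt/utechsoft/server, the path to fcconf.conf, /etc/systemd/system/fcserver.service and fcuser as the four arguments; an exit status of 0 means none of the three checks reported a finding.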
