[MCOL-4012] Enable ColumnStore to run as a non root user Created: 2020-05-20  Updated: 2021-01-25  Resolved: 2020-09-28

Status: Closed
Project: MariaDB ColumnStore
Component/s: installation
Affects Version/s: None
Fix Version/s: 5.4.1

Type: Task Priority: Major
Reporter: Roman Assignee: Roman
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
PartOf
includes MCOL-4194 Running As Non Root Failing Closed
includes MCOL-4195 CMAPI Cannot Communicate When Running... Closed
Problem/Incident
causes MCOL-4328 New segments files created as the res... Closed
Relates
relates to MCOL-4283 Crash/assertion failure after "RWLock... Closed

 Description   

MCS itself is perfectly fine running w/o root privileges except a couple of things:
ExeMgr, WriteEngine and PrimProc raise a number of open file descriptors so systemd units must contain LimitNOFILE=65536.
There are a number of directories that must have appropriate access modes and owners. Here is the list of related commands I run to get MCS working under an arbitrary user.

chown -R mcs /var/log/mariadb/columnstore/
chown -R mcs /etc/columnstore/
chown -R mcs /var/lib/columnstore/
chown -R mcs /tmp/columnstore_tmp_files/
chmod 764 /tmp/columnstore_tmp_files/

There is a relevant article on installing MCS under non-root user.

The upgrade from 1.2/4 to 1.5 must be tested.



 Comments   
Comment by Roman [ 2020-09-02 ]

For QA: All MCS services now run under the mysql user. Please run generic tests to confirm that MCS operates.

Comment by Daniel Lee (Inactive) [ 2020-09-15 ]

build tested: 1.5.4-1 (drone #631)

Verified that ColumnStore processes are running under the 'mysql' user, except:

root 13570 2.4 0.7 1392128 47264 ? Ssl 13:28 11:05 /opt/cmapi/python/bin/python3 -m cmapi_server

Development confirmed that this is per design for now.

There is a permission issue for cpimport. During cpimport, if new .cdf files need to be created, the files are created under 'root' user. Therefore, queries would fail. LDI using batch insert seems to be fine.

MariaDB [mytest]> select count from t1;
ERROR 1815 (HY000): Internal error: An unexpected condition within the query caused an internal processing error within Columnstore. Please check the log files for more details. Additional Information: error in BatchPrimitivePro

crit.log

Sep 15 21:03:11 localhost PrimProc[13143]: 11.365443 |0|0|0| C 28 CAL0000: thr_popper: Error opening file for OID 3321; /var/lib/columnstore/data1/000.dir/000.dir/012.dir/249.dir/000.dir/FILE001.cdf; Operation not permitted

-rw-r--r-- 1 root root 7938048 Sep 15 21:01 FILE003.cdf
-rw-r--r-- 1 root root 13508608 Sep 15 21:01 FILE002.cdf
-rw-r--r-- 1 root root 13508608 Sep 15 21:01 FILE001.cdf
-rw-r--r-- 1 mysql mysql 13508608 Sep 15 21:01 FILE000.cdf
-rw-r--r-- 1 mysql mysql 2097152 Sep 15 20:57 FILE000.cdf
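
Added example (not part of the ticket or of ColumnStore's own code): a shell audit for the two requirements raised here, namely files under the ColumnStore directories that are not owned by the service user (the root-owned .cdf case above) and a unit file missing the LimitNOFILE=65536 setting from the description. It assumes GNU find on Linux; the function names and the unit file path are hypothetical.

```shell
# Audit helpers for running ColumnStore as a non-root user.
# Assumes GNU find (for -printf). Function names are illustrative.

# Print "owner<TAB>path" for every entry under the given directories that
# is NOT owned by the expected service user, e.g. segment files that an
# import tool running as root left behind.
wrong_owner() {
    local expected="$1"
    shift
    find "$@" -printf '%u\t%p\n' |
        awk -F'\t' -v u="$expected" '$1 != u'
}

# Succeed only if the unit file sets LimitNOFILE to at least the wanted
# value (default 65536, the figure given in the ticket description).
# Only numeric values are accepted; for "soft:hard" the soft limit is
# compared, and "infinity" or a missing setting is reported as not OK.
nofile_ok() {
    local unit="$1" want="${2:-65536}" have
    have=$(sed -n \
        's/^[[:space:]]*LimitNOFILE[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*$/\1/p' \
        "$unit" | tail -n 1)
    [ -n "$have" ] && [ "$have" -ge "$want" ]
}

# Typical use, with the directories listed in the description and the
# service user named in the comments:
#   wrong_owner mysql /var/lib/columnstore /etc/columnstore \
#       /var/log/mariadb/columnstore /tmp/columnstore_tmp_files
#   nofile_ok /path/to/unit.service || echo "LimitNOFILE too low or unset"
```

Any line printed by wrong_owner is a path the service user may be unable to open, which is the condition behind the "Operation not permitted" entry in crit.log.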

Comment by Daniel Lee (Inactive) [ 2020-09-15 ]

As the title of the ticket suggested, cmapi should be running under a non-root user. If we cannot do that for now, we should change the ticket title.
