I want to run elasticsearch as a systemd service in an Amazon cloud VM. If I run it simply through the command line shell, it will run in the background in a subshell, but as soon as the connection is terminated the process is killed.

So, I created a service /etc/systemd/system/multi-user.target.wants/indexstorage.service

```
[Unit]
Description=indexing-store

[Service]
Type=forking
ExecStart=/usr/local/elasticsearch-5.2.2/bin/elasticsearch
TimeoutSec=infinity
Restart=always

[Install]
WantedBy=multi-user.target
```

And copied to /etc/systemd/system/indexstorage.service.

Then, as per the usual steps, I reloaded and enabled indexstorage.service.

But when I start indexstorage.service, it asks for the root password of the VM, which is actually an Amazon cloud machine.

```
ubuntu@ip-172-21-3-18:~$ /bin/systemctl start indexstorage.service 
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to start 'indexstorage.service'.
Authenticating as: Ubuntu (ubuntu)
Password: 
polkit-agent-helper-1: pam_authenticate failed: Authentication failure
==== AUTHENTICATION FAILED ===
Failed to start indexstorage.service: Access denied
See system logs and 'systemctl status indexstorage.service' for details.
```

for which I don't know the password. And if I run it as sudo user, it will never run because elasticsearch restricts running as sudo user for safety reasons.

```
ubuntu@ip-172-21-3-18:~$ sudo /bin/systemctl start indexstorage.service 
Job for indexstorage.service failed because the control process exited with error code. See "systemctl status indexstorage.service" and "journalctl -xe" for details.
```

My current user/groups is ubuntu:ubuntu

```
ubuntu@ip-172-21-3-18:~$ users 
ubuntu

ubuntu@ip-172-21-3-18:~$ groups
ubuntu adm dialout cdrom floppy sudo audio dip video plugdev netdev lxd
```

I tried changing /etc/sudoers too, to allow access for the group ubuntu, but it has no effect:

```
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

%ubuntu ALL=NOPASSWD: /bin/systemctl daemon-reload
%ubuntu ALL=NOPASSWD: /bin/systemctl restart indexstorage.service
%ubuntu ALL=NOPASSWD: /bin/systemctl stop indexstorage.service
%ubuntu ALL=NOPASSWD: /bin/systemctl start indexstorage.service
```

Or,

```
%ubuntu ubuntu=NOPASSWD: /bin/systemctl daemon-reload
%ubuntu ubuntu=NOPASSWD: /bin/systemctl restart indexstorage.service
%ubuntu ubuntu=NOPASSWD: /bin/systemctl stop indexstorage.service
%ubuntu ubuntu=NOPASSWD: /bin/systemctl start indexstorage.service
```

When I start the service,

```
ubuntu@ip-172-21-3-18:~$ /bin/systemctl start indexstorage.service 
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to start 'indexstorage.service'.
Authenticating as: Ubuntu (ubuntu)
Password: 
```

My temporary solution for now is running it as a nohup process, which will ignore hangup signals:

```
nohup /usr/local/elasticsearch-5.2.2/bin/elasticsearch &
```

But the question in this post is: how can I run systemctl commands as a non-sudo user?

References

How could we allow non-root users to control a system.d service?

prayagupa
  • Would installing it as a user service suffice - `--user`? – spinkus Apr 17 '17 at 01:16
  • Are you saying supply `--user` to `systemctl` (`/bin/systemctl start indexstorage.service --user ubuntu`)? It won't take though. – prayagupa Apr 17 '17 at 01:47
  • `--user` sets it up as a per user service. You don't need the "ubuntu" arg. On review, this is actually probably not what you want and won't work. When you say "And if run it as sudo user, it will never run because elasticsearch restricts running as sudo use.". Really?? So if you were to login as "admin" and `sudo systemctl start ...` it wouldn't work because it's sudoed? Don't believe. What's the error your service gives - `sudo journalctl -xe`? – spinkus Apr 17 '17 at 02:10
  • Yes, elasticsearch doesn't run under root user, that's true. What they call [safety reasons](https://discuss.elastic.co/t/why-is-it-elasticsearch-is-not-allowed-to-run-as-root/60413/4) – prayagupa Apr 17 '17 at 02:13
  • `systemctl --user start indexstorage.service` doesn't work either with error `Unit indexstorage.service not found.` I will try [installing the service in `/etc/systemd/user` and see](https://superuser.com/a/477472/107419). – prayagupa Apr 17 '17 at 02:35
  • My bad, need user specific location. See answer. – spinkus Apr 17 '17 at 02:45

1 Answer


To run a systemd service as the ubuntu user you can use `User=ubuntu` in the service file. See `man systemd.exec`.

Alternatively you can install the service as a per user service. In that case you start the service with `systemctl --user start <service>` and you have to put your unit files in a per user directory, usually `$HOME/.config/systemd/user`, `$HOME/.local/share/systemd/user`. See `man systemd.unit`.

spinkus
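The first option from this answer applied to the unit in the question, as an added example (not code from the answer's author): a system unit that root's systemd starts but whose process runs as `ubuntu`. `Group=`, `Type=simple`, `After=` and `NoNewPrivileges=` are assumptions added here; `Type=simple` fits because the `ExecStart` line in the question has no `-d` and so stays in the foreground.

```ini
# /etc/systemd/system/indexstorage.service
# Added example. systemd does not allow trailing comments on a setting,
# so every comment sits on its own line.

[Unit]
Description=indexing-store
# Assumption: wait for basic networking before starting the node.
After=network.target

[Service]
# PID 1 (root) launches the job, then switches to this account before
# exec, so Elasticsearch never runs with uid 0.
User=ubuntu
# Assumption: primary group of the ubuntu account.
Group=ubuntu
# Assumption: the launcher stays in the foreground without -d, so systemd
# tracks the main process directly instead of waiting for a fork.
Type=simple
ExecStart=/usr/local/elasticsearch-5.2.2/bin/elasticsearch
Restart=always
# Optional hardening (assumption): the service and its children cannot
# regain privileges through setuid binaries.
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target

# Managing the unit is still a privileged operation on the system manager:
#   sudo systemctl daemon-reload
#   sudo systemctl enable --now indexstorage.service
# Confirm the account the process actually runs under:
#   systemctl show -p User indexstorage.service
#   ps -o user= -p "$(systemctl show -p MainPID --value indexstorage.service)"
```

Only the service process runs as `ubuntu`; starting and stopping a system unit still goes through `sudo systemctl`, which is what the polkit prompt in the question is enforcing. For the per-user alternative, the same `[Service]` section without `User=`/`Group=` goes under `$HOME/.config/systemd/user/` with `WantedBy=default.target`, and `sudo loginctl enable-linger ubuntu` keeps the user manager running after the SSH session closes.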