Change the user running the Ignition Gateway service

ISEMAREN_AAG · January 13, 2023, 10:03am

Good morning.

I was testing the Python subprocess module in Ignition, and noticed that the user running the Ignition Gateay service is root (Linux).

Is it possible to change this user? Would this change have any negative consequences?

Best regards.

victordcq · January 13, 2023, 11:54am

You will have to run the service as an other user.

This can affect file access, or the timezone/locale amongst other things.

should be easy enough to revert if it causes trouble i guess xd

pturmel · January 13, 2023, 12:45pm

You set this in the SystemD unit file for the Ignition service. Consider specifying AmbientCapabilities=CAP_NET_RAW CAP_NET_BIND_SERVICE to allow Ignition to use ports 80 & 443 and to use built-in ping when not root.

Make sure to change ownership of all Ignition files and folders to the new user.

ISEMAREN_AAG · January 13, 2023, 2:41pm

I have edited the service configuration: "sudo nano /etc/systemd/system/Ignition-Gateway.service", but the "AmbientCapabilities" variable does not exist.

Should I add it like this: AmbientCapabilities=CAP_NET_BIND_SERVICE?

Thank you.

pturmel · January 13, 2023, 3:27pm

Yes, you add it yourself, in the [Service] section.

kcollins1 · January 13, 2023, 6:09pm

Also, consider using a systemd override file instead of editing the main file, e.g.:

systemctl edit Ignition-Gateway.service

This will create an override file at /etc/systemd/system/Ignition-Gateway.service.d/override.conf that will persist through an Ignition upgrade (that may reset/revert that base configuration file).

ISEMAREN_AAG · January 13, 2023, 7:08pm

@kcollins1 I have followed your instructions but now I have this problem:

kcollins1 · January 13, 2023, 7:10pm

You may need to include an explicit ExecStart line with empty content to negate the base settings, e.g.

ExecStart=
ExecStart=<your new stuff>

kcollins1 · January 13, 2023, 7:12pm

I should probably also mention that the override file is for augmenting the base file, you don't need to put the contents of the original file in there, otherwise you'll end up with conflicts there.

ISEMAREN_AAG · January 13, 2023, 7:48pm

Now I have another error:
runuser: cannot be used by users other than root

kcollins1 · January 13, 2023, 8:47pm

What do you have currently in both your:

/etc/systemd/system/Ignition-Gateway.service
/etc/systemd/system/Ignition-Gateway.service.d/override.conf

... files?

ISEMAREN_AAG · January 16, 2023, 9:01am

Good morning.
Finally I decided to restore the file as it was: User=root.
This is giving me too many problems.
Sorry for the inconvenience.