Operating System User Accounts for MariaDB Xpand

Overview

MariaDB Xpand relies on several operating system user accounts which are automatically created during the installation process.

Default OS Users

MariaDB Xpand creates the following OS user accounts by default during the installation process. Passwordless SSH should be configured between Xpand nodes for these accounts:

| OS User | Description |
|---------|-------------|
| xpand | The Xpand processes run as the xpand Linux user. Upgrades are also performed as this user. It is not recommended to use this user for other tasks. |
| xpandm | This Linux user is intended to be used by administrators to work with the Xpand software. This user is typically configured to have its environment set for convenient use of the Xpand command-line tools, such as the clx command. |

To reduce confusion within your team and when working with MariaDB Support, we recommend leaving the Xpand Daemon user at the default (xpand). This default user name helps identify this Linux user as a daemon-only account that should not be used by administrators during normal operation.

You may wish to use a different Linux user for the Xpand Management user. This can be specified as part of installation.

For example, if you normally log into Linux using a user named sysops, and you would like to manage Xpand while logged in as this sysops user, then during the Xpand installation, select sysops as the Management user instead of xpandm.

OS users cannot be modified once installation is complete.

Configure xpand and xpandm Linux users

When using the recommended options, the Xpand installer will automatically create the daemon (xpand) and management (xpandm) users and grant the associated privileges. If you prefer to specify existing users, please note the following:

Xpand Daemon (default: xpand):

This Linux user should not be granted sudo privileges. Doing so would effectively allow the Xpand installation to run with root privileges.

To facilitate cluster-wide upgrades of the Xpand software, the xpand Linux user should have passwordless SSH access configured between Xpand nodes. See Configure SSH Authentication for instructions on how to set this up.

Xpand Management (default: xpandm):

This Linux user does not require sudo privileges.

To facilitate easy use of the Xpand command-line management tools, passwordless SSH access between Xpand nodes should be configured for this user.

Non-root vs Root installation and upgrade:

|               | non-root (recommended) | root |
|---------------|------------------------|------|
| Installation  | performed as root | performed as root |
| Access the UI | http://ip_or_hostname:8080 | http://ip_or_hostname |
| Upgrades      | As the database user (xpand). Root upgrade is not supported. | As root |
| OS            | CentOS 7/RHEL 7 | CentOS 7/RHEL 7 |

There is no performance difference with running Xpand as a non-root user.

Differences between non-root and root:

  • Host-based authentication is not supported (see Configure SSH Authentication for more information on connectivity between nodes in an Xpand non-root cluster)

  • If the database is in read-only mode, taking a mysqldump requires using the --lock-tables=false option

Note

When expanding the device1 file on a non-root installation, take care not to fill all available free space, because a non-root user does not have the same permissions to inspect the file system and proactively provide warnings. By default, Linux file systems reserve 5% of space for use by root only, so that non-root users cannot fill the disk to 100% and leave no space for system components. Inspecting the system does not immediately show this space as unavailable.

Prepare a system for running as non-root

If you previously installed Xpand using a root-based install, perform the following steps (as root) to prepare a node for a non-root install:

shell> /opt/clustrix/bin/uninstall_clustrix
shell> rm /dev/shm/*

SSH Configuration

Xpand depends on the xpand and xpandm operating system user accounts.

Passwordless SSH authentication between nodes for these accounts is required for:

  • Connecting via SSH between nodes

  • Using the clx tool to collect logs, run diagnostics and perform cluster-wide actions

  • Upgrades

Xpand can configure passwordless SSH with automation if the nodes are configured to allow password authentication for SSH. Otherwise, passwordless SSH may need to be configured on each node manually.

To determine which instructions to use, follow the procedure below.

This action is performed on each Xpand node.

  1. On each node, confirm that password authentication is enabled for SSH:

    $ sudo grep -i -E "^PasswordAuthentication" /etc/ssh/sshd_config
    
  2. If the result is "yes" on all nodes, use Automatic Setup:

    PasswordAuthentication yes
    
  3. If the result is "no" on any node, use Manual Setup:

    PasswordAuthentication no
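
The grep in step 1 prints nothing when the directive is commented out or absent (sshd then uses its default, yes), and it does not show Match-block overrides. The following added example is not part of the Xpand documentation; its function names are hypothetical, and it reads an sshd_config file to report which setup path applies.

```shell
# Added example: classify a node from its sshd_config. Reads only, changes nothing.
# Usage: setup_path /etc/ssh/sshd_config

# password_auth_report CONFIG_FILE
# Prints "GLOBAL yes|no", then one MATCH line per Match block that sets
# PasswordAuthentication.
password_auth_report() {
  awk '
    /^[ \t]*(#|$)/ { next }                     # comments and blank lines
    { gsub(/=/, " "); key = tolower($1) }       # accept "Keyword=value"
    key == "match" { block = $0; next }         # block runs to next Match/EOF
    key != "passwordauthentication" { next }
    block != "" { overrides = overrides "MATCH [" block "] " tolower($2) "\n"; next }
    global == "" { global = tolower($2) }       # first obtained value wins
    END {
      if (global == "") global = "yes"          # unset: OpenSSH default is yes
      print "GLOBAL " global
      printf "%s", overrides
    }' "$1"
}

# setup_path CONFIG_FILE
# Prints "automatic", "manual", or "review" when a Match block overrides the
# global value, because the answer then depends on the user or source address.
setup_path() {
  report=$(password_auth_report "$1")
  case $report in
    *MATCH*)      echo review ;;
    "GLOBAL yes") echo automatic ;;
    *)            echo manual ;;
  esac
}
```

On a live node, sshd -T (extended test mode) prints the effective configuration and is the authoritative check.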
    

Automatic Setup

All Xpand nodes should have the same password for the same user account, but the passwords should differ for each separate user account.

This action is performed on each Xpand node.

  1. Set the password for the xpand system user account:

    $ sudo passwd xpand
    
  2. Set the password for the xpandm system user account:

    $ sudo passwd xpandm
    

After per-node steps are completed, this action is performed on one Xpand node.

  1. Configure public keys for the xpand system user account:

    $ sudo clx pubkeyinstall -l xpand
    

    The command will prompt for the xpand user account password, and will then connect to each Xpand node to configure passwordless SSH.

  2. Configure public keys for the xpandm system user account:

    $ sudo clx pubkeyinstall -l xpandm
    

    The command will prompt for the xpandm user account password, and will then connect to each Xpand node to configure passwordless SSH.

The following example shows output from clx pubkeyinstall:

server1: Generated key pair in /home/username/.ssh/
server2: Generated key pair in /home/username/.ssh/
server3: Generated key pair in /home/username/.ssh/
server4: Generated key pair in /home/username/.ssh/
server5: Generated key pair in /home/username/.ssh/
server1: Added public keys for nodes: server5, server1, server4, server3, server2
server2: Added public keys for nodes: server5, server1, server4, server3, server2
server3: Added public keys for nodes: server5, server1, server4, server3, server2
server4: Added public keys for nodes: server5, server1, server4, server3, server2
server5: Added public keys for nodes: server5, server1, server4, server3, server2

Manual Setup

To keep these instructions compact, the sample SSH public key strings are shortened with [ ... ]. Follow these instructions once for the xpandm user and a second time for the xpand user.

Each step of this action is performed on each Xpand node before moving to the next step.

  1. On each Xpand node, create an SSH key pair:

    $ ssh-keygen -t rsa
    
  2. On each Xpand node, copy the public key from ~/.ssh/id_rsa.pub:

    $ cat ~/.ssh/id_rsa.pub
    ssh-rsa AAAAB3NzaC[ ... ]Vk81q0FxYQm5 xpandm@xpand-node1
    
  3. On each Xpand node, add all of the public keys to ~/.ssh/authorized_keys:

    ssh-rsa AAAAB3NzaC[ ... ]Vk81q0FxYQm5 xpandm@xpand-node1
    ssh-rsa AAAAB3NzaC[ ... ]tqUkwyatF3nH xpandm@xpand-node2
    ssh-rsa AAAAB3NzaC[ ... ]PPI9ifXqjg8/ xpandm@xpand-node3
    

    This should include the public key for the current Xpand node and all other Xpand nodes.

  4. On each Xpand node, ensure proper file permissions of ~/.ssh/authorized_keys:

    $ chmod 0600 ~/.ssh/authorized_keys
    
  5. On each Xpand node, test passwordless SSH access to each other Xpand node:

    $ ssh 192.0.2.2
    

    Substitute the IP address of each other Xpand node.
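
An added example, not part of the Xpand documentation: a check that authorized_keys has mode 0600 and contains exactly the public keys of the cluster nodes, so that a missing node or a stray key with passwordless access to the account is reported. It assumes the node public keys were collected as one .pub file per node in a directory; that directory and the function names are hypothetical.

```shell
# Added example: audit authorized_keys against the collected node public keys.
# Usage: audit_authorized_keys ~/.ssh/authorized_keys /path/to/collected-keys

# key_blobs FILE...
# Prints the base64 key blob of every key line. Skips blank and comment lines
# and tolerates a leading options field such as from="...".
key_blobs() {
  awk '!/^[ \t]*(#|$)/ {
         for (i = 1; i < NF; i++)
           if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); break }
       }' "$@"
}

# audit_authorized_keys AUTH_FILE PUBKEY_DIR
# Prints one finding per line and returns 1; returns 0 when there are none.
audit_authorized_keys() {
  auth=$1 dir=$2
  findings=$(
    # Step 4 of the procedure: the file must be mode 0600 (GNU stat).
    mode=$(stat -c %a "$auth")
    [ "$mode" = 600 ] || echo "MODE $mode (expected 600)"
    # Step 3: every node key, including the local node's, must be present.
    for pub in "$dir"/*.pub; do
      key_blobs "$auth" | grep -qxF -- "$(key_blobs "$pub")" ||
        echo "MISSING $(basename "$pub" .pub)"
    done
    # Any key that belongs to no node grants access from outside the cluster.
    key_blobs "$auth" | while read -r blob; do
      key_blobs "$dir"/*.pub | grep -qxF -- "$blob" ||
        echo "UNEXPECTED key ending $(printf %s "$blob" | tail -c 12)"
    done
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}
```

Run it once as xpandm and once as xpand on each node, since each account has its own authorized_keys file.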

Verify SSH Connectivity

CLX provides a cmd command, which establishes an SSH connection with each Xpand node, changes into the current directory on the node, and executes the given command from that directory. The current directory must exist on every node and be one that the user can access.

Using a command like date (which prints the current date and time to stdout), you can test the SSH configuration from each Xpand node to all other Xpand nodes.

This action is performed on each Xpand node:

$ clx cmd date

--------------------------------------------------------------------------------
{nid: 1, hostname: xpand1, ip: 192.0.2.1}
Fri Aug 23 22:47:14 UTC 2021

--------------------------------------------------------------------------------
{nid: 2, hostname: xpand2, ip: 192.0.2.2}
Fri Aug 23 22:47:14 UTC 2021

--------------------------------------------------------------------------------
{nid: 3, hostname: xpand3, ip: 192.0.2.3}
Fri Aug 23 22:47:14 UTC 2021

Output should show the current date retrieved from each Xpand node.

Adding New Nodes

When new nodes are added to the cluster, the passwords for the non-root accounts (xpand and xpandm) must be set manually on the new nodes. Then run clx pubkeyinstall from one of the existing nodes. It will generate SSH keys on the new nodes and push out the amended authorized_keys file.