Operating System User Accounts for MariaDB Xpand
Overview
MariaDB Xpand relies on several operating system user accounts which are automatically created during the installation process.
Default OS Users
MariaDB Xpand creates the following OS user accounts by default during the installation process. Passwordless SSH should be configured between Xpand nodes for these accounts:
OS User | Description |
---|---|
xpand | The Xpand processes run as the |
xpandm | This Linux user is intended to be used by administrators to work with the Xpand software. This user is typically configured to have its environment set for convenient use of the Xpand command-line tools, such as the clx command. |
To reduce confusion within your team and when working with MariaDB Support, we recommend leaving the Xpand Daemon user at the default (xpand). This default user name helps identify this Linux user as a daemon-only account that should not be used by administrators during normal operation.
You may wish to use a different Linux user for the Xpand Management user. This can be specified as part of installation.
For example, if you normally log into Linux using a user named sysops, and you would like to manage Xpand while logged in as this sysops user, then during the Xpand installation, select sysops as the Management user instead of xpandm.
OS users cannot be modified once installation is complete.
Configure xpand and xpandm Linux users
When using the recommended options, the Xpand installer will automatically create the daemon (xpand) and management (xpandm) users and grant the associated privileges. If you prefer to specify existing users, please note the following:
Xpand Daemon (default: xpand):
This Linux user should not be granted sudo privileges. Doing so would effectively allow the Xpand installation to run with root privileges.
To facilitate cluster-wide upgrades of the Xpand software, the xpand Linux user should have passwordless SSH access configured between Xpand nodes. See Configure SSH Authentication for instructions on how to set this up.
Xpand Management (default: xpandm):
This Linux user does not require sudo privileges.
To facilitate easy use of the Xpand command-line management tools, passwordless SSH access between Xpand nodes should be configured for this user.
Non-root vs Root installation and upgrade:
| non-root (recommended) | root |
---|---|---|
Installation | performed as root | performed as root |
Access the UI | http://ip_ | http://ip_ |
Upgrades | As the database user ( Root upgrade is not supported | As root |
OS | CentOS 7/RHEL 7 | CentOS 7/RHEL 7 |
There is no performance difference with running Xpand as a non-root user.
Differences between non-root and root:
Host-based authentication is not supported (see Configure SSH Authentication for more information on connectivity between nodes in Xpand non-root cluster)
If the database is in read only mode, taking a mysqldump requires using the --lock-tables=false option
Note
When expanding the device1 file on a non-root installation, take care not to fill up all available free space, because a non-root user does not have the same permissions to inspect the file system and proactively provide warnings. By default, Linux file systems reserve 5% of space for use by root only, so that non-root users cannot fill the disk to 100% and leave no space for system components. Inspecting the system does not immediately show this space as unavailable.
Prepare a system for running as non-root
If you previously installed Xpand using a root-based install, perform the following steps (as root) to prepare a node for a non-root install:
shell> /opt/clustrix/bin/uninstall_clustrix
shell> rm /dev/shm/*
SSH Configuration
Xpand depends on the xpand and xpandm operating system user accounts.
Passwordless SSH authentication between nodes for these accounts is required for:
Connecting via SSH between nodes
Using the clx tool to collect logs, run diagnostics and perform cluster-wide actions
Xpand can configure passwordless SSH with automation if the nodes are configured to allow password authentication for SSH. Otherwise, passwordless SSH may need to be configured on each node manually.
To determine which instructions to use, follow the procedure below.
This action is performed on each Xpand node.
On each node, confirm that password authentication is enabled for SSH:
$ sudo grep -i -E "^PasswordAuthentication" /etc/ssh/sshd_config
If the result is "yes" on all nodes, use Automatic Setup:
PasswordAuthentication yes
If the result is "no" on any node, use Manual Setup:
PasswordAuthentication no
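The grep above prints nothing when the directive is commented out or indented, so the result can be ambiguous. The following added example (not part of the Xpand documentation) resolves the global value from a copy of each node's sshd_config, assuming OpenSSH's default of "yes" when the keyword is unset and ignoring Include'd files and Match blocks; the function names and sample files are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Xpand docs). Prints the global
# PasswordAuthentication value sshd would take from ONE config file.
# Assumptions: Include'd files and Match blocks are not evaluated, and
# OpenSSH's built-in default ("yes") applies when the keyword is unset.
effective_password_auth() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }  # indent, key=value
        /^#/ || /^$/ { next }                    # comments and blank lines
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == "passwordauthentication" {
            print tolower($2); found = 1; exit   # first value obtained wins
        }
        END { if (!found) print "yes" }
    ' "$1"
}

# Hypothetical helper: one sshd_config copy per node -> which procedure applies.
choose_setup() {
    for cfg in "$@"; do
        if [ "$(effective_password_auth "$cfg")" != "yes" ]; then
            echo manual; return 0
        fi
    done
    echo automatic
}

# Constructed sample configs standing in for three nodes.
d=$(mktemp -d)
printf '#PasswordAuthentication yes\nPermitRootLogin no\n' > "$d/node1"
printf '  passwordauthentication no\nPasswordAuthentication yes\n' > "$d/node2"
printf 'Match User backup\n  PasswordAuthentication no\n' > "$d/node3"

for n in node1 node2 node3; do
    echo "$n: $(effective_password_auth "$d/$n")"
done
echo "setup: $(choose_setup "$d/node1" "$d/node2" "$d/node3")"
```

On a live node, `sudo sshd -T` prints the effective configuration and is the authoritative check.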
Automatic Setup
All Xpand nodes should have the same password for the same user account, but the passwords should differ for each separate user account.
This action is performed on each Xpand node.
Set the password for the xpand system user account:
$ sudo passwd xpand
Set the password for the xpandm system user account:
$ sudo passwd xpandm
After per-node steps are completed, this action is performed on one Xpand node.
Configure public keys for the xpand system user account:
$ sudo clx pubkeyinstall -l xpand
The command will prompt for the xpand user account password, and will then connect to each Xpand node to configure passwordless SSH.
Configure public keys for the xpandm system user account:
$ sudo clx pubkeyinstall -l xpandm
The command will prompt for the xpandm user account password, and will then connect to each Xpand node to configure passwordless SSH.
The following example shows output from clx pubkeyinstall:
server1: Generated key pair in /home/username/.ssh/
server2: Generated key pair in /home/username/.ssh/
server3: Generated key pair in /home/username/.ssh/
server4: Generated key pair in /home/username/.ssh/
server5: Generated key pair in /home/username/.ssh/
server1: Added public keys for nodes: server5, server1, server4, server3, server2
server2: Added public keys for nodes: server5, server1, server4, server3, server2
server3: Added public keys for nodes: server5, server1, server4, server3, server2
server4: Added public keys for nodes: server5, server1, server4, server3, server2
server5: Added public keys for nodes: server5, server1, server4, server3, server2
Manual Setup
For compact instructions, we have shortened the sample SSH public key strings with [ ... ]. These instructions are used once for the xpandm user, and used a second time for the xpand user.
Each step of this action is performed on each Xpand node before moving to the next step.
On each Xpand node, create an SSH key pair:
$ ssh-keygen -t rsa
On each Xpand node, copy the public key from ~/.ssh/id_rsa.pub:
$ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC[ ... ]Vk81q0FxYQm5 xpandm@xpand-node1
On each Xpand node, add all of the public keys to ~/.ssh/authorized_keys:
ssh-rsa AAAAB3NzaC[ ... ]Vk81q0FxYQm5 xpandm@xpand-node1
ssh-rsa AAAAB3NzaC[ ... ]tqUkwyatF3nH xpandm@xpand-node2
ssh-rsa AAAAB3NzaC[ ... ]PPI9ifXqjg8/ xpandm@xpand-node3
This should include the public key for the current Xpand node and all other Xpand nodes.
On each Xpand node, ensure proper file permissions of ~/.ssh/authorized_keys:
$ chmod 0600 ~/.ssh/authorized_keys
On each Xpand node, test passwordless SSH access to each other Xpand node:
$ ssh 192.0.2.2
Substitute the IP address of each other Xpand node.
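Before testing logins, the result of the manual steps can be audited on each node. This added example (not part of the Xpand documentation) checks that authorized_keys has mode 0600 and contains the key body from every node's public key file; the function name, file layout and key strings are constructed for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the Xpand docs): audit one node's authorized_keys
# after Manual Setup. Hypothetical inputs: $1 = authorized_keys path,
# remaining args = the id_rsa.pub files collected from every node.
# Assumes GNU coreutils stat (as on CentOS 7/RHEL 7).
audit_authorized_keys() {
    ak=$1; shift; rc=0
    mode=$(stat -c '%a' "$ak") || return 2
    if [ "$mode" != "600" ]; then
        echo "FAIL mode $mode on $ak (expected 600)"; rc=1
    fi
    for pub in "$@"; do
        # Field 2 of a public key line is the base64 key body; compare on
        # that, not on the trailing comment, which anyone can edit.
        blob=$(awk '{ print $2; exit }' "$pub")
        if ! awk -v b="$blob" \
            '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 } END { exit !f }' \
            "$ak"; then
            echo "FAIL missing key from $pub"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK $ak"
    return "$rc"
}

# Constructed sample: three placeholder keys, node2 left out of
# authorized_keys, and a mode that is too permissive.
d=$(mktemp -d)
for n in 1 2 3; do
    echo "ssh-rsa AAAAB3NzaCONSTRUCTEDnode$n xpandm@xpand-node$n" > "$d/node$n.pub"
done
cat "$d/node1.pub" "$d/node3.pub" > "$d/authorized_keys"
chmod 0644 "$d/authorized_keys"

audit_authorized_keys "$d/authorized_keys" "$d"/node*.pub || echo "audit failed"
```

Run it once as xpandm and once as xpand, since the manual procedure is repeated for both accounts.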
Verify SSH Connectivity
CLX provides a cmd command, which establishes an SSH connection with each Xpand node, changes into the current directory on the node, and executes the given command from that directory. The current directory must exist on every node and be one that the user can access.
Using a command like date (which prints the current date and time to stdout), you can test the SSH configuration from each Xpand node to all other Xpand nodes.
This action is performed on each Xpand node:
$ clx cmd date
--------------------------------------------------------------------------------
{nid: 1, hostname: xpand1, ip: 192.0.2.1}
Fri Aug 23 22:47:14 UTC 2021
--------------------------------------------------------------------------------
{nid: 2, hostname: xpand2, ip: 192.0.2.2}
Fri Aug 23 22:47:14 UTC 2021
--------------------------------------------------------------------------------
{nid: 3, hostname: xpand3, ip: 192.0.2.3}
Fri Aug 23 22:47:14 UTC 2021
Output should show the current date retrieved from each Xpand node.
Adding New Nodes
When new nodes are added to the cluster, the passwords for the non-root accounts (xpand and xpandm) will need to be manually set on the new nodes. Then run clx pubkeyinstall from one of the existing nodes. It will generate SSH keys on the new nodes and push out the amended authorized_keys file.