Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.
Original topic: Does TiDB support deploying a cluster as a non-root user?
The example in the official documentation uses the root user for installation and deployment. Does TiDB support installation and deployment of the cluster using a non-root user? Could you please share the documentation process for deploying with a non-root user?
Create a tidb user and password on each node as the root user:
# useradd tidb
# passwd tidb
2. Configure passwordless sudo
Configure passwordless sudo on each node:
# visudo
Add the following content:
tidb ALL=(ALL) NOPASSWD:ALL
3. Configure mutual trust from the control machine to other nodes
Log in to the control machine (21.72.124.43) as the tidb user and execute the following command:
ssh-keygen -t rsa
Configure mutual trust to each node:
ssh-copy-id -i /home/tidb/.ssh/id_rsa.pub 21.72.124.39
ssh-copy-id -i /home/tidb/.ssh/id_rsa.pub 21.72.124.40
...
4. Test mutual trust
Log in to the control machine as the tidb user and directly ssh to the node:
[tidb@localhost]# ssh 21.72.124.39
# sudo -su root
If the above command allows you to log in to node 39 and switch directly to the root user, it indicates that the passwordless sudo configuration is successful.
I wrote the installation and deployment documentation myself; you can refer to it here:
Of course, it’s supported. The core is to establish the SSH trust relationship with Ansible. Once that’s done, you can switch users and use TiUP to deploy the cluster.
Using sudo without a password essentially still makes you a root user… Can a regular user with normal permissions install and deploy?
Granting permissions to ordinary users is sufficient, but without passwordless mutual trust, the cluster cannot be deployed.
Ordinary users don’t need sudo permissions for passwordless mutual trust, right?
Setting mutual trust can be done by any user.
Using a non-root account, you still need to elevate privileges in the end.
Privilege escalation is quite normal. As long as it’s well-restricted, there’s no big issue.
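The rule from step 2 (`tidb ALL=(ALL) NOPASSWD:ALL`) is what the replies above mean by "essentially still root". The following is an added example, not part of any post in this thread and not TiDB or TiUP code: a POSIX shell check that flags sudoers rules giving a user passwordless sudo for every command. The function name `audit_sudoers`, the sample fragment and the `deploy` and `ops` users are constructed for illustration.

```shell
#!/bin/sh
# audit_sudoers FILE USER
# Prints every rule in FILE that lets USER run ALL commands with NOPASSWD.
# Returns 1 if such a rule exists, 0 otherwise.
# Assumptions: one rule per line (no backslash continuations), no escaped
# commas, and no User_Alias, %group or include resolution.
audit_sudoers() {
    awk -v user="$2" '
        $1 != user { next }                      # also skips comments/blank lines
        {
            rest = $0
            sub(/^[^=]*=[ \t]*/, "", rest)       # drop "user host ="
            sub(/^\([^)]*\)[ \t]*/, "", rest)    # drop optional "(runas)"
            n = split(rest, cmds, ",")
            nopasswd = 0                         # tags carry over to later commands
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                while (match(c, /^[A-Z_]+[ \t]*:[ \t]*/)) {
                    tag = substr(c, 1, RLENGTH)
                    sub(/[ \t]*:[ \t]*$/, "", tag)
                    if (tag == "NOPASSWD") nopasswd = 1
                    if (tag == "PASSWD") nopasswd = 0
                    c = substr(c, RLENGTH + 1)
                }
                if (c == "ALL" && nopasswd) {
                    print FILENAME ":" FNR ": " $0
                    found = 1
                    break
                }
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample input; only the tidb rule comes from the thread.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample sudoers fragment
Defaults env_reset
tidb ALL=(ALL) NOPASSWD:ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl, PASSWD: ALL
ops ALL=(ALL:ALL) PASSWD: /usr/bin/id, NOPASSWD: /usr/bin/uptime, ALL
EOF

audit_sudoers "$sample" tidb || echo "tidb: unrestricted passwordless sudo"
```

The `ops` line is flagged as well: a `NOPASSWD:` tag is inherited by the commands that follow it in the list, so the trailing `ALL` needs no password.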
You can use other users to deploy. The YAML file specifies the installation user, and if you use root to install, it will still be placed under the corresponding user. Generally, the tidb user is used.
Of course, it is supported, but the deployment user needs sudo privileges. You can grant the necessary permissions using visudo.
The biggest fear with non-root deployment is the various permission issues that can arise, which can sometimes be quite difficult to troubleshoot.
High-privilege users are only needed during deployment (expansion) to create TiDB-related services such as systemctl status xxx, etc. Routine maintenance does not require this; only the regular user specified in the configuration file during deployment is needed.
If the cluster’s machine can use the root user once, it’s simplest to use root for installation. After installation, it will automatically add the tidb user to run the cluster, and at this point, you can disable the root user. It’s best not to deploy tiup under root.
Sure, actually the root user will add a tidb user by default after installation. If you use other users, there may be various permission issues.
Supported, you need to configure sudo permissions. If sudo permissions are not configured, specify the tidb user in the yaml file and use the root user and password when deploying the cluster. This will automatically grant sudo permissions to the tidb user.
It's definitely supported; you just need sudo permissions.
Supported; just configure sudo permissions.