Does TiDB support deploying clusters with non-root users?

Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: tidb支持非root用户部署集群吗?

| username: TiDBer_rYOSh9JN

The example in the official documentation uses the root user for installation and deployment. Does TiDB support installation and deployment of the cluster using a non-root user? Could you please share the documentation process for deploying with a non-root user?

| username: TiDBer_小阿飞 | Original post link

1. Create the tidb user

Create a tidb user and password on each node as the root user:

# useradd tidb
# passwd tidb

2. Configure passwordless sudo

Configure passwordless sudo on each node:

# visudo

Add the following content:

tidb ALL=(ALL) NOPASSWD:ALL

3. Configure mutual trust from the control machine to other nodes

Log in to the control machine (21.72.124.43) as the tidb user and execute the following command:

ssh-keygen -t rsa

Configure mutual trust to each node:

ssh-copy-id -i /home/tidb/.ssh/id_rsa.pub 21.72.124.39
ssh-copy-id -i /home/tidb/.ssh/id_rsa.pub 21.72.124.40
...

4. Test mutual trust

Log in to the control machine as the tidb user and directly ssh to the node:

[tidb@localhost]$ ssh 21.72.124.39
$ sudo -su root

If the above command allows you to log in to node 39 and switch directly to the root user, it indicates that the passwordless sudo configuration is successful.
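
The four steps above, collected into one script as an added example (it is not from the original post and not TiDB's or TiUP's own tooling): the sudo grant goes into a drop-in under /etc/sudoers.d rather than into /etc/sudoers, and the trust test is made non-interactive so that it fails instead of silently waiting on a password prompt. The user name tidb, the key path and the host list passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: set up the deploy user on a node
# and verify SSH trust plus passwordless sudo from the control machine.
# DEPLOY_USER, KEY and the hosts given on the command line are assumptions.

DEPLOY_USER="${DEPLOY_USER:-tidb}"
KEY="${KEY:-$HOME/.ssh/id_rsa}"
SSH_BIN="${SSH_BIN:-ssh}"   # overridable so the check can be exercised offline

# The grant TiUP needs for the deploy user. It is full root, so keep it in its
# own file where it is easy to review and to remove when no longer needed.
sudoers_line() {
    printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$1"
}

# Write the grant to a drop-in (default /etc/sudoers.d/<user>) with the mode
# sudo requires. visudo -cf parses the file before sudo ever reads it; it also
# checks ownership, so the check is only meaningful when run as root.
write_sudoers() {
    user="$1"
    dropin="${2:-/etc/sudoers.d/$user}"
    sudoers_line "$user" > "$dropin"
    chmod 0440 "$dropin"
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$dropin"
    fi
}

# Run once per node as root: create the user (set a password separately with
# passwd if you want one; the key is what SSH will use) and grant sudo.
setup_node() {
    id "$DEPLOY_USER" >/dev/null 2>&1 || useradd -m "$DEPLOY_USER"
    write_sudoers "$DEPLOY_USER"
}

# From the control machine as the deploy user. BatchMode=yes makes ssh fail
# instead of prompting for a password, and sudo -n fails instead of prompting,
# so exit status 0 proves key-only login and passwordless sudo together.
check_host() {
    $SSH_BIN -i "$KEY" -o BatchMode=yes -o ConnectTimeout=5 \
        "$DEPLOY_USER@$1" 'sudo -n true'
}

# Check every host given, report each one to stderr, print the failure count.
count_failures() {
    failed=0
    for h in "$@"; do
        if check_host "$h" >/dev/null 2>&1; then
            echo "ok   $h" >&2
        else
            echo "FAIL $h" >&2
            failed=$((failed + 1))
        fi
    done
    echo "$failed"
}

# Usage on the control machine: sh check_trust.sh 21.72.124.39 21.72.124.40
if [ "$#" -gt 0 ]; then
    n=$(count_failures "$@")
    [ "$n" -eq 0 ] || exit 1
fi
```

Run setup_node as root on each node, then run the script as tidb on the control machine with the node addresses as arguments; a non-zero exit means at least one node still prompts for something, which is exactly what would later make TiUP hang.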

| username: TiDBer_小阿飞 | Original post link

I wrote the installation and deployment documentation myself; you can refer to it here:

| username: GreenGuan | Original post link

Of course, it’s supported. The core is to establish the SSH trust relationship with Ansible. Once that’s done, you can switch users and use TiUP to deploy the cluster.

| username: TiDBer_rYOSh9JN | Original post link

Using sudo without a password essentially still makes you a root user… Can a regular user with normal permissions install and deploy?

| username: TiDBer_小阿飞 | Original post link

Granting permissions to ordinary users is sufficient, but without passwordless mutual trust, the cluster cannot be deployed.

| username: TiDBer_rYOSh9JN | Original post link

Ordinary users don’t need sudo permissions for passwordless mutual trust, right?

| username: forever | Original post link

Setting mutual trust can be done by any user.

| username: 源de爸 | Original post link

Using a non-root account, you still need to elevate privileges in the end.

| username: 连连看db | Original post link

Privilege escalation is quite normal. As long as it’s well-restricted, there’s no big issue.

| username: Soysauce520 | Original post link

You can use other users to deploy. The YAML file specifies the installation user, and if you use root to install, it will still be placed under the corresponding user. Generally, the tidb user is used.

| username: RenlySir | Original post link

Of course, it is supported, but the deployment user needs sudo privileges. You can grant the necessary permissions using visudo.

| username: zhaokede | Original post link

The biggest fear with non-root deployment is the various permission issues that can arise, which can sometimes be quite difficult to troubleshoot.

| username: chenhanneu | Original post link

High-privilege users are only needed during deployment (scale-out) to create the TiDB-related services (systemctl status xxx, etc.). Routine maintenance does not require this; only the regular user specified in the configuration file during deployment is needed.

| username: zhanggame1 | Original post link

If root can be used once on the cluster machines, it is simplest to install as root. After installation, it automatically adds the tidb user to run the cluster, and at that point you can disable the root user. It is best not to deploy tiup under root.

| username: YuchongXU | Original post link

Supported; configure sudo.

| username: 随缘天空 | Original post link

Sure; actually, the root user will add a tidb user by default after installation. If you use other users, there may be various permission issues.

| username: Daniel-W | Original post link

Supported; you need to configure sudo permissions. If sudo permissions are not configured, specify the tidb user in the yaml file and use the root user and password when deploying the cluster. This will automatically grant sudo permissions to the tidb user.
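
The two deployment paths described in this thread, as an added example that is not from the original posts or from TiDB's own documentation: a minimal topology that names tidb in global.user as the run-time account, then either a key-based deploy as tidb (after the trust and sudo setup) or a root deploy that lets TiUP create the user and grant it sudo. The cluster name, version, host addresses and directories are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: minimal TiUP topology with the
# deploy user set in global.user, and the two ways to run the deploy.
# Cluster name, version, host addresses and directories are assumptions.

CLUSTER="${CLUSTER:-demo}"
VERSION="${VERSION:-v7.5.0}"
DEPLOY_USER="${DEPLOY_USER:-tidb}"
KEY="${KEY:-$HOME/.ssh/id_rsa}"
TOPO="${TOPO:-topology.yaml}"

# Write a one-node-per-role topology. global.user is the account the cluster
# processes run as on every node; it is not the account tiup logs in with.
# Hosts after the user default to the first one when omitted.
write_topology() {
    file="$1"; user="$2"; shift 2
    pd="$1"; tidb="${2:-$1}"; tikv="${3:-$1}"
    cat > "$file" <<EOF
global:
  user: "$user"
  ssh_port: 22
  deploy_dir: "/tidb-deploy"
  data_dir: "/tidb-data"
pd_servers:
  - host: $pd
tidb_servers:
  - host: $tidb
tikv_servers:
  - host: $tikv
EOF
}

# Login arguments for tiup, chosen by how the login account was prepared:
#   key  - the deploy user already has SSH trust and passwordless sudo
#   root - log in as root with a password (-p prompts for it); TiUP then
#          creates global.user on each node and grants it sudo itself
login_args() {
    case "$1" in
        key)  echo "--user $DEPLOY_USER -i $KEY" ;;
        root) echo "--user root -p" ;;
        *)    echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Pre-flight the OS settings (--apply fixes what it can), deploy, start, show.
deploy() {
    mode="$1"
    args=$(login_args "$mode") || return 1
    # args is a list of flags and is split on purpose
    tiup cluster check "$TOPO" $args --apply
    tiup cluster deploy "$CLUSTER" "$VERSION" "$TOPO" $args
    tiup cluster start "$CLUSTER"
    tiup cluster display "$CLUSTER"
}

# Usage: sh deploy.sh key     (after the trust/sudo setup as tidb)
#        sh deploy.sh root    (let TiUP create the tidb user)
if [ "$#" -gt 0 ]; then
    write_topology "$TOPO" "$DEPLOY_USER" 21.72.124.39 21.72.124.40 21.72.124.40
    deploy "$1"
fi
```

In both modes the cluster ends up running as the user named in global.user; the difference is only which account tiup uses to log in and whether you or TiUP performs the sudo grant. Run tiup itself from the tidb account on the control machine rather than from root.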

| username: zhang_2023 | Original post link

Definitely supported; you just need sudo permissions :grinning:

| username: DBAER | Original post link

Supported; just configure sudo permissions.