Posted to users@solr.apache.org by Kirk Baker <ki...@lexicalintelligence.com> on 2023/04/28 13:52:49 UTC
Running solr service with nologin solr user
We are running Solr 9.1 on RedHat Linux. My organization's security
requirements stipulate that all system accounts have a non-interactive
shell. When I set the 'solr' user to nologin, the solr service fails. Does
anyone have any recommendations on running solr with a nologin user?
--
Kirk Baker, PhD
President
Lexical Intelligence, LLC
202-643-3188
Re: Running solr service with nologin solr user
Posted by Gus Heck <gu...@gmail.com>.
Error message?
On Fri, Apr 28, 2023 at 9:53 AM Kirk Baker <
kirk.baker@lexicalintelligence.com> wrote:
> We are running Solr 9.1 on RedHat Linux. My organization's security
> requirements stipulate that all system accounts have a non-interactive
> shell. When I set the 'solr' user to nologin, the solr service fails. Does
> anyone have any recommendations on running solr with a nologin user?
> --
> Kirk Baker, PhD
> President
> Lexical Intelligence, LLC
> 202-643-3188
>
--
http://www.needhamsoftware.com (work)
http://www.the111shift.com (play)
Re: Running solr service with nologin solr user
Posted by Shawn Heisey <ap...@elyograg.org>.
On 4/28/23 07:52, Kirk Baker wrote:
> We are running Solr 9.1 on RedHat Linux. My organization's security
> requirements stipulate that all system accounts have a non-interactive
> shell. When I set the 'solr' user to nologin, the solr service fails. Does
> anyone have any recommendations on running solr with a nologin user?
Gus: The error message I saw was "This account is currently not available."
I found a workaround. Add "-s /bin/sh" to the su command in the init
script, which will most likely be /etc/init.d/solr unless you have
changed the service name. This is the new line ... the original is
found near the end of the script:
su -s /bin/sh -c "SOLR_INCLUDE=\"$SOLR_ENV\" \"$SOLR_INSTALL_DIR/bin/solr\" $SOLR_CMD" - "$RUNAS"
I'm thinking we should add this to the codebase. The init script
shebang is "#!/bin/sh" so we are already assuming that this shell is
there ... which I do not think is a bad assumption. The shebang in the
solr script will find bash, so passing an explicit shell on the su
command that isn't bash will not interfere with that.
I also think that the service installer should find "nologin" and set
the solr user's shell to that, falling back to /bin/sh if it is not
found. We probably have examples in the ref guide of using su to run
bin/solr commands that will need updating with that change.
Thanks,
Shawn
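
Added example, not part of the thread or of Solr's install script: a sketch of the installer behaviour proposed above (look for "nologin", fall back to /bin/sh) together with a check that a service account's shell is non-interactive. The function names, the candidate path list and the sample passwd entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; function names and candidate paths are assumptions.

# Print the first nologin binary found (optionally under a root prefix),
# falling back to /bin/sh when none exists.
find_service_shell() {
    root="${1:-}"
    for candidate in /sbin/nologin /usr/sbin/nologin /usr/bin/nologin; do
        if [ -x "$root$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    printf '%s\n' /bin/sh
}

# Print the login shell (7th field) of a user from a passwd-format file.
# Exits non-zero when the user is not listed.
account_shell() {
    user="$1"; passwd_file="${2:-/etc/passwd}"
    awk -F: -v u="$user" '$1 == u { print $7; found = 1 } END { exit !found }' "$passwd_file"
}

# Return 0 if the account's shell is nologin or false, 1 if it is an
# interactive shell, 2 if the account does not exist.
is_noninteractive() {
    shell_path=$(account_shell "$1" "${2:-/etc/passwd}") || return 2
    case "$shell_path" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample passwd entries (not taken from the thread).
sample=$(mktemp)
printf '%s\n' 'solr:x:990:990::/var/solr:/sbin/nologin' \
              'app:x:1001:1001::/home/app:/bin/bash' > "$sample"
for u in solr app; do
    if is_noninteractive "$u" "$sample"; then
        echo "$u: non-interactive shell"
    else
        echo "$u: interactive shell"
    fi
done
echo "installer would assign: $(find_service_shell)"
rm -f "$sample"
```

An account that passes is_noninteractive is the case where the init script's su call needs the explicit "-s /bin/sh" shown in the workaround.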