Installing as a Nonroot User
When installing InterSystems IRIS in a production environment, InterSystems recommends using root privileges. It is possible to run an InterSystems IRIS installation without root privilege, but these installations have several limitations. The following sections describe these limitations and the differences from a standard InterSystems IRIS installation.
Root privilege should only be used when installing InterSystems IRIS. Once the installation is complete, all users should interact with InterSystems IRIS using nonroot privileges.
Why InterSystems IRIS Installation Uses Root
InterSystems IRIS is typically installed using root and operated using nonroot privileges. Several features require root access, but the majority of processes run as a user or group that you specify during installation. The purpose of these users and groups, and how they use root, is described in UNIX Users, Groups, and Permissions.
InterSystems IRIS processes that utilize root privileges include:
-
The Virtual IP process, which has root as its effective user ID (UID) to modify network settings on the operating system.
-
The Control Process, which has the instance owner as its effective UID and root as its real UID. The real UID is used to get large pages at startup and to communicate with other InterSystems IRIS processes.
-
The startup executables, which have root as the effective UID.
Installing InterSystems IRIS as root also enhances security by ensuring that only users with root privileges can modify or replace the file structure.
Nonroot Installation Limitations
While nonroot installations of InterSystems IRIS are supported, there are several features that cannot be used in instances installed in this way:
-
The installation mount point cannot be mounted with nosuid set.
-
The Web Gateway cannot be configured to use an external web server.
-
A mirror Virtual IP cannot be used.
Note:For alternative methods of routing network traffic, such as using a network load balancer or the Web Gateway, see Redirecting Application Connections Following Failover or Disaster Recovery.
-
There is no option to specify the instance owner and group allowed to start and stop InterSystems IRIS during installation (as described in Determining Owners and Groups).
-
There is no group access. All instance files, including the registry, are owned and can be read, written, and executed by the installing user only.
For example, where a standard instance might have:
-rws--x--- 5 root develop 43282 Aug 28 07:52 irismgr -r-x--s--x 1 <nonroot-user> irisusr 23058 Aug 28 07:52 irisuxsession
a nonroot instance would have:
-rwx------ 5 <installing-user> develop 43282 Aug 28 07:52 irismgr -r-x------ 1 <installing-user> develop 23058 Aug 28 07:52 irisuxsession
The registry is located in the directory specified by IRISSYS, and nonroot instances are found in that registry. (The iris executable is also in that directory.) Only nonroot instances may be in the nonroot registry. Any attempt to access a root-installed instance from a nonroot registry fails. Conversely, a nonroot instance may be defined in a root-registry, but an attempt to access the instance by any user other than the owner fails.
InterSystems recommends that the registry be placed in a directory that is local to the machine on which the instance is installed, not an NFS directory. Note that the standard location /usr/local/etc is such a directory.
Nonroot Installation Differences
Along with the feature limitations described above, there are several apparent differences between root and nonroot InterSystems IRIS installations:
-
The IRISSYS environment variable must be defined as an existing directory writable by the installing user, and must be present during installation and all instance operations.
-
The ISCAgent is installed in the directory specified by IRISSYS.
Note:For information about starting the ISCAgent for a nonroot instance, see Starting the ISCAgent for Nonroot Instances on UNIX®/Linux and macOS Systems in the “Mirroring” chapter of the High Availability Guide.
-
Only the installing user’s account can access and operate the InterSystems IRIS instance.
-
All InterSystems IRIS executables and processes run as the installing user.