Run Pepperdata as a Non-Root User (RPM/DEB)

If your organization requires that everything be run under the principle of least privilege (PoLP), you can run Pepperdata as a non-root user—a user who lacks root access to the cluster hosts. To change from the default root user to another user, stop the Pepperdata services, remove the default log directory, change the PD_USER variable in the Pepperdata configuration file, pepperdata-config.sh, and restart the Pepperdata services.

Important: Some I/O, CPU, and network metrics collection require privileged access. Therefore, when you run Pepperdata as a non-root user, Pepperdata is unable to collect the data that requires privileged access.

On This Page

Uncollected Metrics with a Non-Root User
Reconfigure the Pepperdata User

Uncollected Metrics with a Non-Root User

When you run Pepperdata as a non-root user, some I/O, CPU, and network metrics are not collected. The table lists the uncollected metrics by their display name in the dashboard and by the underlying metric name.

Display Name	Variable Name
cpu stat nice max	`t_rscpunmx`
cpu stat nice min	`t_rscpunmn`
File descriptor stat file descriptor count	`t_rscfdc`
I/O stat requested read bytes	`t_rsciorb`
I/O stat requested read syscalls	`t_rscioscr`
I/O stat requested syscall writes	`t_rscioscw`
I/O stat storage write bytes	`t_rsciowb`
I/O stat requested write bytes	`t_rsciowc`
socket stat number of sockets	`t_rscsss`

Reconfigure the Pepperdata User

The Pepperdata user is configured in the Pepperdata configuration file.

Procedure

Stop the Pepperdata services.
Ensure that the /var/log/pepperdata has the necessary access privileges for the new non-root user.
- If you have already been running Pepperdata as the root user, and you want to retain logging data ensure that there are no gaps in metrics coverage, change the log file’s privileges to enable access by the new, non-root user.
  
  Be sure to replace the new-pd-user placeholder with your actual user name.
  
  find /var/log/pepperdata -user root -exec chown new-pd-user {} \;
- If you are performing a new Pepperdata installation or you do not want to retain the logging data, remove the log file. When Pepperdata starts and this log file does not exist, it creates the file with the necessary privileges.
  
  rm /var/log/pepperdata
On any host in the cluster, open the Pepperdata configuration file, /etc/pepperdata/pepperdata-config.sh, for editing.
Find the PD_USER environment variable and change its value.

Be sure to replace the new-pd-user placeholder with your actual user name.

export PD_USER=new-pd-user
Save your changes and close the file.
On every host in the cluster, restart the PepCollector and PepAgent services.
1. Restart the Pepperdata Collector.
  
  You can use either the service (if provided by your OS) or systemctl command:
  - sudo service pepcollectd restart
  - sudo systemctl restart pepcollectd
1. Restart the PepAgent.
  
  You can use either the service (if provided by your OS) or systemctl command:
  - sudo service pepagentd restart
  - sudo systemctl restart pepagentd