Node red is intended to be run from an unprivileged service account (much in the same way that Apache2 typically uses www-data), and hence node red flow developers do not have direct access to root services. Linux provides standard sandboxing patterns (e.g. using /etc/sudoers) if specific privileged functions need to be made accessible to flows.
Node-red runs as root, and this means that any flow has full root access to the processor.
Construct a minimal flow timestamp -> exec -> debug with the exec script as ps -u and you get a ps -u root listing. Alternatively replace this by a shutdown -H now to get a better idea of the vulnerability.
dietpi-bugreport? No, not for this one.
I will post my suggested workaround here when done.
@TerryE
Hi,
can you please share with us:
cat /etc/debian_version
Extra details:
I will post my suggested workaround here when done.
Nice, thanks. We are excited.
can you please share with us:
cat /etc/debian_version
8.0
This install was only done a few days ago.
@TerryE
Thanks for the information, confirmed we currently use root for this installation:
https://github.com/Fourdee/DietPi/blob/master/dietpi/dietpi-software#L9742-L9764
I have two installations where I use node-red: my main NAS server and a Kodi box. It was a simple task to add a node-red user and set up sudo on my NAS. However it can be very convenient to have node-red running under root as it does on my Kodi box where I use it to shutdown and reboot the system.
I would suggest having an option to have node-red run under either its own user or root
However it can be very convenient to have node-red running under root as it does on my Kodi box where I use it to shutdown and reboot the system.
@DarkElvenAngel , you do not need to run Node red as root to do this, but you do need to learn how to use sudoers.
@Fourdee Dan, the DietPi installation sometimes uses a convention which isn't aligned to normal Linux practices. I've raised this as a separate issue #1297
@TerryE you're exactly right, I don't need to run as root; I just never bothered to set my Kodi box to run as its own user
@Fourdee I have already set up and run node-red as its own user; would there be a good place to post my setup?
@DarkElvenAngel
@Fourdee I have already set up and run node-red as its own user; would there be a good place to post my setup?
Thanks for the offer, by all means post if you are willing to share 👍
I'm attaching my setup for node-red that runs under its own user. UPDATED
Stop node-red service
```
service node-red stop
```
Next edit /etc/systemd/system/node-red.service and change User=root to User=node-red
```
nano /etc/systemd/system/node-red.service
```
```
[Unit]
Description=Node-Red
[Service]
Type=simple
User=node-red
ExecStart=/usr/local/bin/node-red -u /mnt/dietpi_userdata/node-red
[Install]
WantedBy=multi-user.target
```
Created a user and group for node-red
```
addgroup --system --gid 155 node-red
adduser --system --home /mnt/dietpi_userdata/node-red --no-create-home --shell /bin/false --uid 155 --gid 155 node-red
```
Give the user node-red the ability to write to its directory
```
chmod ug+rwx -R /mnt/dietpi_userdata/node-red
chown node-red:node-red -R /mnt/dietpi_userdata/node-red
```
Since we have changed the service, run
```
systemctl daemon-reload
```
Then we start node-red service with
```
service node-red start
```
Now node-red is running under the node-red user
If you want node-red to run commands with sudo we run
```
echo "node-red ALL=NOPASSWD: ALL" >> /etc/sudoers
```
and add user node-red to the sudo group
```
adduser node-red sudo
```
NOTES:
I've updated this post to conform to *nix Standard and to confirm that using node-red as a system user and group now works out of the box.
@TerryE for your application you can try using the www-data user, but I haven't tested that. I know this setup works; it has been running for 8+ months
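The two questions this thread turns on are whether the systemd unit still runs Node-RED as root (the original report) and whether the sudoers grant in the setup post above is broader than the Kodi-box use case (shutdown and reboot) actually needs. The following POSIX shell script is an added example written for this page; it is not DietPi's code and not part of any comment. It audits a unit file for the root default, flags a sudoers line that ends in a bare `ALL`, and emits a rule limited to the listed commands. The unit texts and sudoers lines it checks are constructed samples written to a temp directory, and the `/sbin/shutdown` and `/sbin/reboot` paths are assumptions about the target system.

```shell
#!/bin/sh
# Added example, not DietPi's code or any commenter's setup.
# Audits a systemd unit for the "runs as root" problem and checks whether a
# sudoers grant is wider than the shutdown/reboot job needs.

# Print the account a unit runs as; systemd uses root when User= is absent.
unit_user() {
    u=$(sed -n 's/^User=//p' "$1" | tail -n 1)
    printf '%s\n' "${u:-root}"
}

# Succeed when the unit runs as something other than root.
unit_is_unprivileged() {
    [ "$(unit_user "$1")" != root ]
}

# Succeed when any non-comment sudoers line ends its command list with the
# bare word ALL, i.e. the account may run every command on the host.
sudoers_grants_all() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -Eq '^[^[:space:]]+[[:space:]]+ALL[[:space:]]*=(.*[[:space:],:])?ALL[[:space:]]*$'
}

# Emit a rule restricted to the listed commands (assumed paths), for the
# "shutdown and reboot from a flow" use case instead of NOPASSWD: ALL.
least_privilege_rule() {
    user=$1; shift
    cmds=$(printf '%s, ' "$@"); cmds=${cmds%, }
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$cmds"
}

# --- constructed sample inputs, not files taken from a real system ---
SAMPLE_DIR=$(mktemp -d)

# Unit with no User= line: systemd will run it as root.
ROOT_UNIT=$SAMPLE_DIR/node-red-root.service
cat > "$ROOT_UNIT" <<'EOF'
[Unit]
Description=Node-Red
[Service]
Type=simple
ExecStart=/usr/local/bin/node-red -u /mnt/dietpi_userdata/node-red
[Install]
WantedBy=multi-user.target
EOF

# Unit with the dedicated service account from the setup post.
SAFE_UNIT=$SAMPLE_DIR/node-red-user.service
cat > "$SAFE_UNIT" <<'EOF'
[Unit]
Description=Node-Red
[Service]
Type=simple
User=node-red
ExecStart=/usr/local/bin/node-red -u /mnt/dietpi_userdata/node-red
[Install]
WantedBy=multi-user.target
EOF

# The grant from the setup post (every command) beside a restricted one.
BROAD_SUDOERS=$SAMPLE_DIR/sudoers-broad
printf '%s\n' 'node-red ALL=NOPASSWD: ALL' > "$BROAD_SUDOERS"

TIGHT_SUDOERS=$SAMPLE_DIR/sudoers-tight
least_privilege_rule node-red /sbin/shutdown /sbin/reboot > "$TIGHT_SUDOERS"

# Report what the audit finds for each sample.
for f in "$ROOT_UNIT" "$SAFE_UNIT"; do
    printf '%s runs as: %s\n' "$f" "$(unit_user "$f")"
done
for f in "$BROAD_SUDOERS" "$TIGHT_SUDOERS"; do
    if sudoers_grants_all "$f"; then
        printf '%s: grants ALL commands\n' "$f"
    else
        printf '%s: restricted command list\n' "$f"
    fi
done
```

On a real host you would point `unit_user` at /etc/systemd/system/node-red.service and `sudoers_grants_all` at /etc/sudoers or a file under /etc/sudoers.d; the rule printed by `least_privilege_rule` is the shape to drop in there (via visudo) when a flow only needs to power the box off.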
@DarkElvenAngel, as a general principle you should use separate service accounts for separate services. That way you have the option of using UID / GID-based access control to isolate web apps from Node RED ones, etc. Such dynamically allocated service accounts are usually allocated in the 100-499 range(1), not 55 as you have used. :smile:
@TerryE I chose 55 because I need a static UID that is available on all nodes on the network. 55 is not used.
On FreeBSD, porters who need a UID for their package can pick a free one from the range 50 to 999 and then register the static allocation.
On FreeBSD, porters who need a UID for their package can pick a free one from the range 50 to ...
Sorry, I didn't realise that you used BSD. Even so, if you want this to apply over other *nix platforms, then it makes sense also to comply with the Linux Standard Base Core Specification.
@TerryE so I will update to UID:GID 155:155 and that should satisfy all requirements, yes? I've updated my setup post. Thanks for the insight.
@Fourdee perhaps you can unlock #1297 so I can respond in the correct issue. Re logs, the services still log to the RAMdisk /var/log hierarchy. Dietpi optionally preserves these statically prior to shutdown. The correct place to do this is in the /var/lib/dietpi hierarchy, though there is no reason why this shouldn't optionally be symlinked to a node in another FS.
@Fourdee Dan, BTW I think that the title is wrong: it should be Run nodered under its own service account. There are good reasons why this should be separate from www-data.
@DarkElvenAngel, you typically don't statically allocate service account UIDs. I created my version by
```
adduser --system --group --no-create-home --shell=/bin/nologin nodered
```
NodeRed will run under user nodered in v160, thanks @TerryE 👍
Test install passed.
Completed.
