Connect Server User

The Posit Connect server runs as the privileged user root in most installations. The product installation defaults assume Connect runs as the root user. This configuration lets Connect manage files and run processes for multiple Unix users.

Some organizations have strict security requirements that prohibit the deployment of applications which require root. Most environments do not have this restriction and use root to run Connect.

You may be able to run Connect as an unprivileged user if your environment does not need to use multiple Unix users. This configuration prevents the use of some features.

You must run Connect as root if you use PAM authentication, current-user execution (enabled using the Applications.RunAsCurrentUser setting), or customize the run_as user for deployed content.

Only environments which use off-host execution with Kubernetes are currently capable of running Connect as an unprivileged user. Future product updates may allow additional Connect configurations to run as an unprivileged user.

Requirements

The following configuration must be in place in order for Connect to run as an unprivileged user:

• Launcher.Enabled and Launcher.Kubernetes must be enabled.
• Authentication.Provider cannot be “PAM”.
• Applications.RunAsCurrentUser cannot be enabled.
• Applications.RunAsEnabled cannot be enabled and is automatically disabled when Connect runs as an unprivileged user.
• The Applications.RunAs Unix user must mirror the user running the Connect process.
• The Applications.SharedRunAsUnixGroup Unix group must mirror the primary group of the user running the Connect process. The default empty value is acceptable and will be populated automatically.
• The Metrics.User must mirror Applications.RunAs. The default empty value is acceptable and will be populated automatically.
• The Launcher.User Unix user must mirror the user running the Connect process. The default empty value is acceptable and will be populated automatically.
• The Launcher.Group Unix group must mirror the primary group of the user running the Connect process. The default empty value is acceptable and will be populated automatically.

The Helm configuration example shows one way to meet these requirements.

File ownership and permissions

This section describes the settings and locations which are essential to adjust when Connect is run by an unprivileged user. It does not enumerate every setting which identifies a file system location. Any configuration setting which specifies a file or directory path must be available to the Unix user running the Connect process.

The migration section provides guidance when migrating to a rootless configuration from one which previously used root.

Data directories

The Connect data directory must be owned by the Unix user running the Connect process. This location is defined by Server.DataDir setting and has a default location of /var/lib/rstudio-connect.

The Connect configuration file, which is typically installed into /etc/rstudio-connect/rstudio-connect.gcfg must be readable by the Unix user running the Connect process.

The Connect launcher configuration directory must be owned by the Unix user running the Connect process. This location is controlled by the Launcher.ConfigDir setting with a default location of /etc/rstudio-connect/launcher.

The Connect launcher scratch directory must be owned by the Unix user running the Connect process. This location is controlled by the Launcher.ScratchPath setting with a default location of /var/lib/rstudio-connect-launcher.

Licensing

License files must be installed beneath /var/lib/rstudio-connect and readable by the Unix user running the Connect process.

sudo chown rstudio-connect <license-file>.lic
sudo chmod 0600 <license-file>.lic
sudo cp -a <license-file.lic> /var/lib/rstudio-connect/

License keys are only supported when Connect is run by the root user.

The rstudio/rstudio-connect image installs the license file into the expected location.

Logging

The Connect service log must target STDOUT, STDERR, or a file path that can be written by the Unix user running the Connect process.

When the Connect audit and access logs are enabled, they must target a file path that can be written by the Unix user running the Connect process.

The Connect Helm chart logging configuration sends the service log and access log to STDOUT, while the audit log is disabled.

Example

The following values.yaml file shows a way to configure the Connect Helm chart to run the Connect server as the rstudio-connect user (having uid:gid 999:999 in the container).

Use the off-host execution installation instructions for additional information about running Connect in Kubernetes.

This example uses a host mount for shared storage, but this type of volume is not required. The two emptyDir volumes ensure that their mounted locations are writable by the rstudio-connect user.

Configure a PostgreSQL database connection before using this example in your environment.

pod:
  securityContext:
    runAsUser: 999
    runAsGroup: 999
    fsGroup: 999
    runAsNonRoot: true

  volumeMounts:
    - mountPath: /etc/rstudio-connect/launcher
      name: launcher-configuration
    - mountPath: /var/lib/rstudio-connect-launcher
      name: launcher-data
    - mountPath: /var/lib/rstudio-connect
      name: connect-data
  volumes:
    - name: launcher-configuration
      emptyDir:
        sizeLimit: 50Mi
    - name: launcher-data
      emptyDir:
        sizeLimit: 100Mi
    - name: connect-data
      hostPath:
        path: /volumes/connect-data-prod
        type: Directory

sharedStorage:
  create: false
  mount: false
  mountContent: false
  path: /var/lib/rstudio-connect
  name: connect-data

launcher:
  enabled: true
  useTemplates: true

config:
  Launcher:
    DataDir: /volumes/connect-data-prod
  Logging:
    ServiceLog: STDOUT
    ServiceLogLevel: INFO
    ServiceLogFormat: TEXT
    AccessLog: STDOUT
    AccessLogFormat: COMMON

Migration

If your configuration previously ran Connect as root, you need to adjust the permissions of the Connect variable data.

When Connect is run by the rstudio-connect user, the Connect data volume is fully owned by the rstudio-connect:rstudio-connect user. When Connect runs as root, some of the Connect variable data is owned by root and other data is owned by one or more Unix users.

Run the following command against your data volume. You must not take this action while any Connect instance is actively using the data volume.

sudo chown -R 999:999 /volumes/connect-data-prod

This example command uses uid:gid 999:999, as that corresponds to the rstudio-connect user and group within the container image. Use an appropriate uid:gid combination for your environment.