Installing UFM as an Un-Privileged User
In certain scenarios, you may need to install UFM as an unprivileged user, meaning without full root access. This is useful for environments where user permissions are restricted or when running UFM within a containerized setup. UFM-Enterprise supports this type of installation with a straightforward procedure that involves a one-time root-level preparation and an automation script for easy setup.
The following guidelines apply to environments using Podman (not supported with Docker) and have been tested on Oracle Linux 8.10 with Podman version 4.9.4.
/dev/infiniband/umadX device(s) should be accessible to the required user.
The Podman socket needs to have permissions for the specified user. This is achieved by adding a podman-ufm.socket and a podman-ufm.service with the required user permissions.
The UFM-Enterprise systemd unit file should contain User and Group indications.
UFM uses port 443 by default. When running as an un-privileged user, the port needs to be changed to one higher than 1024 (<1024 is the privileged port range in the Linux kernel); port 8443 will be used.
A ufmadm user should be added with uid 733 and its home directory path set to /opt/ufm; this is the user that the UFM container will run as.
NOTE - the username and uid can be changed if needed; in HA, make sure that the uid and username are the same on all the servers in the cluster.
NOTE - /opt/ufm must be used as the install path and the user's home directory.
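The prerequisites above can be verified on the host before the one-time root setup. The following pre-flight check is an added example, not part of the UFM package: the function names and the `--run` switch are hypothetical, and it assumes `getent`, `runuser` (util-linux) and the `net.ipv4.ip_unprivileged_port_start` sysctl are available.

```bash
#!/usr/bin/env bash
# Pre-flight check for the rootless prerequisites (added example, not NVIDIA's script).
UFM_USER="${UFM_USER:-ufmadm}"   # defaults are the values stated on this page
UFM_UID="${UFM_UID:-733}"
UFM_HOME="${UFM_HOME:-/opt/ufm}"
UFM_PORT="${UFM_PORT:-8443}"

# passwd_entry_ok LINE UID HOME: LINE is one passwd(5) record as printed by getent.
passwd_entry_ok() {
    local uid home
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    [ "$uid" = "$2" ] && [ "$home" = "$3" ]
}

# port_is_unprivileged PORT [FLOOR]: FLOOR defaults to the kernel's first
# unprivileged port (net.ipv4.ip_unprivileged_port_start, normally 1024).
port_is_unprivileged() {
    local floor="${2:-$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024)}"
    [ "$1" -ge "$floor" ] && [ "$1" -le 65535 ]
}

# umad_accessible DIR [USER]: every DIR/umad* node must be readable and writable.
# With USER set (run as root), the access test is executed as that user.
umad_accessible() {
    local dev found=1
    for dev in "$1"/umad*; do
        [ -e "$dev" ] || continue
        found=0
        if [ -n "${2:-}" ]; then
            runuser -u "$2" -- test -r "$dev" -a -w "$dev" || return 1
        else
            [ -r "$dev" ] && [ -w "$dev" ] || return 1
        fi
    done
    return "$found"   # fails when no umad device exists at all
}

preflight() {
    local rc=0
    passwd_entry_ok "$(getent passwd "$UFM_USER")" "$UFM_UID" "$UFM_HOME" \
        || { echo "FAIL: $UFM_USER needs uid $UFM_UID and home $UFM_HOME"; rc=1; }
    port_is_unprivileged "$UFM_PORT" \
        || { echo "FAIL: port $UFM_PORT is in the privileged range"; rc=1; }
    umad_accessible /dev/infiniband "$UFM_USER" \
        || { echo "FAIL: $UFM_USER cannot read/write /dev/infiniband/umad*"; rc=1; }
    return "$rc"
}
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it as root with `--run`; set `UFM_USER` and `UFM_UID` in the environment when the installation uses values other than the ones listed above.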
To install UFM-Enterprise as an unprivileged user, a one-time setup as the root user is required. You can automate this process using the deploy_rootless_ufm.sh script.
The deploy_rootless_ufm.sh script supports the following options:
Flag | Description |
--install | Installs the UFM container as an unprivileged user (default option). |
--uninstall | Removes UFM and all related configurations from the host. |
--upgrade | Upgrades UFM. |
--ib-interface | Specifies the IB fabric interface name (default: ib0). Optional; used only with the --install flag. |
--mgmt-interface | Specifies the management interface name (default: the default route interface, or eth0 if not found). Optional; used only with the --install flag. |
--local-certs-dir | Directory on the host containing the SSL certificate and key (optional). |
--user | Specifies the username for the unprivileged UFM user. If the user does not exist, it will be created locally (default: "ufmapp"). Optional; used only with the --install flag. |
--uid | Specifies the user UID (default: 733). Optional; used only with the --install flag. |
--group | Specifies the group name for the unprivileged UFM user. If the group does not exist, it will be created locally (default: "ufmapp"). Optional; used only with the --install flag. |
--gid | Specifies the group GID (default: 733). Optional; used only with the --install flag. |
| Skips the user creation/removal during installation/uninstallation (optional). |
Note: All flags are optional and default values will be used if none are specified. If no flags are provided, the script will proceed with installation using default settings.
Examples:
Install with default values:
deploy_rootless_ufm.sh
Install with custom values:
deploy_rootless_ufm.sh --install --user <user_name> --uid <uid> --group <group_name> --gid <gid> --ib-interface ib0 --mgmt-interface eno1 --local-certs-dir /opt/ufm/local_certs
Uninstall:
deploy_rootless_ufm.sh --uninstall
Upgrade:
deploy_rootless_ufm.sh --upgrade