How to Run Supervisord as Non-Root User: Solving Permission and Daemonization Issues



When attempting to run supervisord as a non-root user, you'll typically encounter two critical errors:

2010-05-24 08:53:32,143 CRIT Set uid to user 1000
2010-05-24 08:52:15,761 CRIT Can't drop privilege as nonroot user

These messages point to permission and daemonization problems, which the configuration changes below address.

First, modify your supervisord.conf with these key settings:

[supervisord]
user=jason
nodaemon=false
logfile=/var/log/supervisor/supervisord.log   ; directory created and chowned below
pidfile=/home/jason/supervisord.pid           ; /var/run is writable only by root

[unix_http_server]
file=/tmp/supervisor.sock
chmod=0770
chown=jason:jason

Ensure proper ownership and permissions for critical files:

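# Log directory: creating it under /var/log needs root once
sudo mkdir -p /var/log/supervisor
sudo chown jason:jason /var/log/supervisor
# Socket: the file exists only after supervisord has started
sudo chown jason:jason /tmp/supervisor.sock
sudo chmod 770 /tmp/supervisor.sock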

Try these approaches to launch supervisord without root:

Method 1: Direct execution with custom paths

supervisord -c /path/to/supervisord.conf \
  --pidfile=/home/jason/supervisord.pid \
  --logfile=/home/jason/supervisord.log

Method 2: Systemd user service (modern Linux systems)

# ~/.config/systemd/user/supervisord.service
[Unit]
Description=Supervisor process control system
After=network.target

[Service]
ExecStart=/usr/bin/supervisord -n -c /etc/supervisord.conf
ExecStop=/usr/bin/supervisorctl shutdown
Restart=on-failure
Environment=HOME=/home/jason

[Install]
WantedBy=default.target

If you still encounter problems, check these aspects:

  1. The user must own all log directories specified in configs
  2. Remove any existing pid files before restarting
  3. Verify socket file permissions after startup
  4. Check SELinux/AppArmor if running on secured systems

Here's a complete working configuration for non-root operation:

[unix_http_server]
file=/home/jason/run/supervisor.sock
chmod=0700
chown=jason:jason

[supervisord]
user=jason
directory=/home/jason
logfile=/home/jason/logs/supervisord.log
pidfile=/home/jason/run/supervisord.pid
nodaemon=false

[program:myapp]
command=/home/jason/bin/myapp
user=jason
autostart=true
autorestart=true
stdout_logfile=/home/jason/logs/myapp.log
stderr_logfile=/home/jason/logs/myapp.err

The two CRIT messages shown above indicate that Supervisor is struggling with user context switching. Unlike many daemons, Supervisor has specific requirements when running as non-root.

Your current configuration needs these critical modifications:

[unix_http_server]
file=/home/jason/supervisor/supervisor.sock  ; User-writable path
chmod=0700                                   ; Secure socket permissions
;chown=jason:jason                          ; Uncomment if using group permissions

[supervisord]
user=jason                                   ; Should match executing user
directory=/home/jason                        ; Absolute path required
pidfile=/home/jason/supervisor/supervisord.pid
logfile=/home/jason/supervisor/supervisord.log

Create a dedicated directory structure with proper permissions:

mkdir -p ~/supervisor/childlogs
chmod 750 ~/supervisor
touch ~/supervisor/supervisord.log
chmod 640 ~/supervisor/supervisord.log

For your Celery configuration, ensure all paths are absolute and writable:

[program:celery]
directory=/home/jason/src/tsched  ; Absolute path required
stdout_logfile=/home/jason/logs/celeryd.log
stderr_logfile=/home/jason/logs/celeryd.log

Instead of using sudo, launch with:

supervisord -c /home/jason/supervisor/supervisord.conf

For debugging, run in foreground first:

supervisord -n -c /path/to/config

1. Socket Permission Issues:
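The unix_http_server socket must live in a directory the user can write to. /tmp often causes permission problems because it is shared by every local account; a directory under the user's home is a better choice.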

2. Environment Variables:
Ensure critical env vars (like ORACLE_HOME in your case) are properly set in the shell before launching Supervisor.

3. Log File Rotation:
Non-root users often can't write to /var/log. Either configure logrotate for user logs or use home directory paths.
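
A pre-flight check for the pitfalls above and the earlier troubleshooting list, as an added example (not part of the original page or of Supervisor itself). The function name audit_conf and the SAMPLE config are constructed for illustration; the check inspects directory ownership and mode bits only and follows the page's advice that user= should match the launching user.

```python
import configparser
import os
import stat

# Constructed sample: system paths a non-root user typically cannot write.
SAMPLE = """[supervisord]
user=jason
logfile=/var/log/supervisord.log
pidfile=/var/run/supervisord.pid
[unix_http_server]
file=/tmp/supervisor.sock
chmod=0770
"""
# Paths supervisord itself creates or writes, by config section.
PATH_KEYS = {"unix_http_server": ["file"], "supervisord": ["pidfile", "logfile"]}
PROGRAM_KEYS = ["stdout_logfile", "stderr_logfile"]

def audit_conf(text, run_as, uid=None):
    """Return a list of problems for launching supervisord as user `run_as`."""
    uid = os.getuid() if uid is None else uid
    # supervisord.conf is INI with ';' comments; '%' must stay literal.
    cp = configparser.RawConfigParser(inline_comment_prefixes=(";",), strict=False)
    cp.read_string(text)
    findings = []
    for sec in cp.sections():
        # Switching to a different user needs setuid(), which needs root.
        user = cp.get(sec, "user", fallback=None)
        if user and user != run_as:
            findings.append(f"[{sec}] user={user}: cannot switch user without root")
        keys = PROGRAM_KEYS if sec.startswith("program:") else PATH_KEYS.get(sec, [])
        for key in keys:
            path = cp.get(sec, key, fallback=None)
            if not path or not os.path.isabs(path):  # unset, AUTO, NONE
                continue
            parent = os.path.dirname(path)
            if not os.path.isdir(parent):
                findings.append(f"[{sec}] {key}: directory {parent} does not exist")
            elif os.stat(parent).st_mode & stat.S_IWOTH:
                findings.append(f"[{sec}] {key}: {parent} is world-writable")
            elif os.stat(parent).st_uid != uid:
                findings.append(f"[{sec}] {key}: {parent} is not owned by uid {uid}")
    mode = cp.get("unix_http_server", "chmod", fallback=None)
    if mode and int(mode, 8) & 0o077:
        findings.append(f"[unix_http_server] chmod={mode}: socket open to group/other")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_conf(SAMPLE, run_as="jason")))
```

An empty result means every path sits in an existing directory owned by the launching user that is not world-writable, and the control socket is restricted to its owner.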

Here's a more robust supervisord.conf for non-root operation:

[unix_http_server]
file=/home/jason/.supervisor/sock
chmod=0700

[supervisord]
nodaemon=false
user=jason
directory=/home/jason
environment=HOME="/home/jason",USER="jason",PATH="/usr/local/bin:/usr/bin:/bin"
pidfile=/home/jason/.supervisor/pid
logfile=/home/jason/.supervisor/log
logfile_maxbytes=50MB
logfile_backups=5

[include]
files=/home/jason/.supervisor/conf.d/*.conf