Install a Node - User and File Structure

I need more clarification on which user does what for my use case. Install a node - Algorand Developer Portal

When installing an Algorand node, the main folder is /var/lib/algorand, and there are systemctl commands to start and stop the node.

There are 3 facts when installing a node. I am stating the facts first to make this question easier to ask and to give context for my confusion.

Facts

  1. Always run the node as user algorand. That’s why there are commands such as
    (sudo -u algorand -E goal account listpartkey -d /var/lib/algorand)
  2. The node is installed in and run from the dir /var/lib/algorand
  3. Never run the node as user root. See fact 1: use -u algorand as an arg

Confusion
Well, if I run the node as the algorand user, how do I log in as the algorand user? What is the password of the algorand user? How do I change the password for user algorand? What is the command to switch user from root to algorand at the terminal?

My Workaround
Therefore, I decided to create the user algodev and run the node from /home/algodev/node/.

I start and run the node as algodev and disabled the algorand service (sudo systemctl disable algorand.service), because the algorand user would start the node, I would have algodev start the node too, and it would freeze, with top showing high cpu / memory usage, because two different users trying to run the node is not good. This was before I disabled the algorand service. So, I think, I created more problems with node updates and restarts pushed by the blockchain to my node. Let’s leave this issue out of the question for now, as it may have created problems but got me further along.

So having the algodev user gave me the ability to run my scripts under the node in dir testnetdata (/home/algodev/node/testnetdata), and I plan to have (/home/algodev/node/prodnetdata) once I roll over to production. I hardcode all -d references in all goal scripts (goal -d /home/algodev/node/testnetdata).

The reason I use this approach is that the scripts all use the same goal in the same dir, giving me the ability to use back-folder (../) and forward-folder (/nextfolder) functionality, and it is easy to understand. No need to think about switching user with -u algorand for goal while trying to run scripts as the algodev user, with permissions changing files, etc.

Please give advice on how I can have my solution of scripts next to goal commands, all inside the node folder AND, most importantly, all with the same user. I assume the algorand user is what I should be using, but I use algodev.

And if there is some validity to my confusion, could we add a paragraph to the Install a Node doc to clarify? Thanks.

You can do it using sudo:

sudo -u algorand -E -s

Note that you can configure sudo so that it allows your user to pretend to be the algorand user but not pretend to be root. You can also configure sudo so that in the latter case no password is asked.
See How To Edit the Sudoers File | DigitalOcean and Sudoers Manual | Sudo for details.

I would strongly recommend using sudo instead of using a password.

That being said, you should be able to set the password of the algorand account using sudo passwd algorand. You may need to take further action to unlock the account and set a shell (How to Change, Remove, or Disable User Password in Linux)

See above sudo.

It is also fine to use the algodev user.
What error did you encounter?
I think updating the Algorand software should not create issues when using this algodev solution.
But you may want to completely disable the Algorand systemd service, so that it does not start automatically:

sudo systemctl disable algorand

Nice! The algorand user is more of a “root permissioned user” with $HOME of /var/lib/algorand, and having the env variables ($ALGORAND_DATA and $PATH) set in the /var/lib/algorand/.bashrc file makes the file structure easy.

sudo -u algorand -E -s

Agree to not change algorand user password.

Separating out the errors from this topic. Will retry node and see if errors happen again.

More importantly, comparing the algorand user to the new user I created, algodev, I want to make sure I don’t open up any security issues.

The only difference in the /etc/group is I have user algodev also as part of the sudo group.

Should I remove algodev from sudo group to be same as algorand user?

This would require me to change my scripts to have prefix of “sudo -u algodev” before goal commands.

Just trying to make sure this approach of algodev user is okay for security reasons. I’m okay with linux… but not an expert when it comes to user / group / services permissions. Your advice would be greatly appreciated.

If you have not created the algorand user, just create one:

useradd -ms /bin/bash algo

I have created non-root Docker images to run the Algorand software… this is how I do it: AlgorandNodes/compose-relaynode-official.dockerfile at 64f098da99a6aff74dcf5a32ed4e90ba1e2f105b · scholtz/AlgorandNodes · GitHub

If you run on Linux and you are root or have sudo rights, just do

sudo passwd algo

to set the password

from root

su algo

from another sudo user

sudo su algo
  • I assume your user is called algo.

Btw, for everybody… I believe people should learn how to use Kubernetes: orchestration over the Docker images. A Docker image is a set of files to be run, and k8s sets the limits of cpu and memory to be used. It has tools to make deployments with zero downtime. It’s really simple. Every major cloud provider provides k8s.

This seems dangerous: accounts running services should normally not have sudo power.
Indeed, if there is a bug on the Algorand software, you don’t want to allow escalation to root power.

You can also just use an alias:

alias goal="sudo -u algodev -E goal"

in the .bashrc/.zshrc


I removed algodev user from sudo group.

The alias is useful for updating scripts.

With your help, thank you in advance, I think I found the best solution for my use case which separates algorand user for node from algodev user for scripts.

Step 1. Use the algod service as user algorand. This allows command calls at the root prompt to kick off the algod service as user algorand.

As root user:

sudo systemctl start algorand
sudo systemctl stop algorand
sudo systemctl status algorand

Step 2. Changed the working directory of the algod service to /var/lib/algorand/node/testnetdata for testnet in the service file; I will eventually change it to /var/lib/algorand/node/data for production. Then reload the service configuration.

As root user:

vi /lib/systemd/system/algorand.service
[Service]
ExecStart=/usr/bin/algod -d /var/lib/algorand/node/testnetdata

systemctl daemon-reload

Step 3. Add an algodevuser permissions file to /etc/sudoers.d/ with:

As root user:

sudo visudo -f /etc/sudoers.d/algodevuser

algodev ALL=(algorand:algorand) NOPASSWD:ALL

Step 4. Start the node with systemctl as root, run top, and then, as the algodev user, test a goal call run as the algorand user.

su -l algodev

sudo -u algorand -E goal -d /var/lib/algorand/node/testnetdata account info --address walletaddress

goal is looked up via $PATH, found in /usr/bin/goal, and called as the algorand user.

Hope the above makes sense; just for Step 3, could you confirm the visudo permissions are right for giving user algodev permission to run as algorand?
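An added example, not code from this thread, that audits the two properties Steps 3 and 4 depend on: the sudoers rule only lets algodev run commands as algorand (never as root), and algodev is no longer in the sudo group. The functions take file text as input, so they run offline on the constructed sample lines below; the user and group names are the ones used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Checks, on /etc/sudoers.d and
# /etc/group style text, that the algodev -> algorand delegation is
# least-privilege: RUNAS is exactly algorand:algorand and algodev is
# not a member of the sudo group.

# Returns 0 when a sudoers line has the shape
#   algodev ALL=(algorand:algorand) NOPASSWD:ALL
# i.e. the RUNAS part is exactly algorand:algorand; 1 otherwise
# (e.g. (ALL:ALL) or (root) would let algodev reach root).
sudoers_rule_ok() {
  rule="$1"
  user=$(printf '%s' "$rule" | awk '{print $1}')
  runas=$(printf '%s' "$rule" | sed -n 's/^[^ ]* *ALL=(\([^)]*\)).*/\1/p')
  [ "$user" = "algodev" ] || return 1
  [ "$runas" = "algorand:algorand" ] || return 1
  return 0
}

# Returns 0 when $1 does not appear in the member list of the sudo group.
# $2 is /etc/group style text (name:x:gid:member1,member2).
not_in_sudo_group() {
  user="$1"
  grouptext="$2"
  members=$(printf '%s\n' "$grouptext" | awk -F: '$1 == "sudo" { print $4 }')
  case ",$members," in
    *",$user,"*) return 1 ;;
  esac
  return 0
}

# Returns 0 only if both properties hold for the given rule and group text.
audit_algodev() {
  sudoers_rule_ok "$1" && not_in_sudo_group algodev "$2"
}

# Constructed sample data (not copied from a real host).
SAMPLE_RULE='algodev ALL=(algorand:algorand) NOPASSWD:ALL'
BAD_RULE='algodev ALL=(ALL:ALL) NOPASSWD:ALL'
SAMPLE_GROUP=$(printf 'root:x:0:\nsudo:x:27:ubuntu,algodev\nalgorand:x:1001:\n')

# On a real node, run the audit against the actual files, e.g.:
#   audit_algodev "$(sudo cat /etc/sudoers.d/algodevuser)" "$(cat /etc/group)"
```

On the node itself, `visudo -c -f /etc/sudoers.d/algodevuser` additionally checks that the file parses before sudo will honour it.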

Note that you can configure sudo so that it allows your user to pretend to be the algorand user but not pretend to be root. You can also configure sudo so that in the latter case no password is asked.

This looks good to me.

algodev ALL=(algorand:algorand) NOPASSWD:ALL