Running Faspex 5 as non-root on systems with Podman runtime

Run Faspex 5 as a non-root user for enhanced security and resource efficiency.

Attention: Steps one through seven must be performed as the root user.
  1. Install Faspex 5 following the instructions in the Installation and upgrades section.
  2. Create a non-root user to run Faspex 5, for example newuser:
    useradd -m newuser
  3. Change ownership to the newly created non-root user:
    chown -R newuser:newuser /opt/aspera/faspex
  4. Disable the Podman service and socket that run in the context of the root user, so that no containers are started as root:
    systemctl disable --now podman podman.socket
  5. Set a password for the non-root user for SSH access:
    passwd newuser
  6. Enable linger for the non-root user. Lingering keeps the user's systemd instance running without an interactive login, so Faspex 5 starts again after a reboot:
    loginctl enable-linger newuser
  7. Give the non-root user sudo permission for only the specific systemctl commands it needs. Run visudo and add the following lines (the % prefix refers to the newuser group that useradd created together with the user; if systemctl lives in /usr/bin on your distribution, use that path instead of /bin):
    %newuser ALL= NOPASSWD: /bin/systemctl enable --now --user podman podman.socket
    %newuser ALL= NOPASSWD: /bin/systemctl disable podman.socket
    %newuser ALL= NOPASSWD: /bin/systemctl restart podman.socket
    
    %newuser ALL= NOPASSWD: /bin/systemctl enable faspexctl.service
    %newuser ALL= NOPASSWD: /bin/systemctl start faspexctl.service
    %newuser ALL= NOPASSWD: /bin/systemctl restart faspexctl.service
    Attention: Steps eight through 14 must be performed as the new non-root user. Log in through an SSH session rather than switching to the user with su: only a real login session gives the user its own systemd instance and runtime directory (/run/user/<UID>), which the rootless Podman socket and the systemctl --user commands in the following steps depend on.
  8. SSH in as the new non-root user:
    ssh newuser@<FQDN or IP address>
  9. Enable Podman as the new non-root user:
    systemctl enable --now --user podman podman.socket
  10. Point DOCKER_HOST at the non-root user's rootless Podman socket, whose path contains the user's UID ($UID is expanded when the line is written, so ~/.bashrc receives the numeric value):
    echo "export DOCKER_HOST=unix:///run/user/$UID/podman/podman.sock" >> ~/.bashrc
  11. Reload the bashrc file:
    . ~/.bashrc
  12. Edit the /opt/aspera/faspex/conf/docker/router.env file. The http and https ports must be 1024 or higher: ports below 1024 are privileged and a non-root process cannot bind them by default. For example, you could use 8085 and 7443. Make sure the ports you choose are not already bound by another service on the host.
  13. Run faspexctl setup. At the IP prompt, enter the IP address or FQDN followed by the custom https port you set in router.env:
    $IP_ADDR:$CUSTOM_HTTPS_PORT or $FQDN:$CUSTOM_HTTPS_PORT
  14. Confirm that the services run as the new non-root user. The first column of the output must show newuser, not root:
    ps aux | grep aspera
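The three checks the procedure above asks for (unprivileged ports in router.env, ports not already bound, services owned by the new user) as an added shell example; this script is not part of the Faspex 5 documentation or the product. The variable names HTTP_PORT and HTTPS_PORT in the sample router.env lines in the comments are constructed, and the real file may use different keys, which is why the script matches any *PORT*= assignment rather than specific names.

```bash
#!/bin/sh
# Added example, not Faspex 5 code: pre-flight checks for the non-root setup.
# Sample data in the comments (HTTP_PORT=..., the ps lines) is constructed.

# Return 0 if PORT is a TCP port an unprivileged process may bind, i.e.
# 1024-65535 under the default net.ipv4.ip_unprivileged_port_start=1024.
unprivileged_port_ok() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;   # empty, non-numeric, or too long
    esac
    if [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]; then
        return 0
    fi
    return 1
}

# Scan an env-style file (such as router.env) for KEY=value lines whose key
# contains PORT and report every value that is privileged or malformed.
# Returns 0 when all ports are unprivileged, 1 otherwise.
# Constructed sample input:
#   HTTP_PORT=8085
#   HTTPS_PORT="7443"
check_env_ports() {
    file="$1"
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;          # blank line or comment
            *PORT*=*) ;;                  # candidate assignment
            *) continue ;;
        esac
        key=${line%%=*}
        val=${line#*=}
        val=$(printf '%s' "$val" | tr -d '"')
        if ! unprivileged_port_ok "$val"; then
            echo "privileged or invalid port in $file: $key=$val"
            bad=1
        fi
    done < "$file"
    return "$bad"
}

# Return 0 if nothing on this host is listening on TCP port $1.
# Uses ss (iproute2); returns 2 if ss is not available.
port_free() {
    if ! command -v ss >/dev/null 2>&1; then
        echo "ss not found; cannot check whether port $1 is free" >&2
        return 2
    fi
    ! ss -ltn 2>/dev/null | awk -v p="$1" '
        { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Read `ps aux` output on stdin and report any aspera/faspex/podman process
# that is not owned by the expected user. Returns 0 when all belong to it.
# Constructed sample input:
#   USER PID CMD
#   newuser 100 /opt/aspera/faspex/bin/faspexctl
check_process_owner() {
    awk -v u="$1" '
        NR > 1 && tolower($0) ~ /aspera|faspex|podman/ && $0 !~ /awk -v u=/ && $1 != u {
            print "not running as " u ": " $0
            bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Usage on the Faspex host, as newuser:
#   check_env_ports /opt/aspera/faspex/conf/docker/router.env
#   port_free 7443 && echo "7443 is free"
#   ps aux | check_process_owner newuser
```

Run check_env_ports and port_free before step 13 (faspexctl setup binds the ports you chose), and check_process_owner after it, in place of reading the ps output by eye.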