Install non-root *nix agents

To configure a *nix agent node to run without root privileges, a root user must install the agent, configure non-root access to the primary server, and set up non-root users on the primary server and relevant agent nodes.

Before you begin:
Install the agent on each node you want to operate without root privileges. You can install agents with the install script, install agents from the console, or use one of the other methods to install *nix agents.
Unless specified otherwise, perform these steps as a root user or with sudo.
  1. Log in to the agent node and run this command to add the non-root user:
    sudo puppet resource user <UNIQUE_NON-ROOT_USERNAME> ensure=present managehome=true
    Each non-root user must have a unique name.
  2. Set the non-root user password. On most *nix systems, you can use passwd <USERNAME> to do this.
  3. Because the puppet service runs as an administrator by default, you must disable it. To stop the puppet service, run:
    sudo puppet resource service puppet ensure=stopped enable=false
  4. Disable the Puppet Execution Protocol (PXP) agent. 
    1. In the console, click Node groups, and in the PE Infrastructure group, select the PE Agent group.
    2. On the Classes tab, select the puppet_enterprise::profile::agent class.
    3. Set the pxp_enabled parameter to false.
    4. Click Add parameter and commit changes.
  5. Switch to the non-root user.
    When you use su to switch accounts (su - <NON-ROOT USERNAME>), include the - argument (or -l on some Unix variants) so that you get a full login shell. Without it you might get permission denied errors when trying to apply a catalog.
  6. As the non-root user, run this command to generate a CSR:
    sudo puppet agent -t --certname "<UNIQUE_NON-ROOT_USERNAME.HOSTNAME>" --server "<PRIMARY_HOSTNAME>"

    Make sure to format the certname string correctly by combining the non-root user's username and the hostname with a period between.

  7. On the primary server or in the PE console, approve the CSR.
  8. On the agent node as the non-root user, run these three commands to set the node's certname, set the primary server's hostname, and run Puppet:
    sudo puppet config set certname <UNIQUE_NON-ROOT_USERNAME.HOSTNAME> --section agent
    sudo puppet config set server <PRIMARY_HOSTNAME> --section agent
    sudo puppet agent -t

    The two config set commands write the certname and the primary server's hostname to the agent section of the node's puppet.conf file.
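As an added check that is not part of the Puppet documentation, the following script reads the agent section of a puppet.conf and confirms it carries the expected username.hostname certname and the primary server's hostname, which is what the config set commands above should have written; it assumes the non-root user's config lives at ~/.puppetlabs/etc/puppet/puppet.conf (the default user-level path; verify on your system).

```shell
#!/bin/sh
# Added example (not Puppet's own tooling): check a non-root agent's puppet.conf
# before running `puppet agent -t` as that user. Assumes the user-level config
# lives at ~/.puppetlabs/etc/puppet/puppet.conf (the default for non-root users).

# Build the certname the procedure expects: <username>.<hostname>
make_certname() {
  printf '%s.%s\n' "$1" "$2"
}

# Print one key from one section of an ini-style puppet.conf; exit 1 if absent.
# Usage: conf_get FILE SECTION KEY
conf_get() {
  awk -v sec="[$2]" -v key="$3" '
    /^[[:space:]]*\[/ { insec = ($1 == sec); next }
    insec && sub("^[[:space:]]*" key "[[:space:]]*=[[:space:]]*", "") {
      sub(/[[:space:]]+$/, ""); print; found = 1; exit
    }
    END { exit !found }
  ' "$1"
}

# Verify the [agent] section carries this user's certname and the primary server
# (what `puppet config set ... --section agent` wrote). Returns 0 when both match.
# Usage: check_agent_conf FILE USER HOST PRIMARY
check_agent_conf() {
  conf="$1"; want_cert=$(make_certname "$2" "$3"); want_server="$4"; status=0
  if got_cert=$(conf_get "$conf" agent certname); then
    [ "$got_cert" = "$want_cert" ] ||
      { echo "certname is '$got_cert', expected '$want_cert'"; status=1; }
  else
    echo "no certname in [agent] section of $conf"; status=1
  fi
  if got_server=$(conf_get "$conf" agent server); then
    [ "$got_server" = "$want_server" ] ||
      { echo "server is '$got_server', expected '$want_server'"; status=1; }
  else
    echo "no server in [agent] section of $conf"; status=1
  fi
  return $status
}

# Stand-alone usage: sh check_nonroot_agent.sh USER HOST PRIMARY [CONF]
if [ $# -ge 3 ]; then
  check_agent_conf "${4:-$HOME/.puppetlabs/etc/puppet/puppet.conf}" "$1" "$2" "$3" &&
    echo "puppet.conf is consistent for $1.$2"
fi
```

Run it as the non-root user, not with sudo, so that $HOME resolves to that user's home directory.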

Results
The configuration specified in the catalog is applied to the agent node.
What to do next

If you see Facter facts being created in the non-root user’s home directory, you have successfully configured a functional non-root agent. To confirm the non-root agent's configuration, verify that:

  • The agent can request certificates and apply the catalog from the primary server when a non-root user runs Puppet. As a non-root user, try running puppet agent -t to test this.
  • The agent service is not running. Run service puppet status to check this.
  • Non-root users can collect existing facts by running facter on the agent.
  • Non-root users can define new external facts.
