Install Security Compliance Management as a non-root user
When necessary, you can install Security Compliance Management as a non-root user. After installing as a non-root user, the files are owned by the install user, not root.
Do not install Security Compliance Management on the same host where Puppet Enterprise is installed.
Before you begin:
Ensure that Podman and Puppet Agent are installed on the host machine. This may need to be done by a systems administrator if you do not have root access. Be sure to reboot the system after installing Podman to ensure that all services are fully started for non-root use.
- Follow the installation instructions for a root install for Security Compliance Management. However, you need to use a different inventory.yaml file than shown there.
- Create an inventory.yaml file with the connection information for the host on which Security Compliance Management 3.x is to be installed. To install as a non-root user, the inventory.yaml file must include the path to the Puppet Ruby binary and Puppet Agent must be listed as a feature. For example, your non-root inventory.yaml file should look something like the following:

      ---
      targets:
        - uri: <security-compliance-management-fqdn>
          config:
            transport: ssh
            ssh:
              native-ssh: true
              host-key-check: false
              user: <username>
              private-key: <path to SSH private key>
              interpreters:
                .rb:
                  - /opt/puppetlabs/puppet/bin/ruby
          features:
            - puppet-agent
        - uri: <puppet-enterprise-fqdn>
          config:
            transport: ssh
            ssh:
              native-ssh: true
              host-key-check: false
              user: <username>
              private-key: <path to SSH private key>
              run-as: root

- On the host you are installing Security Compliance Management to, enable lingering user sessions so that application services remain running when the user session has terminated.

      loginctl enable-linger <installation_username>

- As with a typical installation, install Security Compliance Management on the target host using: bolt plan run complyadm::install.
- Select user as the install type to install Security Compliance Management as a non-root user. This installs the application under a specified user account. Only Podman is supported and must have already been installed. Puppet Agent must have also been installed.
- Enter the user name to install Security Compliance Management under. This user owns all files created by the install.
- Enter the group to install Security Compliance Management under. This group owns all files created by the install. This defaults to the user specified in the previous step.
- Enter the directory to install Security Compliance Management under. This is the path where the installation files are created.
- Enter the port used to access Security Compliance Management. You cannot use the default port 443, as it is a restricted port and can’t be bound to by an unprivileged user.
- Enter the systemd service file location for this user. This is where the systemd files are stored. By default this is within the user's home directory, but can also be placed in one of the following locations.
  - /usr/lib/systemd/user/ where units provided by installed packages belong.
  - ~/.local/share/systemd/user/ where units of packages that have been installed in the home directory belong.
  - /etc/systemd/user/ where system-wide user units are placed by the system administrator.
  - ~/.config/systemd/user/ where the user puts their own units.
- Continue following the typical installation for a root install.
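
The prerequisites in the steps above can be checked on the target host, as the install user, before running the plan. The following script is an added example, not part of the product or its documentation; the function names and the example port 8443 are assumptions, and the linger check relies on systemd-logind keeping its flag files in /var/lib/systemd/linger.

```shell
#!/bin/sh
# Pre-flight checks for a non-root install; run as the install user on the target host.
# Added example: function names and the example port 8443 are assumptions.

PUPPET_RUBY=/opt/puppetlabs/puppet/bin/ruby   # interpreter path from inventory.yaml
LINGER_DIR=/var/lib/systemd/linger            # systemd-logind linger flag files

# Lowest port an unprivileged process may bind (1024 unless the sysctl changes it).
unpriv_port_start() {
    cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024
}

# port_bindable PORT [START]: succeeds if PORT is a valid port at or above START.
port_bindable() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] && [ "$1" -ge "${2:-$(unpriv_port_start)}" ]
}

# unit_dir_ok DIR [HOME]: succeeds if DIR is one of the four user-unit locations.
unit_dir_ok() {
    home=${2:-$HOME}
    case "${1%/}" in
        /usr/lib/systemd/user|/etc/systemd/user) return 0 ;;
        "$home/.local/share/systemd/user"|"$home/.config/systemd/user") return 0 ;;
    esac
    return 1
}

# linger_enabled USER: succeeds if loginctl enable-linger has been run for USER.
linger_enabled() { [ -n "$1" ] && [ -e "$LINGER_DIR/$1" ]; }

# preflight USER PORT UNIT_DIR: print one line per failed check, non-zero on any failure.
preflight() {
    rc=0
    command -v podman >/dev/null 2>&1 || { echo "FAIL podman not on PATH"; rc=1; }
    [ -x "$PUPPET_RUBY" ] || { echo "FAIL $PUPPET_RUBY missing (Puppet Agent)"; rc=1; }
    linger_enabled "$1" || { echo "FAIL linger not enabled for $1"; rc=1; }
    port_bindable "$2" || { echo "FAIL port $2 needs root to bind"; rc=1; }
    unit_dir_ok "$3" || { echo "FAIL $3 is not a user unit directory"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK non-root prerequisites met"
    return "$rc"
}

# Example: sh preflight.sh <installation_username> 8443 ~/.config/systemd/user
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```
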
Results
You can now log into the application at the resolvable hostname with the default username and password (comply:compliance). You are prompted to change the username and password when you first log in.





