System Configuration

This page describes changes that should be made to the configuration of the system where you are running an Oasis Node instance.

File Descriptor Limit

Make sure that the user under which you are running your Oasis Node has a high enough file descriptor limit. The databases can have many files open, and running out of file descriptors can lead to the node stopping unexpectedly.

You can check the file descriptor limit by running the following as the same user that will run Oasis Node:

ulimit -n

If this number is lower than 102400 you should consider increasing it by updating your system configuration. You can configure temporary limits by running:

ulimit -n 102400

Note that this limit only applies to any processes started from the same shell after the command was executed. If you want to make the change permanent, you have the following options.

System-wide Resource Limits Configuration File

As root, create the file /etc/security/limits.d/99-oasis-node.conf with content similar to the following example:

*        soft    nofile    102400
*        hard    nofile    1048576

You can replace * with the name of the user that is running the Oasis Node in case you only want to change the limits for that particular user.

CAUTION

In order for the changes to take effect a system restart may be required.

Systemd Service Configuration

In case you are running your Oasis Node process via systemd, you can add the following directive under the [Service] section:

LimitNOFILE=102400

Docker

If you are running Oasis Node via Docker, you can pass the following option to docker run in order to increase the limit to the desired values:

--ulimit nofile=102400:1048576

Running Oasis Services with Non-root System User

CAUTION

Beginning with the Oasis Core 22.1.x release series, it is no longer allowed to run Oasis Node (i.e. the oasis-node binary) as root (effective user ID of 0).

As a general rule, running network-accessible services as the root user is extremely bad for system security. It would be “ok” if the process could drop privileges, but syscall.AllThreadsSyscall does not work if the binary uses cgo at all.

Nothing in Oasis Node will ever require elevated privileges. An oasis-node process started as the root user will now terminate immediately on startup.

While there may be specific circumstances where it is safe to run network services with the effective user ID set to 0, the overwhelming majority of cases where this is done are misconfigurations.

Changing Your Setup to Run Oasis Services with Non-root System User

INFO

In these examples, we change the setup to run Oasis Services (e.g. Oasis Node) with a non-root system user named oasis. These instructions also assume that the node’s datadir is /serverdir/node.

Adjust these as appropriate to your setup.

  1. Create the oasis system user. On Ubuntu, run as root:

adduser --system oasis --shell /usr/sbin/nologin

TIP

Setting the oasis user’s shell to /usr/sbin/nologin prevents (accidentally) logging in as this user.

  2. Stop your Oasis Node.
  3. Transfer ownership of the datadir to the oasis user:

chown -R oasis /serverdir/node

See the Invalid Permissions troubleshooting guide for more information.

  4. Update how you run Oasis Node. For systemd, add a User directive to the Oasis service’s systemd unit file:

...
User=oasis
...

The following simple systemd unit file for oasis-node can be used as a starting point:

[Unit]
Description=Oasis Node
After=network.target

[Service]
Type=simple
User=oasis
WorkingDirectory=/serverdir/node
ExecStart=/serverdir/bin/oasis-node --config /serverdir/etc/config.yml
Restart=on-failure
RestartSec=3
LimitNOFILE=1024000

[Install]
WantedBy=multi-user.target

  5. Start your Oasis Node.
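
Once the node is running again, the settings from this page can be checked against the live process. The script below is an added example, not part of the Oasis documentation or code base; it assumes a Linux /proc filesystem, and the function names and the script name audit.sh are hypothetical.

```shell
#!/bin/sh
# Added example: audit a running oasis-node against this page's settings.
# Assumes Linux /proc; all function names here are hypothetical.
MIN_NOFILE=102400   # threshold recommended on this page

# soft_nofile FILE: soft "Max open files" value from a /proc/PID/limits file.
soft_nofile() { awk '/^Max open files/ { print $4 }' "$1"; }

# euid_of FILE: effective UID from a /proc/PID/status file
# (the Uid: line lists the real, effective, saved and filesystem UIDs).
euid_of() { awk '/^Uid:/ { print $3 }' "$1"; }

# nofile_ok VALUE: true if VALUE is "unlimited" or a number >= MIN_NOFILE.
nofile_ok() {
    case "$1" in
        unlimited) return 0 ;;
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: treat as failure
    esac
    [ "$1" -ge "$MIN_NOFILE" ]
}

# foreign_files DIR USER: list up to 5 paths under DIR not owned by USER.
foreign_files() { find "$1" ! -user "$2" -print | head -n 5; }

# audit PID USER DATADIR: print every failed check, return 1 if any failed.
audit() {
    rc=0
    uid=$(euid_of "/proc/$1/status")
    nofile=$(soft_nofile "/proc/$1/limits")
    case "$uid" in
        ''|0) echo "FAIL: pid $1 has effective UID 0 or is unreadable"; rc=1 ;;
    esac
    if ! nofile_ok "$nofile"; then
        echo "FAIL: soft nofile limit '$nofile' is below $MIN_NOFILE"; rc=1
    fi
    bad=$(foreign_files "$3" "$2")
    if [ -n "$bad" ]; then
        echo "FAIL: paths under $3 not owned by $2:"; echo "$bad"; rc=1
    fi
    return "$rc"
}

# Usage: sh audit.sh PID USER DATADIR
if [ "$#" -eq 3 ]; then audit "$@"; fi
```

Run it as root with the node's PID, the service user and the datadir, for example: sh audit.sh 1234 oasis /serverdir/node (1234 is a placeholder PID). Reading the limit from /proc shows the value the process actually received, whether it came from limits.d, LimitNOFILE or Docker's --ulimit.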