System Configuration
This page describes changes that should be made to the configuration of the system where you are running an Oasis Node instance.
File Descriptor Limit
Make sure that the user under which you are running your Oasis Node has a high-enough file descriptor limit as the databases can have many files open and running out of file descriptors can lead to the node stopping unexpectedly.
You can check the file descriptor limit by running the following as the same user that will run Oasis Node:
ulimit -n
If this number is lower than 102400 you should consider increasing it by updating your system configuration. You can configure temporary limits by running:
ulimit -n 102400
Note that this limit only applies to any processes started from the same shell after the command was executed. If you want to make the change permanent, you have the following options.
System-wide Resource Limits Configuration File
As root, create a file in /etc/security/limits.d/99-oasis-node.conf with content similar to the following example:
* soft nofile 102400
* hard nofile 1048576
You can replace * with the name of the user that is running the Oasis Node in case you only want to change the limits for that particular user.
CAUTION
In order for the changes to take effect a system restart may be required.
Systemd Service Configuration
In case you are running your Oasis Node process via systemd, you can add the following directive under the [Service] section:
LimitNOFILE=102400
Docker
If you are running Oasis Node via Docker you can pass the following option to docker run in order to increase the limit to desired values:
--ulimit nofile=102400:1048576
Running Oasis Services with Non-root System User
CAUTION
Beginning with Oasis Core 22.1.x release series it is no longer allowed to run Oasis Node (i.e. the oasis-node binary) as root (effective user ID of 0).
Running network accessible services as the root user is extremely bad for system security as a general rule. While it would be “ok” if we could drop privileges, syscall.AllThreadsSyscall does not work if the binary uses cgo at all.
Nothing in Oasis Node will ever require elevated privileges. An oasis-node process started as the root user will now terminate immediately on startup.
While there may be specific circumstances where it is safe to run network services with the effective user ID set to 0, the overwhelming majority of cases where this is done are misconfigurations.
Changing Your Setup to Run Oasis Services with Non-root System User
INFO
In these examples, we change the setup to run Oasis Services (e.g. Oasis Node) with a non-root system user named oasis. These instructions also assume that the node’s datadir is /serverdir/node. Adjust these as appropriate to your setup.
- Create the oasis system user. On Ubuntu, as root, run:
adduser --system oasis --shell /usr/sbin/nologin
TIP
Setting the oasis user’s shell to /usr/sbin/nologin prevents (accidentally) logging in as this user.
- Stop your Oasis Node.
- Transfer ownership of the datadir to the oasis user:
chown -R oasis /serverdir/node
See the Invalid Permissions troubleshooting guide for more information.
- Update how you run Oasis Node. For systemd, add a User directive to the Oasis service’s systemd unit file:
...
User=oasis
...
Below is a simple systemd unit file for oasis-node that can be used as a starting point.
[Unit]
Description=Oasis Node
After=network.target
[Service]
Type=simple
User=oasis
WorkingDirectory=/serverdir/node
ExecStart=/serverdir/bin/oasis-node --config /serverdir/etc/config.yml
Restart=on-failure
RestartSec=3
LimitNOFILE=1024000
[Install]
WantedBy=multi-user.target
- Start your Oasis Node.
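Once the node is running again, the settings above can be checked against the live process rather than the invoking shell. The following is an added example, not part of the Oasis documentation or code base: it reads the soft file descriptor limit and effective UID from /proc and confirms datadir ownership. It assumes a Linux host; the function names and the script name preflight.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not Oasis code): verify this page's settings on a Linux host.
MIN_NOFILE=102400   # minimum soft limit recommended on this page

# Soft "Max open files" value from a /proc/<pid>/limits-style file.
soft_nofile() { awk '/^Max open files/ { print $4 }' "$1"; }

# Effective UID (second number on the Uid: line) of a /proc/<pid>/status-style file.
effective_uid() { awk '/^Uid:/ { print $3 }' "$1"; }

# Succeeds when the soft limit in limits file $1 is at least MIN_NOFILE.
nofile_ok() {
    soft=$(soft_nofile "$1")
    case "$soft" in
        unlimited) return 0 ;;
        ''|*[!0-9]*) return 1 ;;   # missing or unparsable: fail closed
    esac
    [ "$soft" -ge "$MIN_NOFILE" ]
}

# Succeeds when status file $1 shows a non-zero effective UID.
non_root() {
    euid=$(effective_uid "$1")
    [ -n "$euid" ] && [ "$euid" -ne 0 ]
}

# Succeeds when every path under datadir $1 is owned by user $2 (name or UID).
datadir_owned() {
    # find exits non-zero for an unknown user or unreadable path: fail closed
    foreign=$(find "$1" ! -user "$2" 2>/dev/null) || return 1
    [ -z "$foreign" ]
}

# preflight PID DATADIR USER: run all three checks against a live process.
preflight() {
    rc=0
    nofile_ok "/proc/$1/limits" || { echo "FAIL: nofile soft limit below $MIN_NOFILE or unreadable"; rc=1; }
    non_root "/proc/$1/status" || { echo "FAIL: effective UID is 0 or unreadable"; rc=1; }
    datadir_owned "$2" "$3" || { echo "FAIL: $2 has paths not owned by $3"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: pid $1, datadir $2, user $3"
    return "$rc"
}

# Usage: sh preflight.sh "$(pidof oasis-node)" /serverdir/node oasis
if [ "$#" -ge 3 ]; then preflight "$@"; fi
```

Run it as root or as the oasis user, since /proc/<pid>/limits is only readable by the process owner and root.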