You can configure the Octopus Tentacle to run under a user that does not have sudo permission. Parts of the installation and configuration still need to be run by a user with sudo access. The commands below show how to set this up on RHEL 8.
As the sudo user, create the user that the Tentacle service will run under (if it does not already exist):
sudo useradd octoserviceuser
sudo passwd octoserviceuser
Install the Octopus Tentacle:
sudo wget https://rpm.octopus.com/tentacle.repo -O /etc/yum.repos.d/tentacle.repo
sudo yum install tentacle
Now run the following as the new service user, in this case octoserviceuser:
mkdir /home/octoserviceuser/Octopus
The sudo user should now create a symlink to the new directory:
sudo ln -s /home/octoserviceuser/Octopus /etc/Octopus
If you want to run multiple Tentacles as different users, change this directory and symlink to a generic location that all of the service users can access.
Next, as octoserviceuser, create the Tentacle instance, set up the certificate, and configure:
/opt/octopus/tentacle/Tentacle create-instance --instance "Tentacle" --config "/etc/octopus/config/Tentacle/tentacle-Tentacle.config"
/opt/octopus/tentacle/Tentacle new-certificate --instance "Tentacle" --if-blank
/opt/octopus/tentacle/Tentacle configure --instance "Tentacle" --app "/etc/octopus/applications" --port 10933 --noListen False --reset-trust
/opt/octopus/tentacle/Tentacle configure --instance "Tentacle" --trust E9249E133733A2A24611AE113B61674B2219C1F5
Finally, as the sudo user, set the service to run under the “octoserviceuser” account:
sudo /opt/octopus/tentacle/Tentacle service --install --user="octoserviceuser" --start --instance "Tentacle"
To confirm that the service is configured to run as “octoserviceuser”, open the systemd unit file:
nano /etc/systemd/system/Tentacle.service
Here, you can see the User is set to “octoserviceuser”:
[Unit]
Description=Octopus Deploy: Tentacle deployment agent
After=network.target
[Service]
Type=simple
User=octoserviceuser
ExecStart=/opt/octopus/tentacle/Tentacle run --instance=Tentacle --noninteractive
Restart=always
[Install]
WantedBy=multi-user.target
And you can check that the process is running under the correct user:
[azureuser@myrhel ~]$ ps -u octoserviceuser
PID TTY TIME CMD
1849 pts/1 00:00:00 bash
1996 ? 00:00:03 Tentacle
Note that the new-certificate command shown above must be executed as the “octoserviceuser” user so that the service user has access to the certificate, which is stored in the following location:
[octoserviceuser@myrhel ~]$ ls /home/octoserviceuser/.dotnet/corefx/cryptography/x509stores/my/ -la
total 4
drwxr-xr-x. 2 octoserviceuser octoserviceuser 58 Apr 9 14:33 .
drwxr-xr-x. 3 octoserviceuser octoserviceuser 16 Apr 9 14:33 ..
-rw-------. 1 octoserviceuser octoserviceuser 2357 Apr 9 14:33 2245D95AB7A0BF26F729AF26ED323746D1D0EEDF.pfx
Please note that the user that the Tentacle service runs under must have access to all resources that you are deploying to.
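The page asks you to verify three things by hand after the install: the User= line in the systemd unit, the ownership and mode of the .pfx in the service user's certificate store, and the account the Tentacle process runs under. The script below is an added example, not part of the Octopus documentation or the Tentacle product, that performs those same checks as functions so they can be scripted into a post-install or audit step. It assumes the paths shown on the page (/etc/systemd/system/Tentacle.service and /home/<user>/.dotnet/corefx/cryptography/x509stores/my/); the unit file and the empty PLACEHOLDER-THUMBPRINT.pfx it creates under a temp directory are constructed stand-ins so it runs stand-alone.

```shell
#!/bin/sh
# Added verification script (not from the Octopus docs). Checks the three items the
# page says to inspect after installing a Tentacle under a non-sudo account.
# Real paths on RHEL 8: /etc/systemd/system/Tentacle.service and
# /home/<user>/.dotnet/corefx/cryptography/x509stores/my/ (assumed from the page).

# Print the value of the first User= line in a systemd unit file.
unit_user() {
    sed -n 's/^User=//p' "$1" | head -n 1
}

# Succeed only if the unit runs as the expected service account.
check_unit_user() {
    [ "$(unit_user "$1")" = "$2" ]
}

# Succeed only if every .pfx in the store directory is owned by the service
# user and readable by that user alone (mode 600, as in the listing on the page).
check_cert_store() {
    store=$1
    expected_owner=$2
    found=0
    for pfx in "$store"/*.pfx; do
        [ -e "$pfx" ] || continue
        found=1
        owner=$(stat -c '%U' "$pfx")
        mode=$(stat -c '%a' "$pfx")
        if [ "$owner" != "$expected_owner" ] || [ "$mode" != "600" ]; then
            echo "FAIL: $pfx owner=$owner mode=$mode (want $expected_owner 600)" >&2
            return 1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "FAIL: no .pfx in $store (was new-certificate run as $expected_owner?)" >&2
        return 1
    fi
}

# Succeed only if a process named Tentacle is running under the given user
# (the scripted form of the ps -u check on the page).
check_process_user() {
    ps -u "$1" -o comm= 2>/dev/null | grep -qx 'Tentacle'
}

# Constructed sample inputs mirroring the page's unit file and cert store layout.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/Tentacle.service" <<'EOF'
[Unit]
Description=Octopus Deploy: Tentacle deployment agent
After=network.target
[Service]
Type=simple
User=octoserviceuser
ExecStart=/opt/octopus/tentacle/Tentacle run --instance=Tentacle --noninteractive
Restart=always
[Install]
WantedBy=multi-user.target
EOF
mkdir -p "$DEMO_DIR/my"
DEMO_PFX="$DEMO_DIR/my/PLACEHOLDER-THUMBPRINT.pfx"   # empty stand-in, not a real certificate
: > "$DEMO_PFX"
chmod 600 "$DEMO_PFX"

# Run the checks against the samples. On a real host pass the real unit path,
# the real store directory and the service account name (octoserviceuser) instead.
run_demo() {
    check_unit_user "$DEMO_DIR/Tentacle.service" octoserviceuser && echo "unit User= OK"
    check_cert_store "$DEMO_DIR/my" "$(id -un)" && echo "cert store OK"
    check_process_user octoserviceuser || echo "no Tentacle process for octoserviceuser (expected in the demo)"
}
run_demo
```

On the host itself the sudo user can run the unit check directly, while the certificate store check should be run as the service user (for example via sudo -u octoserviceuser) because the store directory is only readable by that account; a 600 mode on the .pfx is what keeps the Tentacle's private key out of reach of other local users.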