Introduction
By default, when Nemo is deployed, certain processes, such as the watchdog process, run with root privileges. However, processes spawned by the watchdog can be configured to run under a less-privileged user account, typically nemo.
Additionally, it is possible to run all Nemo processes, including the watchdog process, under a specific non-privileged user. This can be achieved by utilizing a user systemd instance.
INFO
To run Nemo as a non-privileged user, version 5.1 or later is required. However, for probe deployments, running Nemo as a non-root user is not supported due to the low-level network interface requirements.
The purpose of this document is to outline the steps required to run Nemo as an unprivileged user. The content is organized into two chapters:
Initial Setup:
Steps to prepare the system for running Nemo as a non-root user. These steps need to be performed only once.
Upgrade Procedure:
Steps to follow whenever the application is upgraded.
WARNING
Integration with external systems, such as SFTP-based reception of CDR files, is beyond the scope of this document. However, it is essential to ensure that any files to be processed by Nemo are accessible to the unprivileged user configured to run Nemo.
Initial Setup
After deploying Nemo on a server using the Installation Guide and starting it as root, follow the procedure below to configure the application to run as an unprivileged user.
INFO
The examples provided assume the unprivileged user is webadmin. If a different user is to be used, adjust the commands accordingly by replacing webadmin with the appropriate username.
As root, add the user webadmin to the nemo group. If necessary, also add webadmin to any other groups required to ensure proper integration with external and third-party systems (e.g. mongod).
/usr/sbin/usermod -G nemo -a webadmin
As root, stop Nemo and disable the automatic start:
systemctl stop nemo
systemctl disable nemo
As root, change ownership of log files, application files and CDR files to webadmin:
chown -R webadmin /var/log/nemo
chown -R webadmin /opt/nemo
chown -R webadmin /data/cdr
As root, move the crontab file to a backup location under the webadmin user:
mv /etc/cron.d/nemo ~webadmin/nemo.crontab_backup
As webadmin user, copy the Nemo systemctl service file to the systemd user instance location:
mkdir -p ~/.config/systemd/user
cp /etc/systemd/system/nemo.service ~/.config/systemd/user/
As webadmin user, edit this file to ensure that the User=root line is removed. The edited file should contain:
[Unit]
Description=Nemo
[Service]
ExecStart=/opt/nemo/bin/nemo-watchdog
Restart=always
RestartSec=5s
[Install]
WantedBy=multi-user.target
As webadmin user, reload the systemd user instance daemon:
systemctl --user daemon-reload
As webadmin user, start Nemo and enable the automatic start:
systemctl --user start nemo
systemctl --user enable nemo
As webadmin user, verify that the service is running correctly (the process list may vary depending on your deployment):
systemctl --user status nemo
* nemo.service - Nemo
Loaded: loaded (/home/webadmin/.config/systemd/user/nemo.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2025-01-12 11:41:15 CET; 1h 20min ago
Main PID: 391015 (nemo-watchdog)
CGroup: /user.slice/user-1001.slice/user@1001.service/nemo.service
|-391015 /opt/nemo/bin/python /opt/nemo/bin/nemo-watchdog
|-391016 /opt/nemo/bin/python /opt/nemo/bin/nemo-broadworks-cdr-csv-collector
|-391017 /opt/nemo/bin/python /opt/nemo/bin/nemo-gui
|-391018 /opt/nemo/bin/python /opt/nemo/bin/nemo-rest
|-469491 /opt/nemo/bin/python /opt/nemo/bin/nemo-stats-engine updateStatistics 1 4 broadsoft
|-469587 /opt/nemo/bin/python /opt/nemo/bin/nemo-stats-engine updateStatistics 0 4 broadsoft
|-469588 /opt/nemo/bin/python /opt/nemo/bin/nemo-stats-engine updateStatistics 2 4 broadsoft
|-470657 /opt/nemo/bin/python /opt/nemo/bin/nemo-stats-engine updateStatistics 3 4 broadsoft
`-470658 /opt/nemo/bin/python /opt/nemo/bin/nemo-health-monitor
As webadmin user, edit the user's crontab file using the command crontab -e, and copy the entries from ~/nemo.crontab_backup, omitting the user column. Below is an example of a crontab file (note that the content may vary depending on your deployment):
#Ensure that stats are automatically enabled for all Service Providers
*/5 * * * * mongo --eval 'db.getCollection("bw_service_providers").update({},{ $set: {"stats": true, "statsPerGroups": true }}, false, true);' nemo
0 1 * * * /opt/nemo/scripts/nemo-backup-cdr
Upgrade Procedure
Upgrading the Nemo application requires an administrator with root access (or access via sudo) to complete the steps outlined in this chapter for each upgrade. Once these steps are completed, root access will no longer be needed, and the unprivileged user can be used for regular day-to-day operations.
The upgrade procedure is detailed in the Nemo Release Notes document corresponding to your installed release. Unless otherwise specified, the upgrade typically involves updating the RPM package using the rpm tool.
As root, upgrade the Nemo package:
rpm -Uvh nemo-package.rpm
As root, change ownership of application files to the unprivileged user:
chown -R webadmin /opt/nemo
As webadmin user, restart the Nemo application:
systemctl --user restart nemo
As webadmin user, verify that the service is running correctly (the process list may vary depending on your deployment) and that the uptime matches the restart time:
systemctl --user status nemo
* nemo.service - Nemo
Loaded: loaded (/home/webadmin/.config/systemd/user/nemo.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2025-01-12 13:11:08 CET; 3s ago
Main PID: 508620 (nemo-watchdog)
CGroup: /user.slice/user-1001.slice/user@1001.service/nemo.service
|-508620 /opt/nemo/bin/python /opt/nemo/bin/nemo-watchdog
|-508622 /opt/nemo/bin/python /opt/nemo/bin/nemo-broadworks-cdr-csv-collector
|-508623 /opt/nemo/bin/python /opt/nemo/bin/nemo-gui
|-508624 /opt/nemo/bin/python /opt/nemo/bin/nemo-rest
|-508625 /opt/nemo/bin/python /opt/nemo/bin/nemo-stats-engine updateStatistics 0 4 broadsoft
|-508626 /opt/nemo/bin/python /opt/nemo/bin/nemo-stats-engine updateStatistics 1 4 broadsoft
|-508627 /opt/nemo/bin/python /opt/nemo/bin/nemo-stats-engine updateStatistics 2 4 broadsoft
|-508628 /opt/nemo/bin/python /opt/nemo/bin/nemo-stats-engine updateStatistics 3 4 broadsoft
`-508630 /opt/nemo/bin/python /opt/nemo/bin/nemo-health-monitor