I'd like to set up a tile rendering server for my own use, for educational reasons, and for messing around with alternative renderings.

I've followed the instructions at https://switch2osm.org/manually-building-a-tile-server-18-04-lts/, and despite not understanding everything made progress.

One thing that I didn't understand from the instructions is the intended use of user accounts. It looks like there's the default system user, which is intended to be have sudo privileges, another unix account used for rendering purposes. The instructions seem to contradict themselves as to whether this secondary rendering account (renderaccount in the instructions) has sudo privileges or not. When it's added the instructions say "createuser renderaccount #answer yes for superuser (although this isn't strictly necessary)", but then later in the instructions it says "edit the '~/src/mod_tile/debian/renderd.init' file so that “RUNASUSER” is set to the non-root account that you have used before, such as 'renderaccount'". When I ran the createuser renderaccount I was not provided with any options, notably not the option to say yes to superuser.

I'm also confused why it instructed me to change to the postgres unix user (sudo -u postgres -i) prior to adding the renderaccount user.

I've not yet successfully installed the server, and suspect that it may be due to an issue with user permissions, but would like to understand this before moving forward.

asked 18 Jun, 22:43

keithonearth's gravatar image

keithonearth
2.6k436491
accept rate: 17%


You must understand there are two different sets of accounts: The Unix user accounts, and the PostgreSQL accounts. They are not necessarily aligned, however PostgreSQL's default setting is that if you have the Unix account X you will also use the PostgreSQL account X.

The Unix superuser is root and does not (by default) exist in PostgreSQL, and the PostgreSQL superuser is postgres, a non-privileged account in Unix.

The Unix user renderaccount does not need sudo privileges. In order to create this account in PostgreSQL, you need to have PostgreSQL superuser rights, which you gain by becoming the Unix user postgres; you cannot create this account as root because there is no matching PostgreSQL user.

Giving the renderaccount PostgreSQL superuser rights, while not strictly needed, makes things easier down the line.

Indeed in more recent PostgreSQL versions, createuser doesn't prompt you for superuser, and you must specify --interactive if you want the old behaviour, or just specify -s to make the account a superuser. If you have created the account already but without superuser, become the Unix user postgres and run

psql -c 'alter role renderaccount with superuser'
permanent link

answered 18 Jun, 23:35

Frederik%20Ramm's gravatar image

Frederik Ramm ♦
70.9k826431106
accept rate: 24%

The reason why the creation of a Unix account "renderaccount" is suggested is actually because of what we'd seen happen with previous versions of the instructions. There people either used "www-data" (often used as a default web server process) or "root" (definitely not recommended. Using "renderaccount" was designed to work independently of whatever might be there on a a server and not break anything. The assumption was that people might use these instructions on a machine that already exists, and by default if you set up a Ubuntu server you're asked for an initial user account. "renderaccount" was chosen because it's new and likely won't break anything that already exists.

As Frederik says there are two sets of accounts involved here - Unix accounts and PostgreSQL users. The guide tries to gloss over that and uses the same name for both (hence the "createuser renderaccount" to create a postgres user of that name).

If there's anything that you think needs to be clarified better please let us know - either by just saying what needs to be changed at the wordpress site or by a pull request to the github one. The Wordpress site is actually the "live" one, but the text content of the main pages is the same, so you can actually comment on either.

permanent link

answered 19 Jun, 00:17

SomeoneElse's gravatar image

SomeoneElse ♦
32.1k63333752
accept rate: 15%

Hi SomeoneElse, I didn't realize you were involved with Switch2osm too. You're a busy guy. Thank you for the reply here.

That makes sense. I did realize that there are Unix and Postgres accounts involved, but I found it unclear in the instructions when we're talking about one, and when we're talking about the other.

(19 Jun, 01:11) keithonearth
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×388
×160
×83
×29
×9

question asked: 18 Jun, 22:43

question was seen: 250 times

last updated: 19 Jun, 01:11

powered by OSQA