Can I run the Octopus Deploy Linux Tentacle as a non-sudo / non-root user?

You can configure the Octopus Tentacle to run under a user that does not have sudo permission. Parts of the installation and configuration still have to be run by a user with sudo access. The commands below show how to set this up on RHEL 8.

As the sudo user, create the user that the Tentacle service will run under (if it does not already exist):

sudo useradd octoserviceuser
sudo passwd octoserviceuser

Install the Octopus Tentacle:

sudo wget -O /etc/yum.repos.d/tentacle.repo
sudo yum install tentacle

Now run the following as the new service user, in this case octoserviceuser:

mkdir /home/octoserviceuser/Octopus

The sudo user should now create a symlink to the new directory:

sudo ln -s /home/octoserviceuser/Octopus /etc/octopus

:information_source: If you want to run multiple Tentacles as different users, this directory and symlink should point to a shared location rather than one user's home directory, so that every service user can access it.

Next, as octoserviceuser, create the Tentacle instance, set up the certificate, and configure:

/opt/octopus/tentacle/Tentacle create-instance --instance "Tentacle" --config "/etc/octopus/config/Tentacle/tentacle-Tentacle.config"
/opt/octopus/tentacle/Tentacle new-certificate --instance "Tentacle" --if-blank
/opt/octopus/tentacle/Tentacle configure --instance "Tentacle" --app "/etc/octopus/applications" --port 10933 --noListen False --reset-trust
/opt/octopus/tentacle/Tentacle configure --instance "Tentacle" --trust E9249E133733A2A24611AE113B61674B2219C1F5

Finally, as the sudo user, set the service to run under the “octoserviceuser” account:

sudo /opt/octopus/tentacle/Tentacle service --install --user="octoserviceuser" --start --instance "Tentacle"

To confirm that the service is configured to use “octoserviceuser”, open the generated systemd unit:

nano /etc/systemd/system/Tentacle.service

Here you can see that User is set to “octoserviceuser” (only the relevant lines of the unit are shown):

Description=Octopus Deploy: Tentacle deployment agent

User=octoserviceuser

ExecStart=/opt/octopus/tentacle/Tentacle run --instance=Tentacle --noninteractive

And you can check that the process is running under the correct user:

[azureuser@myrhel ~]$ ps -u octoserviceuser
    PID TTY          TIME CMD
   1849 pts/1    00:00:00 bash
   1996 ?        00:00:03 Tentacle

Note that the new-certificate command shown above must be run as the “octoserviceuser” user, so that this user owns and can read the certificate, which is stored in the following location:

[octoserviceuser@myrhel ~]$ ls /home/octoserviceuser/.dotnet/corefx/cryptography/x509stores/my/ -la
total 4
drwxr-xr-x. 2 octoserviceuser octoserviceuser   58 Apr  9 14:33 .
drwxr-xr-x. 3 octoserviceuser octoserviceuser   16 Apr  9 14:33 ..
-rw-------. 1 octoserviceuser octoserviceuser 2357 Apr  9 14:33 2245D95AB7A0BF26F729AF26ED323746D1D0EEDF.pfx
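The manual checks above (User= in the unit, the process owner, the certificate ownership) can be scripted. The following is an added example and not part of the original post: a POSIX sh script that verifies the unit file sets User= to the service user, that every .pfx in the user's certificate store is owned by that user with mode 600 (the .pfx holds the Tentacle's private key, which is why the ls output shows it readable by its owner only), and that the Octopus home directory belongs to the user. It assumes GNU stat and the user and paths used above; all of them can be overridden through environment variables.

```shell
#!/bin/sh
# Post-install checks for a Tentacle running as a non-root user (added example,
# not from the original post). Defaults assume the user and paths used above.
SERVICE_USER="${SERVICE_USER:-octoserviceuser}"
UNIT_FILE="${UNIT_FILE:-/etc/systemd/system/Tentacle.service}"
CERT_DIR="${CERT_DIR:-/home/$SERVICE_USER/.dotnet/corefx/cryptography/x509stores/my}"
OCTOPUS_HOME="${OCTOPUS_HOME:-/home/$SERVICE_USER/Octopus}"

# A unit with no User= line runs as root, so require an exact whole-line match.
unit_runs_as_user() {  # $1=unit file  $2=expected user
  grep -qxF "User=$2" "$1"
}

# Each .pfx holds the Tentacle's private key: it must be owned by the service
# user and readable by nobody else (mode 600, as in the ls output above).
cert_store_private() {  # $1=cert dir  $2=expected owner
  found=0
  for f in "$1"/*.pfx; do
    [ -e "$f" ] || continue
    found=1
    owner=$(stat -c '%U' "$f") || return 1
    mode=$(stat -c '%a' "$f") || return 1
    [ "$owner" = "$2" ] || { echo "wrong owner on $f: $owner" >&2; return 1; }
    [ "$mode" = "600" ] || { echo "wrong mode on $f: $mode" >&2; return 1; }
  done
  [ "$found" -eq 1 ]   # fails when the store holds no certificate at all
}

# The Octopus home (target of the /etc/octopus symlink) must belong to the
# service user, otherwise config and deployment writes fail at runtime.
home_owned_by_user() {  # $1=dir  $2=expected owner
  [ -d "$1" ] && [ "$(stat -c '%U' "$1")" = "$2" ]
}

# Runs one check, prints OK/FAIL and records any failure in $status.
report() {
  if "$@"; then echo "OK   $*"; else echo "FAIL $*" >&2; status=1; fi
}

# Runs every check against the live host; exit status 1 if any check fails.
run_checks() {
  status=0
  report unit_runs_as_user "$UNIT_FILE" "$SERVICE_USER"
  report cert_store_private "$CERT_DIR" "$SERVICE_USER"
  report home_owned_by_user "$OCTOPUS_HOME" "$SERVICE_USER"
  return "$status"
}

# Only touch the live system when asked; otherwise the file can be sourced.
case "${1:-}" in --run) run_checks ;; esac
```

Run it as `sh tentacle-checks.sh --run` on the host after the service has been installed.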

:warning: Please note that the user that the Tentacle service runs under must have access to all resources that you are deploying to.