Run Wowza Streaming Engine as a named user (Linux)

On Linux, the default installation of Wowza Streaming Engine™ media server software 4.0 and later runs as the root user. If you want to run Wowza Streaming Engine as a different user, you need to create a new user and then configure the server to run as that new user. 

Notes:
  • For security, most Linux and Unix distributions only allow the root user to bind to port numbers lower than 1024. If you plan to run Wowza Streaming Engine on a lower-numbered port such as 80 (HTTP), 443 (HTTPS, RTMPS), or 554 (RTSP), then Wowza Streaming Engine must continue to run as the root user, because Linux doesn't allow non-root users to bind to ports under 1024. To run as a non-root user and still serve one of these ports, start Wowza Streaming Engine on port 1935, then redirect the port:
     
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 1935
  • Some Wowza Streaming Engine updates may replace the startup scripts that you modify in this procedure. Back up any modified startup scripts before performing an update, and then carefully redo your changes after applying the update.

Linux configuration


Notes:
  • You must be the root user in order to perform the following procedure.
     
  • These instructions are for Wowza Streaming Engine 4.0.1. You may need to adjust the paths to suit the installation paths of your Wowza media server software version.
  1. Create a new user and group named wowza.
    groupadd wowza
    useradd -g wowza wowza
    passwd wowza
  2. Change ownership and permissions on the Wowza Streaming Engine installation files. For example:
    cd /usr/local
    chown -h wowza:wowza WowzaStreamingEngine
    chown -R wowza:wowza WowzaStreamingEngine-4.0.1
    chmod -R 775 WowzaStreamingEngine-4.0.1
    rm -f /var/run/WowzaStreamingEngine*
  3. Change the command that's used to start the server so that it runs as the new wowza user.
     
    1. Change directory to the /usr/local/WowzaStreamingEngine/bin directory.
       
    2. Edit the standalone startup script and remove or comment out the following lines:
      # check for root access. If not, put up message and exit
      if [ "$(/usr/bin/id -u)" -ne "0" ] ; then
      echo "The Wowza Streaming Engine requires root access to start. Please run script again using sudo."
      exit
      fi

      This allows any user to start Wowza Streaming Engine in standalone mode. To make it start as a specific user that is not the logged-in user, also make the following changes. To run the services as a specific user, skip to step 4.

    3. Locate the following line (line 43 in the Wowza Streaming Engine 4.0.1 startup.sh file) and add sudo -u wowza to the beginning of the line. It should look like this:
      sudo -u wowza $_EXECJAVA $WMSTUNE_OPTS $JMXOPTIONS -Dcom.wowza.wms.runmode="$mode" -Dcom.wowza.wms.native.base="linux" -Dcom.wowza.wms.AppHome="$WMSAPP_HOME" -Dcom.wowza.wms.ConfigURL="$WMSCONFIG_URL" -Dcom.wowza.wms.ConfigHome="$WMSCONFIG_HOME" -cp $WMSAPP_HOME/bin/wms-bootstrap.jar com.wowza.wms.bootstrap.Bootstrap start
    4. To have the service run as a specific user, edit the service startup script wms.sh and locate the same line (currently line 29 in the Wowza Streaming Engine 4.0.1 wms.sh file), and then make the same change.
       
      Note: The lines in each script are slightly different so don't copy and paste the entire line from one script to the other.
      sudo -u wowza $_EXECJAVA $WMSTUNE_OPTS $JMXOPTIONS -Dcom.wowza.wms.runmode="service" -Dcom.wowza.wms.native.base="linux" -Dcom.wowza.wms.AppHome="$WMSAPP_HOME" -Dcom.wowza.wms.ConfigURL="$WMSCONFIG_URL" -Dcom.wowza.wms.ConfigHome="$WMSCONFIG_HOME" -cp $WMSAPP_HOME/bin/wms-bootstrap.jar com.wowza.wms.bootstrap.Bootstrap $WMSCOMMAND > /dev/null 2>&1  &
    5. When you use sudo to run a process, the returned process pid is the pid for sudo; it's not the pid for the Wowza process. To change this, locate the following:
      if [ "$WMSCOMMAND" = "start" ]; then
          echo $! > ${WMSPIDFILE}
          wait $PID
      fi

      and change the code to look like the following:

      if [ "$WMSCOMMAND" = "start" ]; then
          while [ -z "$WOWZA_PID" ]
          do
              WOWZA_PID=$(ps --no-headers -o pid --ppid $PID)
          done
      
          echo $WOWZA_PID > ${WMSPIDFILE}
          wait $!
      fi

      This ensures that the pid that's saved will be the correct one, the one that will be needed to shut down the server later.

    6. Locate the following line and add sudo -u wowza to the beginning of the line:
      sudo -u wowza $_EXECJAVA -cp "$WMSAPP_HOME/lib/slf4j-api-1.6.4.jar:$WMSAPP_HOME/lib/slf4j-log4j12-1.6.4.jar:$WMSAPP_HOME/lib/wms-xstream-1.4.5.jar:$WMSAPP_HOME/lib/wms-jax.validation.jar:$WMSAPP_HOME/lib/wms-core.jar:$WMSAPP_HOME/lib/bcprov-jdk15on-149.jar:$WMSAPP_HOME/lib/commons-lang-2.6.jar:$WMSAPP_HOME/lib/wms-license-rest.jar:$WMSAPP_HOME/lib/wms-rest.jar:$WMSAPP_HOME/lib/wms-server.jar:$WMSAPP_HOME/lib/wms-bootstrap.jar:$WMSAPP_HOME/lib/wms-restlet-2.1.6.jar:$WMSAPP_HOME/lib/wms-restlet-2.1.6.org.restlet.ext.simple.jar:$WMSAPP_HOME/lib/log4j-1.2.17.jar" -Dcom.wowza.wms.runmode="$mode" -Dcom.wowza.wms.native.base="linux" -Dcom.wowza.wms.AppHome="$WMSAPP_HOME" -Dcom.wowza.wms.ConfigURL="$WMSCONFIG_URL" -Dcom.wowza.wms.ConfigHome="$WMSCONFIG_HOME" com.wowza.wms.standalone.rest.LicenseUpdateServer
    7. Allow the non-root user to set the maximum number of open files.

      The non-root user is subject to system-applied ulimit values. Wowza Streaming Engine 4.0 (or later) requires a specific value.

      As the root user, edit /etc/security/limits.conf and add the following entries:
       
      wowza            soft          nofile          20000
      wowza            hard          nofile          20000

      This assumes the non-root user is wowza.
       

    8. Allow the use of sudo without a tty.

      To allow the use of sudo during system startup, sudo must be allowed to start a shell without a tty (for example, a display).

      As the root user, run this command: visudo

      Find the line beginning

      Defaults    requiretty

      and comment it out

      #Defaults    requiretty
    9. Start Wowza Streaming Engine in standalone or service mode, and then verify that it's running as the user wowza by opening Terminal and executing the command ps -ja to see the list of running processes.

     
  4. To make the manager run as the same user, navigate to the /usr/local/WowzaStreamingEngine/manager/bin folder and edit startmgr.sh.
     
    1. Locate the following lines:
      if [ "$WMSMGRCOMMAND" = "start" ]; then
          $RUNCMD $CMD $BACKGRND &
      else
          $CMD
      fi

      and change them to the following:

      if [ "$WMSMGRCOMMAND" = "start" ]; then
          $RUNCMD sudo -u wowza $CMD $BACKGRND &
      else
          sudo -u wowza $CMD
      fi

      The first line controls how the service is run and the second controls how standalone mode is run.

    2. You also need to make the same change that you made for the main Wowza Streaming Engine service so that the Wowza Streaming Engine Manager service pid is saved correctly. Locate the following lines:
      # Linux
      if [ "$WMSMGRCOMMAND" = "start" ]; then
          echo $! > ${WMSMGRPID_FILE}
          wait $PID
      fi

      and change them to the following:

      # Linux
      if [ "$WMSMGRCOMMAND" = "start" ]; then
          while [ -z "$WOWZA_PID" ]
          do
              WOWZA_PID=$(ps --no-headers -o pid --ppid $PID)
          done
          echo $WOWZA_PID > ${WMSMGRPID_FILE}
          wait $PID
      fi
    3. Modify the Wowza Streaming Engine Manager startup script to set the values of WMSMGRPID_FILE and WMSMGRLOCK_FILE to a location that is writable by a non-root user.

      Edit /usr/local/WowzaStreamingEngine/manager/bin/WowzaStreamingEngineManager (this is symlinked at /etc/init.d/WowzaStreamingEngineManager)

      Find the definition of the variables:
       
      WMSMGRPID_FILE="/var/run/$WMSMGRBASE_NAME.pid"
      WMSMGRLOCK_FILE="/var/run/$WMSMGRBASE_NAME"

      Modify the file path to somewhere that the non-root user can write to:

      WMSMGRPID_FILE="/tmp/$WMSMGRBASE_NAME.pid"
      WMSMGRLOCK_FILE="/tmp/$WMSMGRBASE_NAME"
    4. Start Wowza Streaming Engine Manager in standalone or service mode and verify that it's running as the user wowza by opening Terminal and executing the command ps -ja to see the list of running processes.
Note: You may need to edit /etc/sudoers to comment out the Defaults requiretty line.
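
The checks behind steps 3.5 and 4.3, as an added example that is not part of the original Wowza article: it confirms that a recorded pid belongs to the Java process owned by wowza rather than to the sudo wrapper, and that a PID file (which step 4.3 moves to the world-writable /tmp) is a regular file owned by the service account and not a symlink. The function names, exit codes and the sample ps listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Wowza code. Assumes the service account is "wowza".

# pid_owner_check PS_LISTING PID USER
# PS_LISTING is output of: ps -eo user=,pid=,ppid=,comm=
# Returns 0 if PID is a non-sudo process owned by USER, 1 if PID is absent,
# 2 if another user owns it, 3 if it is the sudo wrapper (what $! records).
pid_owner_check() {
    printf '%s\n' "$1" | awk -v pid="$2" -v user="$3" '
        $2 == pid {
            found = 1
            if ($4 == "sudo")    rc = 3
            else if ($1 != user) rc = 2
            else                 rc = 0
        }
        END { exit (found ? rc : 1) }'
}

# pidfile_check FILE USER
# Returns 0 only if FILE is a regular file (a symlink is rejected), is owned
# by USER (name or numeric uid), and holds nothing but a decimal pid.
pidfile_check() {
    [ -n "$(find "$1" -prune -type f -user "$2" 2>/dev/null)" ] || return 1
    case "$(cat "$1")" in
        ''|*[!0-9]*) return 2 ;;
    esac
    return 0
}

# Constructed sample listing (not captured from a real host): sudo is the
# parent started by the script, java is the child that must be recorded.
SAMPLE_PS='root      4120     1 sudo
wowza     4121  4120 java
root      4200     1 sshd'

for pid in 4121 4120 9999; do
    if pid_owner_check "$SAMPLE_PS" "$pid" wowza; then
        echo "pid $pid: owned by wowza, safe to record"
    else
        echo "pid $pid: rejected (code $?)"
    fi
done
```

On a live host, pass "$(ps -eo user=,pid=,ppid=,comm=)" and the contents of the PID file to pid_owner_check, and the PID file path to pidfile_check, before a stop script trusts the file.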