
System Setup

This guide covers the system configuration steps that must be completed before deploying Surfly: the SELinux mode, a dedicated service account, per-user resource limits and, for rootless deployments, unprivileged port binding and a persistent systemd user session.

Set SELinux to Permissive Mode

Surfly requires SELinux to be in permissive mode or disabled. Make the change in two places: the SELinux configuration file, which governs the mode after the next boot, and the running kernel for the current session. Prefer permissive over disabled: the policy stays loaded and denials are still written to the audit log, so you keep visibility of what enforcing mode would have blocked.

Terminal window
sudo vi /etc/selinux/config
# Set the following line
SELINUX=permissive

Switch the running system to permissive mode for the current session (setenforce can only toggle between enforcing and permissive; the config change above governs the mode after the next boot):

Terminal window
sudo setenforce 0
# Verify: "Current mode" should now read permissive
sudo sestatus

Create a Dedicated User

Surfly can be deployed as root or as an unprivileged user (rootless mode). We strongly recommend the rootless model with a dedicated, unprivileged account, so that the Surfly containers do not run with root's authority on the host; the rest of this page uses an account named client.

Terminal window
sudo useradd -m -s /bin/bash client

Configure Resource Limits

Raise the per-user resource limits so that the Redis process and the containers run by the client user are not starved of file descriptors or locked memory under load. nofile is a count of open file descriptors and memlock is in kilobytes; pam_limits applies these values at session start, so they take effect for new logins, not for sessions that are already open.

Edit the limits configuration file:

Terminal window
sudo vi /etc/security/limits.conf

Add the following lines to the file:

redis soft nofile 12000
redis hard nofile 24000
client - nofile unlimited
client - memlock 171966464

Allow Unprivileged Port Binding (Rootless Mode)

For rootless deployments, the system must allow an unprivileged user to bind ports 80 and 443. By default only processes with the CAP_NET_BIND_SERVICE capability (in practice, root) can bind ports below 1024; the net.ipv4.ip_unprivileged_port_start sysctl sets the first port that unprivileged processes may bind, and the change below moves it to 0.

Terminal window
# Allow the ss-haproxy container to bind to ports 80 and 443
echo 'net.ipv4.ip_unprivileged_port_start=0' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

This lets the HAProxy container bind the standard HTTP/HTTPS ports without root, which the rootless deployment model depends on. Be aware that the setting is host-wide: with the value 0, every unprivileged process on the machine, not just HAProxy, may bind any port, including ports a system service is expected to own (22, for instance, while sshd is restarting or not running). If you prefer to grant only what Surfly needs, use net.ipv4.ip_unprivileged_port_start=80 instead: ports 80 and above become bindable and ports 1-79 stay privileged. Confirm the active value with sysctl net.ipv4.ip_unprivileged_port_start.

Configure Systemd User-Linger (Rootless Mode)

Enable systemd user-linger for the client user so that its systemd user instance is started at boot and kept running when no one is logged in. Without linger, a user's services and its /run/user/<uid> runtime directory are torn down when the last session ends, which would stop the Surfly services with it.

Terminal window
# Enable user-linger for the client user
sudo loginctl enable-linger client

Configure XDG_RUNTIME_DIR (Rootless Mode)

The XDG_RUNTIME_DIR environment variable tells systemctl --user and the rootless container tooling where the user's runtime directory is (/run/user/<uid>, which holds the user bus socket and the container runtime state). pam_systemd sets it for an interactive login, but it is usually missing when you switch to the user with sudo or su, so set it explicitly in the user's shell profile.

Add the following line to the user’s shell profile (e.g., /home/client/.bashrc):

Terminal window
export XDG_RUNTIME_DIR=/run/user/$(id -u)

After making this change, close your existing SSH session and open a new one as the user that runs Surfly so the variable is loaded. Confirm it with echo $XDG_RUNTIME_DIR and systemctl --user status; the error "Failed to connect to bus" means the variable is unset or /run/user/<uid> does not exist (linger not enabled).
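As a final check, the script below re-reads the settings made on this page and reports anything that is missing, and it warns when the host-wide ip_unprivileged_port_start=0 value was used. It is an added example written for this page, not Surfly's own tooling: the account name client and the HAProxy ports 80/443 come from the page, while the --check flag and the function names are the script's own assumptions. Save it as surfly-precheck.sh and run it as root.

```bash
#!/usr/bin/env bash
# surfly-precheck.sh -- added example, not part of Surfly's own tooling.
# Verifies the host preparation described on this page (SELinux mode, the
# dedicated user, limits.conf entries, the unprivileged-port sysctl, linger
# and the user runtime directory) and warns about the one setting that
# widens the host's attack surface. The account name "client" and the
# HAProxy ports 80/443 come from the page; the --check flag and the
# function names are this script's own.

# --- pure helpers: take text as arguments so they can be tested offline ---

# selinux_config_mode "<contents of /etc/selinux/config>" -> enforcing|permissive|disabled
# Ignores comment lines and the unrelated SELINUXTYPE= key; the last match wins.
selinux_config_mode() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' | tail -n 1
}

# limits_value "<contents of limits.conf>" USER ITEM soft|hard -> configured value (or nothing)
# A "-" in the type column sets both soft and hard; a later line overrides an earlier one.
limits_value() {
  printf '%s\n' "$1" | awk -v u="$2" -v i="$3" -v t="$4" '
    $1 !~ /^#/ && $1 == u && $3 == i && ($2 == t || $2 == "-") { v = $4 }
    END { if (v != "") print v }'
}

# unpriv_port_ok START PORT... -> success when every PORT is at or above START,
# i.e. bindable without CAP_NET_BIND_SERVICE given net.ipv4.ip_unprivileged_port_start=START
unpriv_port_ok() {
  local start=$1 p
  shift
  for p in "$@"; do
    [ "$p" -ge "$start" ] || return 1
  done
  return 0
}

# port_start_warning START -> prints a warning when START is wider than 80/443 need
port_start_warning() {
  if [ "$1" -eq 0 ]; then
    echo "WARN: ip_unprivileged_port_start=0 lets any unprivileged process bind any port" \
         "(22 included, whenever sshd is not listening); 80 is enough for HAProxy on 80/443"
  fi
}

# --- live checks against this host (run as root: sudo ./surfly-precheck.sh --check) ---

main() {
  local user=client rc=0 mode lim start rundir
  mode=$(selinux_config_mode "$(cat /etc/selinux/config 2>/dev/null)")
  echo "SELinux: config=${mode:-unknown} runtime=$(getenforce 2>/dev/null || echo unknown)"
  case "$mode" in
    permissive|disabled) ;;
    *) echo "FAIL: /etc/selinux/config must set SELINUX=permissive (or disabled)"; rc=1 ;;
  esac

  if getent passwd "$user" >/dev/null; then
    echo "user $user: present (uid $(id -u "$user"))"
  else
    echo "FAIL: user $user does not exist"; rc=1
  fi

  lim=$(cat /etc/security/limits.conf 2>/dev/null)
  echo "limits.conf: redis nofile soft/hard=$(limits_value "$lim" redis nofile soft)/$(limits_value "$lim" redis nofile hard)" \
       "$user nofile=$(limits_value "$lim" "$user" nofile hard) memlock=$(limits_value "$lim" "$user" memlock hard)"
  # pam_limits applies the file at session start; this is what a new session actually gets.
  echo "effective for $user: nofile=$(sudo -u "$user" sh -c 'ulimit -n') memlock_kb=$(sudo -u "$user" sh -c 'ulimit -l')"

  start=$(sysctl -n net.ipv4.ip_unprivileged_port_start)
  if unpriv_port_ok "$start" 80 443; then
    echo "ports: unprivileged range starts at $start; 80/443 bindable by $user"
  else
    echo "FAIL: unprivileged range starts at $start; 80/443 still need root"; rc=1
  fi
  port_start_warning "$start"

  if [ "$(loginctl show-user "$user" -p Linger --value 2>/dev/null)" = "yes" ]; then
    echo "linger: enabled for $user"
  else
    echo "FAIL: linger not enabled (sudo loginctl enable-linger $user)"; rc=1
  fi

  rundir=/run/user/$(id -u "$user" 2>/dev/null)
  if [ -d "$rundir" ]; then
    echo "runtime dir: $rundir present (XDG_RUNTIME_DIR target)"
  else
    echo "FAIL: $rundir missing; systemctl --user will fail with 'Failed to connect to bus'"; rc=1
  fi
  return "$rc"
}

if [ "${1:-}" = "--check" ]; then
  main
fi
```

The parsing helpers take file contents as arguments rather than reading the files themselves, so they can be exercised on any machine without root; only the live section under --check needs root, because it reads limits.conf and runs sudo -u client to see the limits a fresh session really receives. A non-zero exit means at least one FAIL line was printed.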