Running Kong as a Non-Root User
After installing Kong Gateway (OSS) on a GNU/Linux system, you can configure Kong to run as the built-in kong user instead of the root user. This makes the Nginx master and worker processes use the built-in kong user and group credentials, overriding any settings in the nginx_user configuration property. It is also possible to run Kong as a custom non-root user.
The Nginx master process needs to run as root for Nginx to execute certain actions (for example, to listen on the privileged port 80).
Although running Kong as the kong user does provide more security, we advise that a system and network administration evaluation be performed before making this decision. Otherwise, Kong nodes might become unavailable due to insufficient permissions to execute privileged system calls in the operating system.
Prerequisites
Kong Gateway (OSS) is installed on one of the following Linux distributions:
- Amazon Linux
- Debian
- Red Hat
- Ubuntu
- CentOS
Run Kong Gateway (OSS) as the built-in kong user
When Kong Gateway (OSS) is installed with a package management system such as APT or YUM, a default kong user and a default kong group are created. All the files installed by the package are owned by the kong user and group.
- Switch to the built-in kong user:
  $ su kong
- Start Kong:
  $ kong start
Run Kong Gateway (OSS) as a custom non-root user
It is also possible to run Kong as a custom non-root user. Since all the files installed by the Kong Gateway (OSS) package are owned by the kong group, a user that belongs to that group should be permitted to perform the same operations as the kong user.
- Add the user to the kong group:
  $ sudo usermod -aG kong your-user
- Start Kong:
  $ kong start
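The two checks below are an added example, not taken from the Kong documentation. The first reads kong.conf-style text and reports *_listen addresses on ports below 1024, which a non-root user cannot bind by default; the second reads `ps -eo user=,pid=,args=` output and reports Nginx processes not owned by the expected user. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for a Kong node that should run as the non-root "kong" user.
# Function names and sample data are constructed for illustration.

# Read kong.conf-style text on stdin; print "<property> <address>" for every
# *_listen entry whose port is below 1024 (not bindable by a non-root user
# unless extra privileges are granted).
privileged_listens() {
    awk '
        /^[ \t]*[a-z_]+_listen[ \t]*=/ {
            key = $1; sub(/=.*/, "", key)
            value = $0; sub(/^[^=]*=/, "", value)
            n = split(value, entries, ",")
            for (i = 1; i <= n; i++) {
                split(entries[i], words, " ")     # words[1] is ip:port, the rest are flags
                m = split(words[1], parts, ":")
                port = parts[m] + 0                # "off" or empty evaluates to 0
                if (port > 0 && port < 1024) print key, words[1]
            }
        }'
}

# Read `ps -eo user=,pid=,args=` output on stdin; print "<user> <pid> <role>"
# for every Nginx master or worker process not owned by the user given as $1.
nginx_not_owned_by() {
    awk -v want="$1" '$3 == "nginx:" && $1 != want { print $1, $2, $4 }'
}

# Constructed kong.conf fragment.
SAMPLE_CONF='proxy_listen = 0.0.0.0:80 reuseport backlog=16384, 0.0.0.0:8443 ssl
admin_listen = 127.0.0.1:8001
#proxy_listen = 0.0.0.0:443 ssl'

# Constructed process listing (user, pid, command line).
SAMPLE_PS='root 1201 nginx: master process nginx -c nginx.conf
kong 1202 nginx: worker process
kong 1300 /bin/sh -c sleep 60'

printf '%s\n' "$SAMPLE_CONF" | privileged_listens
printf '%s\n' "$SAMPLE_PS" | nginx_not_owned_by kong
```

On a live node, pipe your kong.conf into the first function and the output of `ps -eo user=,pid=,args=` into the second; listen settings supplied outside the file are not covered.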