You are browsing unreleased documentation. See the latest documentation here.
Running Kong as a Non-Root User
After installing Kong Gateway on a GNU/Linux system, you can
configure Kong to run as the built-in kong
user and group instead of root
.
This makes the Nginx master and worker processes run as the built-in kong
user and group, overriding any settings in the
nginx_user
configuration property. It is also possible to run Kong as a custom non-root user.
Important: The Nginx master process needs to run as
root
for Nginx to execute certain actions (for example, to listen on the privileged port 80).
Although running Kong as thekong
user and group does provide more security, we advise that a system and network administration evaluation be performed before making this decision. Otherwise, Kong nodes might become unavailable due to insufficient permissions to execute privileged system calls in the operating system.
Prerequisites
Kong Gateway Enterprise is installed on one of the following Linux distributions:
Run Kong Gateway as the built-in kong user
When Kong Gateway is installed with a package management system such as APT
or YUM
, a default kong
user and a default kong
group are created. All the files installed by the package are owned by the kong
user and group.
-
Switch to the built-in
kong
user:su kong
-
Start Kong:
kong start
Run Kong Gateway as a custom non-root user
It is also possible to run Kong as a custom non-root user. Since all the files installed by the Kong Gateway package are owned by the kong
group, a user that belongs to that group should be permitted to perform the same operations as the kong
user.
-
Add the user to the
kong
groupsudo usermod -aG kong your-user
-
Start Kong:
kong start