The user directive is set only if the user is root #964
642824f to ca7c0f2
-- Extract nginx config from kong config, replace any needed value | ||
local nginx_config = configuration.nginx | ||
local nginx_inject = { | ||
user = get_current_user(), | ||
user = is_root() and "user "..current_user.." "..get_primary_group(current_user)..";" or "", |
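Review bot: the `+` line references `current_user`, but nothing in this hunk shows where it is assigned; the removed line called `get_current_user()` inline, so make sure a `local current_user = get_current_user()` precedes the `nginx_inject` table and that it cannot be `nil` when `is_root()` is true, otherwise the `..` concatenation raises. Emitting an empty string for a non-root start is the right behaviour, because nginx only honours the `user` directive when the master process starts as root and logs the warning this PR wants to silence otherwise; a one-line comment saying so on the `+` line would spare the next reader the same question. Since the user and group names are interpolated verbatim into nginx.conf, it is also cheap to reject a name containing whitespace, `;` or `#` before concatenating, so a malformed account name cannot produce an unparsable config.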
This will not work for any user that is not root, which limits the ability to run the Kong process as any user. Specifically, for security purposes a sysadmin would want to silo the Kong execution into a specific user; this forbids that. It's too dangerous to rely only on root users.
Furthermore, nginx does not implicitly require user to be root: http://nginx.org/en/docs/ngx_core_module.html#user
This doesn't prevent running Kong with any other user.
The user needs to be a user with super-user privileges; otherwise nginx throws a warning, and this PR simply removes that warning from the logs.
This doesn't prevent running Kong with any other user.
I realize that, which is why I said it "limits" the ability to run as another user. In this case, the user is what the process/workers will be run as, and as a sysadmin I would not be able to use a non-root user now.
adduser newuser
su - newuser -c "kong start"
[root]# adduser newuser
[root]# su - newuser -c "kong start"
[INFO] Kong 0.6.1
[INFO] Using configuration: /etc/kong/kong.yml
[INFO] database...........cassandra keyspace=kong ssl=verify=false enabled=false replication_factor=1 contact_points=ec2-52-6-21-95.compute-1.amazonaws.com:9042 replication_strategy=SimpleStrategy timeout=5000 data_centers=
[INFO] dnsmasq............address=127.0.0.1:8053 dnsmasq=true port=8053
[INFO] Auto-generating the default SSL certificate and key...
[INFO] nginx .............admin_api_listen=0.0.0.0:8001 proxy_listen=0.0.0.0:8000 proxy_listen_ssl=0.0.0.0:8443
[INFO] serf ..............-profile=wan -rpc-addr=127.0.0.1:7373 -event-handler=member-join,member-leave,member-failed,member-update,member-reap,user:kong=/usr/local/kong/serf_event.sh -bind=0.0.0.0:7946 -node=7614aadd81f6_0.0.0.0:7946 -log-level=err
[INFO] Trying to auto-join Kong nodes, please wait..
[WARN] Cannot auto-join the cluster because no nodes were found
[OK] Started
[root]# ps aux | grep nginx
newuser 243 0.0 0.1 201740 4108 ? Ss 21:22 0:00 nginx: master process /usr/local/openresty/nginx/sbin/nginx -p /usr/local/kong -c nginx.conf -g pid /usr/local/kong/nginx.pid;
newuser 244 0.7 0.7 211268 15028 ? S 21:22 0:00 nginx: worker process
newuser 245 0.5 0.6 208408 13352 ? S 21:22 0:00 nginx: worker process
newuser 246 0.5 0.6 208408 13352 ? S 21:22 0:00 nginx: worker process
newuser 247 0.7 0.6 208408 13352 ? S 21:22 0:00 nginx: worker process
newuser 248 0.7 0.6 208408 13352 ? S 21:22 0:00 nginx: worker process
newuser 249 0.5 0.6 208408 13352 ? S 21:22 0:00 nginx: worker process
newuser 250 0.5 0.6 208408 13352 ? S 21:22 0:00 nginx: worker process
newuser 251 0.5 0.6 208408 13352 ? S 21:22 0:00 nginx: worker process
and
[root]# cat /usr/local/kong/nginx.conf
user newuser;
...
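A defender-side verification step, added here and not part of the Kong PR or of Kong's own code: after `kong start`, confirm from `ps` output that the nginx workers actually run as the intended unprivileged account. The master may legitimately stay root when started as root with a `user` directive, but a worker owned by root is always a finding; the sample lines are constructed to mirror the `ps aux` output above.

```shell
#!/bin/sh
# Added check (hypothetical helper, not Kong code): read `ps aux`-style lines on
# stdin and verify nginx process ownership.
# Usage: check_nginx_user EXPECTED_USER < ps_output
# Exit 0 only when every worker is owned by EXPECTED_USER and the master is
# owned by EXPECTED_USER or root.
check_nginx_user() {
    expected="$1"
    awk -v want="$expected" '
        # only nginx master/worker entries; the "grep nginx" line never matches
        $0 ~ /nginx: (master process|worker process)/ {
            owner = $1; pid = $2
            role = ($0 ~ /master process/) ? "master" : "worker"
            if (role == "worker" && owner == "root") {
                printf "FAIL: worker pid %s runs as root\n", pid; bad++
            } else if (owner != want && !(role == "master" && owner == "root")) {
                printf "FAIL: %s pid %s runs as %s, expected %s\n", role, pid, owner, want; bad++
            } else {
                printf "ok: %s pid %s runs as %s\n", role, pid, owner
            }
            seen++
        }
        END {
            if (seen == 0) { print "FAIL: no nginx processes found"; exit 1 }
            if (bad > 0) exit 1
            exit 0
        }'
}

# Constructed sample: the non-root start shown in this thread (all processes newuser).
SAMPLE_PS_OK='newuser 243 0.0 0.1 201740 4108 ? Ss 21:22 0:00 nginx: master process /usr/local/openresty/nginx/sbin/nginx -p /usr/local/kong -c nginx.conf
newuser 244 0.7 0.7 211268 15028 ? S 21:22 0:00 nginx: worker process
newuser 245 0.5 0.6 208408 13352 ? S 21:22 0:00 nginx: worker process'

# Constructed sample: root-started master (fine) but one worker never dropped privileges.
SAMPLE_PS_BAD='root 243 0.0 0.1 201740 4108 ? Ss 21:22 0:00 nginx: master process /usr/local/openresty/nginx/sbin/nginx
root 244 0.7 0.7 211268 15028 ? S 21:22 0:00 nginx: worker process
newuser 245 0.5 0.6 208408 13352 ? S 21:22 0:00 nginx: worker process'

# Live use: ps aux | check_nginx_user newuser
printf '%s\n' "$SAMPLE_PS_OK" | check_nginx_user newuser
```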
This removes the annoying warn log in error.log.