smeeb - 10 months ago 52
Linux Question

How to run Kafka as non-root user?

According to its docs, Apache Kafka logs to

/tmp/kafka-logs
by default.

Since
/tmp
is owned by
root
in Linux, then to me, this means that you have to run Kafka as
root
in order for it to log to that location correctly. However for security purposes, I don't want it to run as root, and so I'm trying to figure out what my options are. I believe I have to choose between the following:

1. Use the
-Dkafka.logs.dir
command-line switch to specify a different location (that isn't owned by root) for logs to be written to; or

2. Modify the system ahead of time (that is, prior to starting Kafka) so that
/tmp/kafka-logs
is owned by the same user as the user that will be starting Kafka (or, in general, making sure the the Kafka user has the correct permissions to r/w/x to that directory); or

Can someone clarify (or correct) that my undertanding of Linux permissions and processes is correct, and that those are my only two options? And of course, if there are any other options that will allow me to run Kafka as non-root, please chime in!

\$ ls -ld /tmp

The first rwx means that /tmp is readable, writable and executable by its owner (root), the second rwx means that it's readable, writable and executable by its group (root), and the third rwx means that it's readable, writable and executable by everyone. (For a directory "executable" means it can be navigated into).
So your non-privileged user can write log files to /tmp. There may be problems if another user has already created their own /tmp/kafka-logs.
However, writing logs to /tmp is not a sustainable strategy in the long term. Anything goes if this is a personal system, but on a production system you would not expect /tmp to have the reserved storage space or the maintenance attention that a directory like /var/log has. By its name, you can guess that files in /tmp are considered fair game for deletion if space starts running out.
The page you've linked is pretty clear - although there are defaults, their expectation is that as a minimum you supply a properties file containing broker.id, logs.dir and zookeeper.connect.