According to its docs, Apache Kafka logs to /tmp/kafka-logs by default. Since /tmp is owned by root in Linux, then to me, this means that you have to run Kafka as root in order for it to log to that location correctly. However for security purposes, I don't want it to run as root, and so I'm trying to figure out what my options are. I believe I have to choose between the following:
-Dkafka.logs.dir command-line switch to specify a different location (that isn't owned by root) for logs to be written to; or
/tmp/kafka-logs is owned by the same user as the user that will be starting Kafka (or, in general, making sure the Kafka user has the correct permissions to r/w/x to that directory); or
Can someone clarify (or correct) that my understanding of Linux permissions and processes is correct, and that those are my only two options? And of course, if there are any other options that will allow me to run Kafka as non-root, please chime in!
$ ls -ld /tmp
drwxrwxrwt 16 root root 32768 Sep 28 16:39 /tmp
The first rwx means that /tmp is readable, writable and executable by its owner (root), the second rwx means that it's readable, writable and executable by its group (root), and the third rwx means that it's readable, writable and executable by everyone. (For a directory "executable" means it can be navigated into).
So your non-privileged user can write log files to /tmp. There may be problems if another user has already created their own /tmp/kafka-logs.
However, writing logs to /tmp is not a sustainable strategy in the long term. Anything goes if this is a personal system, but on a production system you would not expect /tmp to have the reserved storage space or the maintenance attention that a directory like /var/log has. By its name, you can guess that files in /tmp are considered fair game for deletion if space starts running out.
The page you've linked is pretty clear - although there are defaults, their expectation is that as a minimum you supply a properties file containing broker.id, logs.dir and zookeeper.connect.
So, configure whatever log directory you like, writable by your preferred user.
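The checks discussed in this answer (who owns the directory, what the mode string allows, and the case where someone else already created the name in a shared directory), as an added example that is not part of the original answer. The function name check_log_dir and the sample path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: vet (and if needed create) a log directory for the
# unprivileged account that will start the broker. Run it as that account.
check_log_dir() {
    dir=$1
    # A name inside a shared, world-writable directory such as /tmp can be
    # pre-created by any other user, including as a symlink. Refuse those.
    if [ -L "$dir" ]; then
        echo "refuse: $dir is a symlink" >&2; return 1
    fi
    # Create a missing directory privately: umask 027 gives mode 0750.
    if [ ! -e "$dir" ]; then
        (umask 027 && mkdir -p -- "$dir") || return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "refuse: $dir is not a directory" >&2; return 1
    fi
    # ls -ldn prints the same fields as the ls -ld output above, with a
    # numeric owner: field 1 is the mode string, field 3 the owner uid.
    perms=$(ls -ldn -- "$dir" | awk '{print $1}')
    owner=$(ls -ldn -- "$dir" | awk '{print $3}')
    if [ "$owner" != "$(id -u)" ]; then
        echo "refuse: $dir is owned by uid $owner, not $(id -u)" >&2; return 1
    fi
    case $perms in
        d?w*) ;;   # owner can write: required
        *) echo "refuse: owner cannot write to $dir ($perms)" >&2; return 1 ;;
    esac
    case $perms in
        d????w*|d???????w*)   # group- or world-writable, as /tmp itself is
            echo "refuse: $dir is writable by others ($perms)" >&2; return 1 ;;
    esac
    echo "ok: $dir ($perms, uid $owner)"
}

# Usage: sh check_log_dir.sh /var/lib/kafka/logs   (path is a constructed example)
if [ "$#" -gt 0 ]; then check_log_dir "$1"; fi
```

Run it as the account that will start Kafka, then point the log directory setting in the properties file at the directory it accepted.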