如何以非root用户身份运行Kafka?
[英]How to run Kafka as non-root user?
问题描述
According to its docs , Apache Kafka logs to /tmp/kafka-logs by default. 
根据其文档 ,Apache Kafka默认情况下登录到/tmp/kafka-logs 。
Since /tmp is owned by root in Linux, then to me, this means that you have to run Kafka as root in order for it to log to that location correctly. 由于/tmp在Linux中是root所拥有的,所以对我来说,这意味着您必须以root身份运行Kafka才能使其正确登录到该位置。 However for security purposes, I don't want it to run as root, and so I'm trying to figure out what my options are. 但是出于安全目的,我不希望它作为root用户运行,因此我试图弄清楚我的选择是什么。 I believe I have to choose between the following: 我相信我必须在以下选项之间进行选择:
- Use the
-Dkafka.logs.dircommand-line switch to specify a different location (that isn't owned by root) for logs to be written to;使用-Dkafka.logs.dir命令行开关来指定要写入日志的其他位置(不是root拥有)。 or要么 - Modify the system ahead of time (that is, prior to starting Kafka) so that
/tmp/kafka-logsis owned by the same user as the user that will be starting Kafka (or, in general, making sure the the Kafka user has the correct permissions to r/w/x to that directory);提前(即在启动Kafka之前)修改系统,以便/tmp/kafka-logs由与将要启动Kafka的用户相同的用户拥有(或者,通常,确保Kafka用户具有r / w / x对该目录的正确权限); or要么
Can someone clarify (or correct) that my undertanding of Linux permissions and processes is correct, and that those are my only two options? 有人可以澄清(或纠正)我对Linux权限和进程的理解是正确的,而这是我仅有的两个选择吗? And of course, if there are any other options that will allow me to run Kafka as non-root, please chime in! 当然,如果还有其他选择允许我以非超级用户身份运行Kafka,请输入提示音!
1 个解决方案
解决方案1
2 已采纳 2016-09-28 16:11:51
$ ls -ld /tmp
drwxrwxrwt 16 root root 32768 Sep 28 16:39 /tmp
The first rwx means that /tmp is readable, writable and executable by its owner (root), the second rwx means that it's readable, writable and executable by its group (root), and the third rwx means that it's readable, writable and executable by everyone . 第一个rwx表示/tmp由其所有者(根)可读取,可写和可执行,第二个rwx表示其组(根)可读取,可写和可执行,而第三个rwx表示其可读,可写和可执行每个人都有 。 (For a directory "executable" means it can be navigated into). (对于目录“可执行”表示可以将其导航到)。
So your non-privileged user can write log files to /tmp . 因此,您的非特权用户可以将日志文件写入/tmp 。 There may be problems if another user has already created their own /tmp/kafka-logs . 如果另一个用户已经创建了自己的/tmp/kafka-logs则可能会出现问题。
However, writing logs to /tmp is not a sustainable strategy in the long term. 但是,从长远来看,将日志写入/tmp并不是可持续的策略。 Anything goes if this is a personal system, but on a production system you would not expect /tmp to have the reserved storage space or the maintenance attention that a directory like /var/log has. 如果这是个人系统,那么一切都会发生,但是在生产系统上,您不会期望/tmp具有像/var/log这样的目录所具有的保留的存储空间或维护注意。 By its name, you can guess that files in /tmp are considered fair game for deletion if space starts running out. 用它的名字,您可以猜测/tmp中的文件被认为是公平的删除空间的游戏。
The page you've linked is pretty clear - although there are defaults, their expectation is that as a minimum you supply a properties file containing broker.id , logs.dir and zookeeper.connect . 您链接的页面非常清晰-尽管有默认值,但他们的期望是至少提供一个包含broker.id , logs.dir和zookeeper.connect的属性文件。
So, configure whatever log directory you like, writable by your preferred user. 因此,配置您喜欢的可由首选用户写入的任何日志目录。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.