How to run Kafka as non-root user?
According to its docs, Apache Kafka logs to /tmp/kafka-logs by default.
Since /tmp is owned by root in Linux, then to me, this means that you have to run Kafka as root in order for it to log to that location correctly. However, for security purposes, I don't want it to run as root, and so I'm trying to figure out what my options are. I believe I have to choose between the following:
-Dkafka.logs.dir command-line switch to specify a different location (that isn't owned by root) for logs to be written to; or
/tmp/kafka-logs is owned by the same user as the user that will be starting Kafka (or, in general, making sure the Kafka user has the correct permissions to r/w/x to that directory).
Can someone clarify (or correct) that my understanding of Linux permissions and processes is correct, and that those are my only two options? And of course, if there are any other options that will allow me to run Kafka as non-root, please chime in!
$ ls -ld /tmp
drwxrwxrwt 16 root root 32768 Sep 28 16:39 /tmp
The first rwx means that /tmp is readable, writable and executable by its owner (root), the second rwx means that it's readable, writable and executable by its group (root), and the third rwx means that it's readable, writable and executable by everyone. (For a directory "executable" means it can be navigated into).
So your non-privileged user can write log files to /tmp. There may be problems if another user has already created their own /tmp/kafka-logs.
However, writing logs to /tmp is not a sustainable strategy in the long term. Anything goes if this is a personal system, but on a production system you would not expect /tmp to have the reserved storage space or the maintenance attention that a directory like /var/log has. By its name, you can guess that files in /tmp are considered fair game for deletion if space starts running out.
The page you've linked is pretty clear - although there are defaults, their expectation is that as a minimum you supply a properties file containing broker.id, logs.dir and zookeeper.connect.
So, configure whatever log directory you like, writable by your preferred user.
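
A pre-start check for the log directory discussed above, as an added example that is not part of the original posts: it confirms the path is a real directory owned by the service account and not writable by group or others, which catches the case of a /tmp/kafka-logs that another user created first. The helper name check_log_dir and its return codes are assumptions, and it relies on GNU stat (Linux).

```shell
#!/bin/sh
# Added example (not from the original posts): vet a Kafka log directory before start.
# Assumes GNU coreutils stat. check_log_dir and its return codes are hypothetical:
#   0 ok, 1 missing, 2 symlink, 3 wrong owner, 4 group- or world-writable.
check_log_dir() {
    dir=$1
    want_uid=$2   # numeric UID of the account that will run Kafka
    # A symlink could redirect writes to a location chosen by someone else.
    if [ -L "$dir" ]; then
        echo "REJECT: $dir is a symlink" >&2
        return 2
    fi
    if [ ! -d "$dir" ]; then
        echo "REJECT: $dir does not exist or is not a directory" >&2
        return 1
    fi
    owner_uid=$(stat -c '%u' "$dir")
    if [ "$owner_uid" != "$want_uid" ]; then
        echo "REJECT: $dir is owned by uid $owner_uid, expected $want_uid" >&2
        return 3
    fi
    # %a prints the octal mode (e.g. 750 or 1777); test the group/other write bits.
    mode=$(stat -c '%a' "$dir")
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "REJECT: $dir has mode $mode (group- or world-writable)" >&2
        return 4
    fi
    echo "OK: $dir is owned by uid $want_uid with mode $mode"
    return 0
}

# Demo on a constructed temporary directory (mktemp -d creates it with mode 700).
# On a real host the second argument would be the service account's UID.
demo_dir=$(mktemp -d)
check_log_dir "$demo_dir" "$(id -u)"
chmod 777 "$demo_dir"
check_log_dir "$demo_dir" "$(id -u)" || echo "exit status: $?"
rm -rf "$demo_dir"
```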