docker-kong
Image kong/kong-gateway:3.5.0.3-amazonlinux-2023 does not allow write permissions for kong user
Hi,
I'm using a Dockerfile with the kong/kong-gateway:3.5.0.3-amazonlinux-2023 and my plugins fail to start because apparently the kong user does not have write permissions to /usr/local/kong.
This problem does not occur using the image kong/kong-gateway:3.2.1.0-amazonlinux-2022 and kong:3.5-ubuntu for example.
The permissions of the folder are:
I'm seeking advice on where to look to investigate this issue.
Hello @lays147,
sorry for taking long to respond: The /usr/local/kong directory should not be written to by plugins. It is preferable to create files under /var.
Can you explain why your plugins need to write to /usr/local/kong?
-Hans
Well, all the docs around plugins relate to adding the binaries to /usr/local/kong, see: https://docs.konghq.com/gateway/latest/plugin-development/pluginserver/go/
There is NO documentation under Kong docs about the good practices where the plugins should be, and the issues that one can find on using it.
I don't have that issue on using the kong-ubuntu version, only with the amazonlinux one.
cc @hanshuebner
@lays147 I'm not sure I understand what you're looking for. In your description, you write that your plugins "fail to start" because they cannot write to /usr/local/kong. This seems to indicate that your plugin code wants to write some files to /usr/local/kong. Generally, I would advise against doing that and instead choose a path under /var when writing files from the plugin. If what you're trying is to write to /usr/local/kong from your Dockerfile, you can use the USER instruction in your Dockerfile to switch to the root user before copying files.
I understand that our documentation could be better. If you have a specific suggestion, feel free to contribute to docs.konghq.com - If you start a certain page that you feel is missing, we can add to it with our specific knowledge.
@hanshuebner the problem is that the kong user does not have write permissions under /usr/local/kong where it creates the .socket files. The documentation points to that path as default, for the creation of it.
@lays147 You mentioned that you're using a custom Dockerfile - Can you add RUN chown kong /usr/local/kong to that so that the incorrect permissions set up by the container are fixed? This seems like a bug in the Amazon Linux container which we'll need to fix.
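The workaround from the comment above, combined with the earlier USER advice, written out as an added example that is not part of the original thread or the project's own Dockerfile. It assumes the image's runtime user is named kong, as the thread states, and adds a build-time write check so the image fails to build if the permissions are still wrong.

```dockerfile
# Added example (not from the thread): fix ownership of the Kong prefix
# directory at build time, then drop back to the unprivileged user.
FROM kong/kong-gateway:3.5.0.3-amazonlinux-2023

# chown needs root; this affects build steps only until the next USER line.
USER root

# Give the kong user ownership of the prefix directory itself.
# Deliberately not recursive and not a world-writable chmod, so nothing
# beyond this one directory changes.
RUN chown kong /usr/local/kong

# Return to the unprivileged user so the container does not run as root.
USER kong

# Build-time check, executed as kong: the build stops here if the
# directory where the .socket files are created is still not writable.
RUN test -w /usr/local/kong
```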
@hanshuebner I changed to use the kong-ubuntu based image, since this one is recommended for enterprise users, which I'm not. I just reported the bug :)