From ca9024f774c73f6c86eaefe606aeef222065cfd1 Mon Sep 17 00:00:00 2001 From: Jon Cahill-Torre Date: Tue, 18 Mar 2025 15:49:57 +0000 Subject: [PATCH 01/10] docs: add agent unprivileged doc --- .../installation-unprivileged.md | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 content/agent/installation-upgrade/installation-unprivileged.md diff --git a/content/agent/installation-upgrade/installation-unprivileged.md b/content/agent/installation-upgrade/installation-unprivileged.md new file mode 100644 index 000000000..e1864460e --- /dev/null +++ b/content/agent/installation-upgrade/installation-unprivileged.md @@ -0,0 +1,55 @@ +--- +title: "Run without root privileges" +weight: 450 +toc: true +tags: [ "docs" ] +categories: ["configuration"] +doctypes: ["task"] +--- + +## Overview + +If the policies of your organization do not allow to run processes as root, you can run NGINX Agent under a user without root privileges. + +This also aligns with the principle of least privilege, which is a security concept that limits the access rights of users to the bare minimum permissions they need to perform their work. + +## Before you begin + +Please note that **root access is required to install NGINX Agent**. The agent can be run under a non-root user after the installation. + + +## Installation + +The installation process involves installing NGINX Plus without root privileges and then installing NGINX Agent: + +### Install NGINX Plus without root privileges + +You can install NGINX Plus without root privileges following the steps on the [NGINX Plus installation page]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus/#unpriv_install" >}}). The steps include a script that will allow you to install NGINX Plus in a non-root environment. + +{{< note >}} +NGINX Agent has its own user group (`nginx-agent`) which is created when NGINX Agent is installed. The user NGINX is running under is added to this user group during the installation of NGINX Agent. If you change the NGINX user after installing NGINX Agent, you will need to [manually add the new NGINX user]({{< ref "/agent/configuration/configure-nginx-agent-group.md" >}}) to the `nginx-agent` group. +{{< /note >}} + +### Install NGINX Agent + +After installing NGINX Plus, you can install NGINX agent following the steps on the [NGINX Agent installation page]({{< ref "/agent/installation-upgrade/installation-oss.md" >}}). + +### Start NGINX Agent + +Run the command corresponding to your operating system to start NGINX Agent: + +{{}} + +| Operating System | Command(s) | +|------------------------------------------------------|------------------------------------------------| +| RHEL, CentOS,
Rocky Linux, AlmaLinux,
Oracle Linux, Ubuntu,
Debian, SLES, Amazon Linux | ```sudo systemctl start nginx-agent``` | +| Alpine Linux | ```sudo rc-service nginx-agent start```
or
```sudo /etc/init.d/nginx-agent start``` | +| FreeBSD | ```sudo service nginx-agent start``` | + +{{}} + +You can confirm that NGINX Agent is running under the same user as NGINX Plus by running the following command: + + ```bash + ps aux | grep nginx-agent + ``` From 02d307212e78ff79f2f9c585195342a1d407899a Mon Sep 17 00:00:00 2001 From: Jon Torre <78599298+JTorreG@users.noreply.github.com> Date: Tue, 18 Mar 2025 16:55:42 +0000 Subject: [PATCH 02/10] Update content/agent/installation-upgrade/installation-unprivileged.md Co-authored-by: Alan Dooley --- .../installation-upgrade/installation-unprivileged.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/content/agent/installation-upgrade/installation-unprivileged.md b/content/agent/installation-upgrade/installation-unprivileged.md index e1864460e..5202246a3 100644 --- a/content/agent/installation-upgrade/installation-unprivileged.md +++ b/content/agent/installation-upgrade/installation-unprivileged.md @@ -1,10 +1,9 @@ --- -title: "Run without root privileges" +title: Run without root privileges weight: 450 toc: true -tags: [ "docs" ] -categories: ["configuration"] -doctypes: ["task"] +type: how-to +product: Agent --- ## Overview From 82db84570c5690e3dc06a0cc51f40ae7d5cb8b2b Mon Sep 17 00:00:00 2001 From: Jon Torre <78599298+JTorreG@users.noreply.github.com> Date: Tue, 18 Mar 2025 16:56:04 +0000 Subject: [PATCH 03/10] Update content/agent/installation-upgrade/installation-unprivileged.md Co-authored-by: Alan Dooley --- content/agent/installation-upgrade/installation-unprivileged.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/agent/installation-upgrade/installation-unprivileged.md b/content/agent/installation-upgrade/installation-unprivileged.md index 5202246a3..1868e8e8b 100644 --- a/content/agent/installation-upgrade/installation-unprivileged.md +++ b/content/agent/installation-upgrade/installation-unprivileged.md @@ -11,6 +11,7 @@ product: Agent If the policies of your organization do not allow to run processes as root, you can run NGINX Agent under a user without root privileges. This also aligns with the principle of least privilege, which is a security concept that limits the access rights of users to the bare minimum permissions they need to perform their work. +--- ## Before you begin From 03143ef37d9354bfd2559e14ac8fd0703283defe Mon Sep 17 00:00:00 2001 From: Jon Torre <78599298+JTorreG@users.noreply.github.com> Date: Tue, 18 Mar 2025 16:56:11 +0000 Subject: [PATCH 04/10] Update content/agent/installation-upgrade/installation-unprivileged.md Co-authored-by: Alan Dooley --- content/agent/installation-upgrade/installation-unprivileged.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/agent/installation-upgrade/installation-unprivileged.md b/content/agent/installation-upgrade/installation-unprivileged.md index 1868e8e8b..fa5fefade 100644 --- a/content/agent/installation-upgrade/installation-unprivileged.md +++ b/content/agent/installation-upgrade/installation-unprivileged.md @@ -17,6 +17,7 @@ This also aligns with the principle of least privilege, which is a security conc Please note that **root access is required to install NGINX Agent**. The agent can be run under a non-root user after the installation. +--- ## Installation From 72bebda697fd9d146d47ea5bd5db11f128e68afd Mon Sep 17 00:00:00 2001 From: Jon Torre <78599298+JTorreG@users.noreply.github.com> Date: Tue, 18 Mar 2025 16:57:20 +0000 Subject: [PATCH 05/10] Update content/agent/installation-upgrade/installation-unprivileged.md Co-authored-by: Alan Dooley --- content/agent/installation-upgrade/installation-unprivileged.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/agent/installation-upgrade/installation-unprivileged.md b/content/agent/installation-upgrade/installation-unprivileged.md index fa5fefade..f55fe87bb 100644 --- a/content/agent/installation-upgrade/installation-unprivileged.md +++ b/content/agent/installation-upgrade/installation-unprivileged.md @@ -35,6 +35,8 @@ NGINX Agent has its own user group (`nginx-agent`) which is created when NGINX A After installing NGINX Plus, you can install NGINX agent following the steps on the [NGINX Agent installation page]({{< ref "/agent/installation-upgrade/installation-oss.md" >}}). +--- + ### Start NGINX Agent Run the command corresponding to your operating system to start NGINX Agent: From a800c8cc8f4e49039400d00b8540e6f4cc8ac004 Mon Sep 17 00:00:00 2001 From: Jon Torre <78599298+JTorreG@users.noreply.github.com> Date: Tue, 18 Mar 2025 16:57:32 +0000 Subject: [PATCH 06/10] Update content/agent/installation-upgrade/installation-unprivileged.md Co-authored-by: Alan Dooley --- content/agent/installation-upgrade/installation-unprivileged.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/agent/installation-upgrade/installation-unprivileged.md b/content/agent/installation-upgrade/installation-unprivileged.md index f55fe87bb..8649c4caf 100644 --- a/content/agent/installation-upgrade/installation-unprivileged.md +++ b/content/agent/installation-upgrade/installation-unprivileged.md @@ -31,6 +31,8 @@ You can install NGINX Plus without root privileges following the steps on the [N NGINX Agent has its own user group (`nginx-agent`) which is created when NGINX Agent is installed. The user NGINX is running under is added to this user group during the installation of NGINX Agent. If you change the NGINX user after installing NGINX Agent, you will need to [manually add the new NGINX user]({{< ref "/agent/configuration/configure-nginx-agent-group.md" >}}) to the `nginx-agent` group. {{< /note >}} +--- + ### Install NGINX Agent After installing NGINX Plus, you can install NGINX agent following the steps on the [NGINX Agent installation page]({{< ref "/agent/installation-upgrade/installation-oss.md" >}}). From 5a87918a60811ead7818c96df55b98dff70930cb Mon Sep 17 00:00:00 2001 From: Jon Cahill-Torre Date: Tue, 18 Mar 2025 16:57:58 +0000 Subject: [PATCH 07/10] docs: remove indentation --- .../agent/installation-upgrade/installation-unprivileged.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/agent/installation-upgrade/installation-unprivileged.md b/content/agent/installation-upgrade/installation-unprivileged.md index 8649c4caf..7bdcefb07 100644 --- a/content/agent/installation-upgrade/installation-unprivileged.md +++ b/content/agent/installation-upgrade/installation-unprivileged.md @@ -55,6 +55,6 @@ Run the command corresponding to your operating system to start NGINX Agent: You can confirm that NGINX Agent is running under the same user as NGINX Plus by running the following command: - ```bash - ps aux | grep nginx-agent - ``` +```bash +ps aux | grep nginx-agent +``` From 2eb9e62790fd64c598e74da7228eef3c92570248 Mon Sep 17 00:00:00 2001 From: Jon Torre <78599298+JTorreG@users.noreply.github.com> Date: Tue, 18 Mar 2025 18:09:57 +0000 Subject: [PATCH 08/10] Update content/agent/installation-upgrade/installation-unprivileged.md --- content/agent/installation-upgrade/installation-unprivileged.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/agent/installation-upgrade/installation-unprivileged.md b/content/agent/installation-upgrade/installation-unprivileged.md index 7bdcefb07..9103e24cc 100644 --- a/content/agent/installation-upgrade/installation-unprivileged.md +++ b/content/agent/installation-upgrade/installation-unprivileged.md @@ -11,6 +11,7 @@ product: Agent If the policies of your organization do not allow to run processes as root, you can run NGINX Agent under a user without root privileges. This also aligns with the principle of least privilege, which is a security concept that limits the access rights of users to the bare minimum permissions they need to perform their work. + --- ## Before you begin From 19aeb75acb87105c4026ae12fb8e2cee79e8ad88 Mon Sep 17 00:00:00 2001 From: Jon Torre <78599298+JTorreG@users.noreply.github.com> Date: Wed, 19 Mar 2025 10:55:43 +0000 Subject: [PATCH 09/10] Update content/agent/installation-upgrade/installation-unprivileged.md --- content/agent/installation-upgrade/installation-unprivileged.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/agent/installation-upgrade/installation-unprivileged.md b/content/agent/installation-upgrade/installation-unprivileged.md index 9103e24cc..10202738d 100644 --- a/content/agent/installation-upgrade/installation-unprivileged.md +++ b/content/agent/installation-upgrade/installation-unprivileged.md @@ -8,7 +8,7 @@ product: Agent ## Overview -If the policies of your organization do not allow to run processes as root, you can run NGINX Agent under a user without root privileges. +If the policies of your organization do not allow running processes as root, you can run NGINX Agent under a user without root privileges. This also aligns with the principle of least privilege, which is a security concept that limits the access rights of users to the bare minimum permissions they need to perform their work. From f00664ab7857d3955a015b228a0c1653b2be49af Mon Sep 17 00:00:00 2001 From: Jon Cahill-Torre Date: Wed, 19 Mar 2025 10:56:24 +0000 Subject: [PATCH 10/10] chore: remove separators --- .../agent/installation-upgrade/installation-unprivileged.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/content/agent/installation-upgrade/installation-unprivileged.md b/content/agent/installation-upgrade/installation-unprivileged.md index 10202738d..137bdf752 100644 --- a/content/agent/installation-upgrade/installation-unprivileged.md +++ b/content/agent/installation-upgrade/installation-unprivileged.md @@ -32,14 +32,10 @@ You can install NGINX Plus without root privileges following the steps on the [N NGINX Agent has its own user group (`nginx-agent`) which is created when NGINX Agent is installed. The user NGINX is running under is added to this user group during the installation of NGINX Agent. If you change the NGINX user after installing NGINX Agent, you will need to [manually add the new NGINX user]({{< ref "/agent/configuration/configure-nginx-agent-group.md" >}}) to the `nginx-agent` group. {{< /note >}} ---- - ### Install NGINX Agent After installing NGINX Plus, you can install NGINX agent following the steps on the [NGINX Agent installation page]({{< ref "/agent/installation-upgrade/installation-oss.md" >}}). ---- - ### Start NGINX Agent Run the command corresponding to your operating system to start NGINX Agent: