How to configure Envoy Proxy to run as non-root user?

[Fabrice Triboix]

Hi all,

Is there a configuration item in Envoy Proxy to allow it to drop root privileges after starting up?

Essentially something similar to the `User` configuration directive for Apache.

I guess Envoy Proxy does all its "privileged" stuff at the beginning, such as read SSL private keys etc. and then be able to drop to a non-privileged user. But I can't find any such configuration in the documentation.

Thanks a lot for your help!

  Fabrice

[Yan Avlasov]

I do not think it is supported. I suggest opening an issue on GitHub and let people comment.

[Andrei Nistor]

Hi Fabrice,

We're launching envoy using systemd as an unprivileged user using the following unit file. Note that CAP_NET_BIND_SERVICE is required in order to bind to privileged ports. Other than that, remember to remove /dev/shm/envoy_shared_memory_0 if you've previously started envoy as root.

```

$ cat /etc/systemd/system/envoy.service

[Unit]

Description=Envoy Proxy

Requires=network-online.target

After=network-online.target

[Service]

Type=simple

User=envoy

Group=envoy

ExecStart=/opt/getenvoy/bin/hot-restarter.py /opt/getenvoy/bin/start_envoy.sh

ExecReload=/bin/kill -HUP $MAINPID

ExecStop=/bin/kill -TERM $MAINPID

Restart=always

LimitNOFILE=100000

AmbientCapabilities=CAP_NET_BIND_SERVICE

CapabilityBoundingSet=CAP_NET_BIND_SERVICE

[Install]

WantedBy = multi-user.target

```

Thanks,

Andrei