topic Re: Why is my installation script running Splunk as root instead of the new "splunk" user I created? in Getting Data In

Why is my installation script running Splunk as root instead of the new "splunk" user I created?

Federica_92 — Tue, 04 Aug 2015 13:04:44 GMT

Hi everyone,

I created a script to install the splunkforwarder on the clients.
The script is called on the main indexer and manages all the clients, but I'm logged in using ssh as root, so:

root@x.x.x.x

During the execution of the script, I'm creating a new user "splunk":

adduser splunk

and I assign the owner permissions of Splunk at the user:

chown -hR splunk /opt/splunk

Next I stop splunk and I do:

sudo -i -u splunk

To access as the new user and I restart Splunk.
Executing the command whoami, I'm still running Splunk as root. I have tried to execute all the same commands manually, from the terminal, and they were correctly working.
I think is there some trouble changing the user, so in the last comment above.
What can I do?
Let me know, thank you

Re: Why is my installation script running Splunk as root instead of the new "splunk" user I created?

woodcock — Tue, 04 Aug 2015 14:04:36 GMT

The command whoami does not do what you think it does. It just says "what user identity am I using right now", not "what user is the process running". You need to do this:

ps -ef | grep splunkd

You should see something like this:

splunk    17145     1  1 Jul29 ?        01:21:01 splunkd -p 8089 restart

But if that is not the problem...

This all looks correct and, as you say, it works when you run it manually. So the problem has to be in your script (duh!). Are you checking all error codes after each step ($?)? Are you using the full path name for each command (eg. /usr/sbin/useradd, not just useradd)? Are you certain that your update script is being run as user root (you can check this as the first thing the script does)?

Re: Why is my installation script running Splunk as root instead of the new "splunk" user I created?

Federica_92 — Tue, 04 Aug 2015 15:22:57 GMT

I try the command and splunk is actually running as root : (
I'm typing adduser splunk nothing else, and I'm executing only one step:

  root@x.x.x.x "command list"

where in command list there are:

useradd splunk
chown -hR splunk /opt/splunk
/opt/splunk/bin stop
sudo -i -u splunk
/opt/splunk/bin start

So I dunno what's wrong, and thank you for the help

Re: Why is my installation script running Splunk as root instead of the new "splunk" user I created?

woodcock — Tue, 04 Aug 2015 15:32:38 GMT

Your last 2 commands should be this instead:

sudo -u splunk /opt/splunk/bin/splunk start

Re: Why is my installation script running Splunk as root instead of the new "splunk" user I created?

Federica_92 — Wed, 05 Aug 2015 08:53:48 GMT

I tried to use this last command but when I use

  ps -ef | grep splunkd

It's running under root again..

Re: Why is my installation script running Splunk as root instead of the new "splunk" user I created?

jeffland — Wed, 05 Aug 2015 11:23:07 GMT

Ideally, you would make your script untar the package, create a user (or the other way round), chown the new directory to the user before starting splunk for the first time, start splunk as the new user with something like the already mentioned sudo -H -u splunk $SPLUNK_HOME/bin/splunk start --accept-license, and set the autostart to use that user as well with $SPLUNK_HOME/bin/splunk enable boot-start -user splunk - see here and here for docs.

Re: Why is my installation script running Splunk as root instead of the new "splunk" user I created?

Federica_92 — Wed, 05 Aug 2015 13:06:43 GMT

sudo -H -u splunk is not working : (

I've already added

 $SPLUNK_HOME/bin/splunk enable boot-start -user splunk
  $SPLUNK_HOME/bin/splunk start --accept-license

But seems like it's not changing user

Re: Why is my installation script running Splunk as root instead of the new "splunk" user I created?

woodcock — Wed, 05 Aug 2015 13:12:59 GMT

Run the ps -ef command after you do the stop command; maybe the stop command is failing. Are you checking return codes after each step?

Re: Why is my installation script running Splunk as root instead of the new "splunk" user I created?

jeffland — Wed, 05 Aug 2015 14:05:43 GMT

You are doing this on a new machine, right?

I've done the above steps many times, and it works like a charm. Just don't start splunk while the directory is not yet owned by the splunk user and don't start it as root. Actually, I've always used su splunk for that, never that command (but it is mentioned in the docs so it should work - but see the notice about what the command assumes in the first link above).

Re: Why is my installation script running Splunk as root instead of the new "splunk" user I created?

Federica_92 — Fri, 07 Aug 2015 10:29:00 GMT

Ok, so your system is working fine if I'm not using ssh, If I log using ssh it's not changing user.
I have another question, during the installation I have this error:
Can't create directory "/root/.splunk": Permission denied

I think it's still related to the user, do you have any ideas why?

Thank you so much for your help : )

Re: Why is my installation script running Splunk as root instead of the new "splunk" user I created?

woodcock — Sat, 08 Aug 2015 15:12:12 GMT

What do you mean by "installation"? Are you using a tarball? What is your installation command? Why are we being so vague? Just list out exactly what is in your script, line-by-line and maybe we can get somewhere.

Re: Why is my installation script running Splunk as root instead of the new "splunk" user I created?

Federica_92 — Mon, 10 Aug 2015 08:28:28 GMT

Yes, sorry, this is the script:

  #!/bin/sh
  INSTALL_FILE="splunkforwarder-6.2.3-264376-Linux-x86_64.tgz"
  #The script doesn't require the creation of a public pair ssh key
  # After installation, the forwarder will become a deployment client the passed argument $1
  # Specify the host and management (not web) port of the deployment server
  # that will be managing these forwarder instances.
 DEPLOY_SERVER="$1"
  #outputs.conf
  OUTPUTS='[tcpout]\n
  defaultGroup= default-autolb-group\n\n

 [tcpout:default-autolb-group]\n\n
 server = $DEPLOY_SERVER:9997\n\n

 [tcpout-server://$DEPLOY_SERVER:9997]'
 #Input to monitor needs to be changed
 INPUTS='[monitor:///var/log/*]\n
 sourcetype=syslog\n
host_segment=3\n
index=test\n\n
 [monitor:///var/log/messages]\n
 sourcetype=syslog\n
 host_segment=3\n
 index=test\n\n
 [monitor:///var/log/lastlog]\n
 sourcetype=syslog\n
 host_segment=3\n
 index=test\n\n'

 echo 'checking network...'
 if wget -q 'http://www.splunk.com/bin/splunk/DownloadActivityServlet?       architecture=x86_64&platform=Linux&version=6.2.3&product=universalforwarder&filename=spl      unkforwarder-6.2.3-264376-Linux-x86_64.tgz&wget=true' > /dev/null; 
  then wget -O splunkforwarder-6.2.3-264376-Linux-x86_64.tgz        'http://www.splunk.com/bin/splunk/DownloadActivityServlet? architecture=x86_64&platform=Linux&version=6.2.3&product=universalforwarder&filename=spl unkforwarder-6.2.3-264376-Linux-x86_64.tgz&wget=true'> /dev/null; 
  tar xvzf splunkforwarder-6.2.3-264376-Linux-x86_64.tgz -C /opt
  useradd splunk 
  chown -R splunk /opt
 chown -hR splunk /var 
 /opt/splunkforwarder/bin/splunk enable boot-start -user splunk --no-prompt --accept-license --     answer-yes 
 sudo -u splunk /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto- ports --no-prompt --accept-license --answer-yes 
 /opt/splunkforwarder/bin/splunk set deploy-poll \"$DEPLOY_SERVER:8089\" --accept-license --     answer-yes --auto-ports --no-prompt  -auth admin:changeme
  cd /opt/splunkforwarder/etc/system/local/ touch inputs.conf
  cd /opt/splunkforwarder/etc/system/local/ touch outputs.conf
 echo -e $OUTPUTS > outputs.conf
 echo -e $INPUTS > inputs.conf
 /opt/splunkforwarder/bin/splunk restart
 else echo 'Seems that your machine is not connected with internet, before to procede be sure     that the installation file is on your machine'; fi

 echo "---------------------------"
echo "Done"