I have been trying to get the Splunk Remote Upgrader for Linux Universal Forwarders 1.0.3 app to work and upgrade our UFs.

The UFs are installed on a supported version of Rocky Linux (9) and we used the .tgx file to install and upgrade the UFs to 9.4.7. The UFs are running as the "splunk" user using the command below to set up and we set the splunk user to be able to read our resources okay.

splunk enable boot-start -systemd-managed 1 -user splunk

Now, when I use the new app on some of my UFs to Splunk 9.4.8/9, etc, the upgrade seems to complete, but Splunk refuses to start up 3 times and then it rolls back the upgrade to 9.4.7.

In the history folder, I see that the logs look for the System Unit file (/etc/systemd/system/SplunkForwarder.service) and if it exists, then the Upgrader assumes that the user running Splunk is root:root and then uses chown -R root:root to the Splunk folder and then the splunk user does not have access to the folder and the start fails. The section in the splunk_util.sh where I found this is:

        if [ -f "$SPLUNK_CUSTOM_UNIT_FILE_PATH" ] || [ -f "$SPLUNK_DEFAULT_UNIT_FILE_PATH" ]; then

            # if any unit file exists, must run splunk as root/sudo

            print_info "Found Splunk unit file. Will start Splunk as ROOT/SUDO."

            splunk_user="root"

It is not true that if the System Unit file (SplunkForwarder.service) exists, then root must be running Splunk - it contains the lines below that tell systemd to start Splunk as the splunk user and the Upgrader should be looking into the file itself to find the real user.

User=splunk

Group=splunk
root is the user who has access to run "systemctl restart SplunkForwarder", but Splunk is not running as root and never has.

If I can stop the process and prevent the Upgrader from rolling back to 9.4.7, then I can run a disable boot-start and then do a enable boot-start and it works, but that is a hack, personally?!