Deployment Architecture

Errors running enable boot-start with specific user on a Search Head with pooling config

theunf
Communicator

Hi all,

I´m running a Lab with two Search Heads on a pool using a third server as NFS mount point.

Everything is working fine, users e apps being synchronized almost instantaneously but when I used the splunk enable boot-start -user splunk it returned a lot of errors :

splunk@SearchHead01:/opt/splunk/bin$ sudo ./splunk enable boot-start -user splunk
ERROR IniFile - Cannot open file=/mnt/pooling/etc/pooling/pooling.ini for parsing: Permission denied
ERROR SearchHeadPoolInfo - Error reading search head pool info: Error reading search head pool info /mnt/pooling/etc/pooling/pooling.ini: Permission denied
ERROR UsernameMapper - Cannot create directory: /mnt/pooling/etc/users: Permission denied
ERROR UsernameMapper - Cannot create username mapping file: /mnt/pooling/etc/users/users.ini: Permission denied
ERROR IniFile - Cannot open file=/mnt/pooling/etc/users/users.ini for parsing: Permission denied
ERROR UsernameMapper - Error opening username mapping file: /mnt/pooling/etc/users/users.ini
ERROR IniFile - Cannot open file=/mnt/pooling/etc/pooling/pooling.ini for parsing: Permission denied
ERROR SearchHeadPoolInfo - Error reading search head pool info: Error reading search head pool info /mnt/pooling/etc/pooling/pooling.ini: Permission denied
ERROR UsernameMapper - Cannot create directory: /mnt/pooling/etc/users: Permission denied
ERROR UsernameMapper - Cannot create username mapping file: /mnt/pooling/etc/users/users.ini: Permission denied
ERROR IniFile - Cannot open file=/mnt/pooling/etc/users/users.ini for parsing: Permission denied
ERROR UsernameMapper - Error opening username mapping file: /mnt/pooling/etc/users/users.ini
ERROR IniFile - Cannot open file=/mnt/pooling/etc/pooling/pooling.ini for parsing: Permission denied
ERROR SearchHeadPoolInfo - Error reading search head pool info: Error reading search head pool info /mnt/pooling/etc/pooling/pooling.ini: Permission denied
ERROR UsernameMapper - Cannot create directory: /mnt/pooling/etc/users: Permission denied
ERROR UsernameMapper - Cannot create username mapping file: /mnt/pooling/etc/users/users.ini: Permission denied
ERROR IniFile - Cannot open file=/mnt/pooling/etc/users/users.ini for parsing: Permission denied
ERROR UsernameMapper - Error opening username mapping file: /mnt/pooling/etc/users/users.ini
ERROR IniFile - Cannot open file=/mnt/pooling/etc/pooling/pooling.ini for parsing: Permission denied
ERROR UsernameMapper - Cannot create directory: /mnt/pooling/etc/users: Permission denied
ERROR UsernameMapper - Cannot create username mapping file: /mnt/pooling/etc/users/users.ini: Permission denied
ERROR IniFile - Cannot open file=/mnt/pooling/etc/users/users.ini for parsing: Permission denied
ERROR UsernameMapper - Error opening username mapping file: /mnt/pooling/etc/users/users.ini
 Adding system startup for /etc/init.d/splunk ...
   /etc/rc0.d/K20splunk -> ../init.d/splunk
   /etc/rc1.d/K20splunk -> ../init.d/splunk
   /etc/rc6.d/K20splunk -> ../init.d/splunk
   /etc/rc2.d/S20splunk -> ../init.d/splunk
   /etc/rc3.d/S20splunk -> ../init.d/splunk
   /etc/rc4.d/S20splunk -> ../init.d/splunk
   /etc/rc5.d/S20splunk -> ../init.d/splunk
Init script installed at /etc/init.d/splunk.

The weird solution was to set 777 on folder permissions at NFS server or add root to splunk group.

After that, the command runs normally but a lot of files were created under /mnt/pooling/etc/.

Those errors and the need of extra permissions is a limitation of a bug ?
Which files should reside on the mouting point ?

0 Karma

theunf
Communicator

Boot-start scripts from newest buils start splunk directy and sub-processes follow SPLUNK_OS_USER directive at $SPLUNK_HOME/etc/splunk-launch.conf but it does not bind a GroupID to the process.

So any file that´s created or changed will be saved and owned by :root .

To solve it I start using old Splunk startup script which starts splunk using su command :

RUNAS=splunk
SPLUNK_HOME=/splunk_bin/splunk

splunk_start() {
echo Starting Splunk...
if [ "$RUNAS" = "" ]; then
"$SPLUNK_HOME/bin/splunk start" --no-prompt --answer-yes
RETVAL=$?
else
su -c "$SPLUNK_HOME/bin/splunk start --no-prompt --answer-yes" $RUNAS
RETVAL=$?
fi
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/splunk
}

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...