Deployment Architecture

Receiving error "Access is denied" when trying to deploy 'splunk apply shcluster-bundle'?

frankwayne
Path Finder

I have a Windows 2012 R2 server with UAC disabled.
I've just installed Splunk Enterprise, placed an app in the $SPLUNK_HOME/etc/shcluster/apps/ directory,
and tried to deploy a bundle:

>splunk apply shcluster-bundle -target https://searchhead:8089
Warning: Depending on the configuration changes being pushed, this command might initiate a rolling restart of the cluster members.  Please refer to the documentation for the details. Do you wish to continue? [y/n]: y
Your session is invalid.  Please login.
Splunk username: admin
Password:
Error while creating deployable apps: Error moving tmp_staging_area="C:\Program Files\Splunk\var\run\splunk\deploy.9f0aa64b5fe19f35.tmp" to dst="C:\Program Files\Splunk\var\run\splunk\deploy": Access is denied.

Has anyone else seen this behavior?

0 Karma
1 Solution

vinaypradhan
Explorer

Run the apply shcluster-bundle in 2 stages.
First run with -action stage:
splunk apply shcluster-bundle -target https://xx.xx.xx.xx:8089 -auth admin:password -action stage
and then run:
splunk apply shcluster-bundle -target https://xx.xx.xx.xx:8089 -auth admin:password -action send
This should fix it.

This error has nothing to do with any file permissions.

0 Karma

martin_hempstoc
Explorer

I had the exact same error on a Linux box. The issue was a file permissions issue where the current user had read access but not write access to

$Splunk_home\var\run\splunk\deploy

Looks like this could be possibly related.

0 Karma
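A check for the permission condition described in the reply above, written for a Linux deployer. This is an added example, not code from the thread or from Splunk; the function name `check_deploy_perms` is hypothetical, and the directory layout is taken from the error message in the question.

```sh
#!/bin/sh
# Added example (not Splunk's code). Run it as the account that executes
# `splunk apply shcluster-bundle`; root passes every -w test, so a root run
# proves nothing about the service account.

# check_deploy_perms RUN_DIR   (hypothetical helper name)
# RUN_DIR is $SPLUNK_HOME/var/run/splunk, the parent of "deploy" in the
# error message. Prints one line per problem; returns 0 when none are found.
check_deploy_perms() {
    run_dir=$1
    deploy_dir=$run_dir/deploy
    problems=0

    if [ ! -d "$run_dir" ]; then
        printf 'MISSING  %s\n' "$run_dir"
        return 1
    fi

    # Moving deploy.<id>.tmp to deploy rewrites entries in the parent
    # directory, which needs write and search (execute) permission there.
    if [ ! -w "$run_dir" ] || [ ! -x "$run_dir" ]; then
        printf 'NOWRITE  %s\n' "$run_dir"
        problems=1
    fi

    # Assumption: an existing deploy tree gets replaced, which means deleting
    # what is in it, so every directory below it has to be writable as well.
    if [ -d "$deploy_dir" ]; then
        bad=$(find "$deploy_dir" -type d -exec sh -c '
            for d; do
                [ -w "$d" ] && [ -x "$d" ] || printf "NOWRITE  %s\n" "$d"
            done' sh {} + 2>/dev/null) || true
        if [ -n "$bad" ]; then
            printf '%s\n' "$bad"
            problems=1
        fi
    fi
    return "$problems"
}

# Usage: sh check_deploy_perms.sh "$SPLUNK_HOME/var/run/splunk"
if [ "$#" -gt 0 ]; then
    check_deploy_perms "$1"
fi
```

Any `NOWRITE` line names a directory whose ownership or mode should be compared with the account Splunk runs as before retrying the bundle push.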

Sourabhv05
Communicator

Did you find any solution to this? I am facing the same issue as well.

0 Karma

frankwayne
Path Finder

No, I'm afraid not. I will be redeploying all my indexers, search heads and the cluster master as Red Hat instead. I will put the deployer on the cluster master instead. I guess the Windows situation must remain a Splunk mystery.

0 Karma

kundeng
Path Finder

Hi, I have the same issue. The documentation did not say the deployer has to be Linux. Can anyone using a Windows deployer confirm it works? Maybe it's a configuration issue with Windows 2012 server?

martin_mueller
SplunkTrust

The documentation is pretty clear on not supporting Windows, and it explicitly mentions the deployer: http://docs.splunk.com/Documentation/Splunk/6.2.3/DistSearch/SHCsystemrequirements#Operating_system_...

All search head cluster members and the deployer must run on the same operating system. 
If the search head cluster is connected to an indexer cluster, then the indexer cluster instances must run on the same operating system as the search head cluster members. 

Search head clustering is available on the following operating systems: 

•Linux 
•Solaris 
Splunk does not currently support search head clustering on Windows systems. 

frankwayne
Path Finder

Thank you very much, Martin. That settles it.

0 Karma

martin_mueller
SplunkTrust

Update for 6.3: The docs now support SHC on all Enterprise-supported operating systems: http://docs.splunk.com/Documentation/Splunk/6.3.0/DistSearch/SHCsystemrequirements

frankwayne
Path Finder

Thank you for your reply, Martin. At first glance, your answer seemed right. However, as I look further, I'm not convinced.

The deployer in my case is not a cluster member (indeed, it cannot be a cluster member) and therefore is not subject to the restrictions on search head cluster members. You can see that the requirements for the deployer (http://docs.splunk.com/Documentation/Splunk/6.2.2/DistSearch/SHCsystemrequirements#Deployer_requirem...) include Windows. I am running the deployer on my deployment server, which I want to be a Windows server.

I was not aware that Windows search head clusters are not supported. They are certainly configurable since I have a cluster with two Windows search heads. I will have to redeploy them as Linux servers.

However, I think (based on the documentation) that the Windows deployer should work. Am I missing something else?

0 Karma