Deployment Architecture

Unable to install Splunk 6.3.0 on RedHat 6.4 via rpm with error "can't create transaction lock on /var/lib/rpm/.rpm.lock (Permission Denied)"

edrivera3
Builder

Hi

I tried the rpm installation in a RedHat 6.4 and I got the following output:

Warning: splunk-6.3.0 .... Signature, key ID 653fb112: NOKEY
Error: can't create transaction lock on /var/lib/rpm/.rpm.lock (Permission Denied)

Do I need to be root for the Splunk installation? If so, do I always need root access for changing configuration files, restarting Splunk, etc.?

Thanks,

1 Solution

muebel
SplunkTrust

Hi edrivera3, I expect that you will need to be root in order to install Splunk. However, you can have splunk run as another user (usually the user Splunk) by running

$SPLUNK_HOME/bin/splunk enable boot-start -user splunk

You will then want to do a chown -R splunk:splunk on $SPLUNK_HOME

Keep in mind, if you don't run as root you can have issues with reading some files, so make sure this works for you, or adjust the permissions on the files (or the splunk user's group membership) in order to get the inputs you need.

Let me know if this helps!


highsplunker
Contributor

From root

step 0: created Linux user named "splunk"
step 1: created folder /opt/splunk/
step 2: installed the Splunk distribution to /opt/splunk/
step 3: changed the owner of /opt/splunk/ to "splunk" user


triest
Communicator

To install RPMs you will need to be root (short version; see below). This isn't specific to Splunk, but a general rule for every RPM-based distribution I've used.

If you really need to install Splunk without having root access, you can use the tarred distribution; you won't be able to install the init script to start it on boot without root, however.

Long Version:
I don't have a RedHat 6.4 system handy, but I have a 6.6 system and if I do ls -al /var/lib/rpm/ I notice that:

  1. The /var/lib/rpm directory and all files and sub-directories are owned by root:root (technically uid: 0 gid: 0)
  2. The directory has 0744 permissions (rwxr--r--), so only the owner can write to it

Thus by default the permissions would prevent a user other than root from installing RPMs. You could work around this by changing permissions, making another uid 0 account, etc., but I would advise against it.

If you think about it more generally, ideally all software on RedHat would be installed / managed via RPMs. The only user then who we are confident has write access to all the files that might need updating is the root user (okay, the UID 0 user if you want to rename root).

Aside:
Running Splunk as a user other than root is highly recommended. The RPM distributed by Splunk creates a splunk user/group that owns the files in $SPLUNK_HOME, so it's very easy to do. Since it's not obvious to you that you would need to be root to install an RPM, I'm assuming you aren't an experienced Unix admin (although I could be wrong; we all have our days), so just be aware that if you want Splunk to read system logs (/var/log/*) and you're not running it as root, you may need to adjust the file permissions (e.g. /var/log/secure is owned by root:root with 0600 permissions by default).
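The two permission problems raised in this thread (rpm needing write access to /var/lib/rpm, per triest's ls -al reasoning above, and a non-root splunk user being unable to read root-only logs, per muebel's and triest's caveats) can be checked up front with a small script. The following is an added example written for this page; it is not code from the thread, from Splunk, or from the RPM project. It assumes Linux with GNU coreutils (stat -c and id -Gn, as on RedHat) for the live checks; the can_read rule itself is plain POSIX sh and works on constructed values, so it can be exercised without touching real files.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk): pre-flight checks for
#   1. the rpm transaction lock: /var/lib/rpm is root:root 0744 by default, so a
#      non-root user cannot create .rpm.lock and gets "Permission Denied";
#   2. inputs: a Splunk instance running as the non-root "splunk" user can only
#      index files that user can read (/var/log/secure is root:root 0600).
# Assumes GNU coreutils `stat -c` / `id -Gn` for the live checks (RedHat).

# can_read MODE OWNER GROUP USER GROUPS
#   MODE   octal mode as stat prints it ("600", "0744", "4755")
#   GROUPS comma-separated groups USER belongs to ("splunk,adm")
# Exit 0 if USER can read a file with that mode/owner/group, 1 otherwise.
# Standard Unix rule: root bypasses; owner class applies if USER owns the
# file (even if group bits would grant more); then group; then other.
# POSIX ACLs are not considered.
can_read() {
  mode=$1 owner=$2 group=$3 user=$4 groups=$5
  [ "$user" = root ] && return 0
  perm=$(printf '%s' "$mode" | tail -c 3)         # drop a leading setuid/sticky digit
  while [ ${#perm} -lt 3 ]; do perm=0$perm; done   # "40" -> "040"
  if [ "$user" = "$owner" ]; then
    bit=$(printf '%s' "$perm" | cut -c1)
  else
    case ",$groups," in
      *",$group,"*) bit=$(printf '%s' "$perm" | cut -c2) ;;
      *)            bit=$(printf '%s' "$perm" | cut -c3) ;;
    esac
  fi
  [ $((bit & 4)) -ne 0 ]                           # read bit is 4
}

# rpm_lock_diagnosis [DBDIR]
#   Reports who owns the rpm database directory and whether the current user
#   can write it (rpm creates its transaction lock there). Exit 0 if writable.
rpm_lock_diagnosis() {
  dbdir=${1:-/var/lib/rpm}
  me=$(id -un)
  owner_info=$(stat -c '%a %U:%G' "$dbdir" 2>/dev/null || echo unknown)
  if [ -w "$dbdir" ]; then
    echo "ok: $me can write $dbdir ($owner_info); rpm can take its lock"
    return 0
  fi
  echo "rpm would fail: $dbdir is $owner_info and $me cannot write it; run rpm as root"
  return 1
}

# audit_inputs USER FILE...
#   For each FILE, reports whether USER (the account Splunk runs as) could
#   read it, judged from mode and ownership. Exit 1 if any file is unreadable.
audit_inputs() {
  user=$1; shift
  groups=$(id -Gn "$user" 2>/dev/null | tr ' ' ',')
  rc=0
  for f in "$@"; do
    info=$(stat -c '%a %U %G' "$f" 2>/dev/null) || { echo "missing:    $f"; rc=1; continue; }
    mode=${info%% *}; rest=${info#* }; owner=${rest%% *}; group=${rest#* }
    if can_read "$mode" "$owner" "$group" "$user" "$groups"; then
      echo "readable:   $f ($mode $owner:$group)"
    else
      echo "UNREADABLE: $f ($mode $owner:$group) -> adjust permissions or $user's group membership"
      rc=1
    fi
  done
  return $rc
}

# Run with --run to check the real system (both checks are read-only):
#   sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
  rpm_lock_diagnosis
  audit_inputs splunk /var/log/messages /var/log/secure
fi
```

Running it as the splunk user before the install reproduces the "cannot write /var/lib/rpm" diagnosis from the question; running it after the chown -R and enable boot-start -user splunk steps lists exactly which system logs still need a group or permission change before they can be added as inputs.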

edrivera3
Builder

Thanks muebel. It was very helpful.
