Deployment Architecture

Why do app or add-on installations, on a single-instance Splunk Enterprise 7.1.2 on Linux, show as the root user by default?

Path Finder

I have a single instance Splunk Enterprise 7.1.2 on Linux. I have used a non-root user "splunk" & group "splunk" to install Splunk. At the time of install I made sure to run the "chown -R splunk:splunk /opt/splunk" command and verified all files/dirs are now owned by "splunk:splunk". I am noticing that whenever I install a new app or add-on, its owner is root:root by default. I have to manually run that chown command every time after I install an app or add-on & restart Splunk.

I have looked at this thread https://answers.splunk.com/answers/481355/why-are-apps-installing-as-root-user-when-dir-is-n.html?ut...source=typeahead&utmmedium=newquestion&utmcampaign=novotessortrelev. As per it, is it because we are using the "sudo $SPLUNK_HOME/bin/splunk restart" command to restart Splunk after each app install, which is causing Splunk to restart as the root user? What is the other way then?

Anybody else using Splunk on Linux facing the same issue?

Thanks
Neeraj

0 Karma
1 Solution

Esteemed Legend

Just because you are changing file ownership does not mean that you have changed the user that is running Splunk; clearly this is still root. Go to the CLI as root and do this:

/opt/splunk/bin/splunk stop
DO EVERYTHING IN THIS SECTION (but do not use `bob`, use `splunk`): https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/ConfigureSplunktostartatboottime#Enable_boo...
chown -R splunk:splunk /opt/splunk
systemctl daemon-reload
service splunk start

Then you will be running as user splunk.

0 Karma

Ultra Champion

Just configure the desired OS user in etc/splunk-launch.conf (last line of that file already contains a placeholder for that setting, just uncomment and add the user name). That way, regardless of which user starts splunk, it always runs under the correct user.

0 Karma

Esteemed Legend

There is much more to it than that. See my answer.

0 Karma

Ultra Champion

Sounds more like a different way of doing things? I've never changed the init.d file, or appended the -user flag to the enable-boot command. Just set the user in the splunk-launch.conf and it always runs as the correct user. After boot, but also when you (accidentally) execute ./splunk restart while being root.

Edit, ah:

When 'splunk enable boot-start -user <u>' is invoked, SPLUNK_OS_USER is set to <u> as a side effect. 

So your approach also sets splunk-launch.conf OS user setting in the end.

0 Karma

Path Finder

When you are restarting Splunk by running "sudo $SPLUNK_HOME/bin/splunk restart", essentially what you do is restart Splunk as the root user. You can confirm that with "ps -aux | grep splunk". You first need to switch to the splunk user, "sudo su splunk", and then run $SPLUNK_HOME/bin/splunk restart.

Path Finder

Thanks Mika. Upvote granted 🙂

0 Karma
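The two checks the thread relies on, the SPLUNK_OS_USER line in splunk-launch.conf and the owner of the running splunkd process, can be scripted as an audit. This is an added example, not code from any of the posters or from Splunk; the sample conf contents and temp paths are constructed, and the expected user name "splunk" is the one used in the thread.

```shell
#!/bin/sh
# Added example: audit whether a Splunk install runs as a dedicated user.
# Sample conf files below are constructed, not copied from a real install.

# Print the SPLUNK_OS_USER value from a splunk-launch.conf; print nothing if
# the line is absent or still the commented-out placeholder ("# SPLUNK_OS_USER").
splunk_os_user() {
    grep -E '^[[:space:]]*SPLUNK_OS_USER[[:space:]]*=' "$1" 2>/dev/null \
        | tail -n 1 | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Count entries under directory $1 not owned by user $2 (the drift that the
# thread's repeated "chown -R splunk:splunk /opt/splunk" keeps correcting).
count_not_owned() {
    uid=$(id -u "$2" 2>/dev/null) || { echo "no such user: $2" >&2; return 1; }
    find "$1" ! -uid "$uid" 2>/dev/null | wc -l | tr -d ' '
}

# Report the user that owns the running splunkd process, or "not-running".
splunkd_user() {
    pid=$(pgrep -x splunkd 2>/dev/null | head -n 1)
    if [ -n "$pid" ]; then ps -o user= -p "$pid" | tr -d ' '; else echo not-running; fi
}

# Demo: the shipped placeholder (weak) beside the corrected line (fixed).
demo() {
    tmp=$(mktemp -d)
    printf 'SPLUNK_HOME=/opt/splunk\n# SPLUNK_OS_USER\n' > "$tmp/weak.conf"
    printf 'SPLUNK_HOME=/opt/splunk\nSPLUNK_OS_USER=splunk\n' > "$tmp/fixed.conf"
    echo "weak:  SPLUNK_OS_USER='$(splunk_os_user "$tmp/weak.conf")'"   # empty
    echo "fixed: SPLUNK_OS_USER='$(splunk_os_user "$tmp/fixed.conf")'"  # splunk
    echo "splunkd runs as: $(splunkd_user)"
    rm -rf "$tmp"
}
```

On a live host, run `splunk_os_user /opt/splunk/etc/splunk-launch.conf`, `count_not_owned /opt/splunk splunk` and `splunkd_user` after an app install to see whether the process, not just the files, is running as the intended user.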