I have a single instance Splunk Enterprise 7.1.2 on Linux. I have used a non-root user "splunk" & group "splunk" to install Splunk. At the time of install I made sure to run "chown -R splunk:splunk /opt/splunk" and verified all files/dirs are now owned by "splunk:splunk". I am noticing that whenever I install a new app or add-on, its owner is root:root by default. I have to manually run that chown command every time after I install an app or add-on & restart Splunk.
I have looked at this thread https://answers.splunk.com/answers/481355/why-are-apps-installing-as-root-user-when-dir-is-n.html?ut... As per it, is it because we are using "sudo $SPLUNK_HOME/bin/splunk restart" to restart Splunk after each app install, which is causing Splunk to restart as the root user? What is the other way then?
Anybody else using Splunk on Linux facing the same issue?
Thanks
Neeraj
Just because you are changing file ownership does not mean that you have changed the user that is running Splunk; clearly this is still root. Go to the CLI as root and do this:
/opt/splunk/bin/splunk stop
DO EVERYTHING IN THIS SECTION (but do not use `bob`, use `splunk`): https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/ConfigureSplunktostartatboottime#Enable_boo...
chown -R splunk:splunk /opt/splunk
systemctl daemon-reload
service splunk start
Then you will be running as user splunk
Just configure the desired OS user in etc/splunk-launch.conf (last line of that file already contains a placeholder for that setting, just uncomment and add the user name). That way, regardless of which user starts splunk, it always runs under the correct user.
There is much more to it than that. See my answer.
Sounds more like a different way of doing things? I've never changed the init.d file, or appended the -user flag to the enable-boot command. Just set the user in the splunk-launch.conf and it always runs as the correct user. After boot, but also when you (accidentally) execute ./splunk restart while being root.
Edit, ah:
When 'splunk enable boot-start -user <u>' is invoked, SPLUNK_OS_USER is set to <u> as a side effect.
So your approach also sets splunk-launch.conf OS user setting in the end.
When you are restarting Splunk by running "sudo $SPLUNK_HOME/bin/splunk restart", essentially what you do is you restart splunk into root user. You can confirm that by "ps -aux | grep splunk". You first need to jump to splunk user: "sudo su splunk" and then $SPLUNK_HOME/bin/splunk restart.
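Added example, not code from the thread or from Splunk itself: a POSIX sh script that turns the three checks from the answers above into functions that can be run as root after an app install. It shows who splunkd is actually running as (the ps check in Mika's answer), what SPLUNK_OS_USER in etc/splunk-launch.conf says it should be (the comment on splunk-launch.conf above), and which paths under SPLUNK_HOME a chown -R would still have to fix (the first answer). The function names, the constructed sample tree used for the stand-alone demo, and the /opt/splunk default are assumptions; var/run/splunk/splunkd.pid is the standard location of the splunkd pid file. It assumes Linux with GNU coreutils and procps.

```shell
#!/bin/sh
# Added example (not from the thread): verify the user Splunk runs as, the
# user splunk-launch.conf asks for, and ownership under SPLUNK_HOME.
# Assumes Linux, GNU coreutils (stat --printf) and procps (ps -o user=).

# User a process runs as, given its pid (for Splunk: the first line of
# $SPLUNK_HOME/var/run/splunk/splunkd.pid). Falls back to the owner of
# /proc/<pid> when ps is not installed.
process_user() {
    if command -v ps >/dev/null 2>&1; then
        ps -o user:32= -p "$1" | awk 'NR == 1 { print $1 }'
    else
        stat -c '%U' "/proc/$1"
    fi
}

# Value of SPLUNK_OS_USER in a splunk-launch.conf; empty if the line is
# absent or still commented out. The last assignment wins.
launch_conf_os_user() {
    sed -n 's/^[[:space:]]*SPLUNK_OS_USER[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Number of files and directories under $1 whose owner is not $2.
# Tab-separated so paths containing spaces are handled.
count_not_owned_by() {
    find "$1" -exec stat --printf '%U\t%n\n' {} + 2>/dev/null \
        | awk -F '\t' -v want="$2" '$1 != want { n++ } END { print n + 0 }'
}

# Paths under $1 whose owner is not $2: exactly what "chown -R" would change.
list_not_owned_by() {
    find "$1" -exec stat --printf '%U\t%n\n' {} + 2>/dev/null \
        | awk -F '\t' -v want="$2" '$1 != want { print $2 }'
}

# Report for one install tree. Returns 0 only when every path is owned by
# the configured user and splunkd (if running) runs as that user.
splunk_owner_report() {
    home="$1"
    want="$(launch_conf_os_user "$home/etc/splunk-launch.conf")"
    [ -n "$want" ] || want="splunk"   # assumed intended user when unset
    pidfile="$home/var/run/splunk/splunkd.pid"
    running="not running"
    if [ -r "$pidfile" ]; then
        running="$(process_user "$(head -n 1 "$pidfile")")"
    fi
    bad="$(count_not_owned_by "$home" "$want")"
    echo "SPLUNK_OS_USER in splunk-launch.conf: $want"
    echo "splunkd currently running as:         $running"
    echo "paths under $home not owned by $want: $bad"
    [ "$bad" -eq 0 ] && { [ "$running" = "$want" ] || [ "$running" = "not running" ]; }
}

# Stand-alone demo on a constructed tree (no Splunk install needed). Unless
# this shell itself runs as "splunk", the report flags every path and shows
# the chown the thread recommends.
demo_tree="$(mktemp -d)"
mkdir -p "$demo_tree/etc/apps/example_app/default"
printf '[install]\nstate = enabled\n' > "$demo_tree/etc/apps/example_app/default/app.conf"
printf '# constructed sample\n#SPLUNK_OS_USER=\nSPLUNK_OS_USER=splunk\n' \
    > "$demo_tree/etc/splunk-launch.conf"
splunk_owner_report "$demo_tree" \
    || echo "-> fix with: chown -R splunk:splunk $demo_tree (then restart as that user)"
rm -rf "$demo_tree"
```

On a real host, source the file and run splunk_owner_report /opt/splunk as root right after installing an app: a non-zero count of paths not owned by splunk, together with a "running as: root" line, is the symptom described in the question, and list_not_owned_by /opt/splunk splunk prints the offending app directories.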
Thanks Mika. Upvote granted 🙂