Per the instructions found here in the splunkbase and here, I tried to use the 'setcap' command. I can't quite get it to work. Modifying /opt/splunk/bin/splunk does not allow splunk to bind to the admin ports. Trying to setcap /opt/splunk/bin/python2.6 causes python to lose access to the local python modules.
Is there a documented way to use Linux Capabilities to allow a non-root Splunk system to listen on 443 and 514?
first test of setcap, nothing changed but permissions of bin/splunk
cps@sea-splunk01:/opt/splunk/bin$ setcap 'cap_net_bind_service=+ep' /opt/splunk/bin/splunk
unable to set CAP_SETFCAP effective capability: Operation not permitted
cps@sea-splunk01:/opt/splunk/bin$ sudo !!
sudo setcap 'cap_net_bind_service=+ep' /opt/splunk/bin/splunk
cps@sea-splunk01:/opt/splunk/bin$ sudo /etc/init.d/splunk restart
Restarting Splunk...
Stopping splunkweb...
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
.
Stopping splunk helpers...
Done.
Splunk> 4TW
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking configuration... Done.
Checking index directory... Done.
Checking databases...
Validated databases: _audit, _blocksignature, _internal, _thefishbucket, history, main, sample, summary
All preliminary checks passed.
Starting splunk server daemon (splunkd)... Done.
Starting splunkweb... Done.
If you get stuck, we're here to help.
Look for answers here: http://www.splunk.com/base/Documentation
The Splunk web interface is at http://sea-splunk01:8000
ok, this all works, so I'm going to try modifying to use port 443 and restart
cps@sea-splunk01:/opt/splunk/etc$ sudo /etc/init.d/splunk restart
Restarting Splunk...
Stopping splunkweb...
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
.
Stopping splunk helpers...
Done.
Splunk> 4TW
Checking prerequisites...
Checking http port [443]: open
Checking mgmt port [8089]: open
Checking configuration... Done.
Checking index directory... Done.
Checking databases...
Validated databases: _audit, _blocksignature, _internal, _thefishbucket, history, main, sample, summary
All preliminary checks passed.
Starting splunk server daemon (splunkd)... Done.
Starting splunkweb... Error starting splunkweb.
Hmmm, it saw that 443 was open, but couldn't bind it. Rats. Change back to 8443 for now, and restart.
Let's try modifying bin/python2.6, and see what happens
cps@sea-splunk01:/opt/splunk/bin$ sudo setcap 'cap_net_bind_service=+ep' /opt/splunk/bin/python2.6
cps@sea-splunk01:/opt/splunk/bin$
cps@sea-splunk01:/opt/splunk/bin$
cps@sea-splunk01:/opt/splunk/bin$ sudo /etc/init.d/splunk restart
Restarting Splunk...
Stopping splunkweb...
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
.
Stopping splunk helpers...
Done.
Splunk> 4TW
Checking prerequisites...
Checking http port [8443]: open
Checking mgmt port [8089]: open
Traceback (most recent call last):
File "/opt/splunk/lib/python2.6/site-packages/splunk/clilib/cli.py", line 17, in <module>
import splunk.clilib.cli_common as comm
File "/opt/splunk/lib/python2.6/site-packages/splunk/clilib/cli_common.py", line 6, in <module>
import lxml.etree as etree
ImportError: libxslt.so.1: cannot open shared object file: No such file or directory

You cannot use setcap to grant the capability to splunkd or python in any meaningful way. Processes in Linux that are run with escalated privileges cannot use a LD_LIBRARY_PATH, which is essential. Your best bet is one of the suggestions from http://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privilege....
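The mechanism behind this answer can be checked on any file: setcap stores the capability set in the security.capability extended attribute, and when an unprivileged user executes a file that grants new permitted capabilities the kernel marks the exec as secure (AT_SECURE), which makes glibc's dynamic loader ignore LD_LIBRARY_PATH and LD_PRELOAD. That is why python2.6 in the question could no longer find libxslt.so.1 under /opt/splunk/lib. The decoder below is an added example for this thread, not Splunk's code or the poster's; it assumes Linux with Python 3, the v1/v2/v3 layouts of struct vfs_cap_data from linux/capability.h, and a constructed blob standing in for what `setcap cap_net_bind_service=+ep` writes.

```python
import os
import struct

# Constants from linux/capability.h (the VFS file-capability format).
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
VFS_CAP_REVISION_1 = 0x01000000   # one 32-bit word per set (12-byte blob)
VFS_CAP_REVISION_2 = 0x02000000   # two words per set, caps 0-63 (20-byte blob)
VFS_CAP_REVISION_3 = 0x03000000   # as v2 plus a namespaced root uid (24-byte blob)
WORDS_PER_SET = {VFS_CAP_REVISION_1: 1, VFS_CAP_REVISION_2: 2, VFS_CAP_REVISION_3: 2}

# A few capability numbers from the same header; anything else is shown as cap_N.
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 6: "cap_setgid", 7: "cap_setuid",
    10: "cap_net_bind_service", 12: "cap_net_admin", 13: "cap_net_raw",
    19: "cap_sys_ptrace", 21: "cap_sys_admin", 31: "cap_setfcap",
}


def cap_names(mask):
    """Expand a 64-bit capability mask into capability names, lowest number first."""
    return [CAP_NAMES.get(n, "cap_%d" % n) for n in range(64) if (mask >> n) & 1]


def decode_vfs_cap(blob):
    """Decode the raw security.capability xattr bytes that setcap(8) writes."""
    if len(blob) < 4:
        raise ValueError("blob too short for a vfs_cap_data header")
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision not in WORDS_PER_SET:
        raise ValueError("unknown security.capability revision 0x%08x" % revision)
    permitted = inheritable = 0
    offset = 4
    for word in range(WORDS_PER_SET[revision]):   # data[word] = {permitted, inheritable}
        p, i = struct.unpack_from("<II", blob, offset)
        permitted |= p << (32 * word)
        inheritable |= i << (32 * word)
        offset += 8
    rootid = None
    if revision == VFS_CAP_REVISION_3:             # v3 appends the user-namespace root uid
        (rootid,) = struct.unpack_from("<I", blob, offset)
        offset += 4
    if offset != len(blob):
        raise ValueError("unexpected trailing bytes in security.capability")
    return {
        "revision": revision >> 24,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": cap_names(permitted),
        "inheritable": cap_names(inheritable),
        "rootid": rootid,
    }


def file_caps(path):
    """Read and decode a file's capabilities; None if it has none or xattrs are unavailable."""
    getxattr = getattr(os, "getxattr", None)   # only Linux exposes this
    if getxattr is None:
        return None
    try:
        blob = getxattr(path, "security.capability")
    except OSError:
        return None
    return decode_vfs_cap(blob)


def explain(caps):
    """Spell out what a decoded file-capability set means for a program run by a non-root user."""
    if caps is None:
        return ["no file capabilities: the program runs with only the caller's own privileges"]
    notes = []
    if caps["permitted"]:
        notes.append("an unprivileged caller gains %s at exec; the kernel treats that as a secure "
                     "exec, so the dynamic loader ignores LD_LIBRARY_PATH and LD_PRELOAD"
                     % ", ".join(caps["permitted"]))
    if not caps["effective"]:
        notes.append("effective bit clear: the program must raise the capability itself (capset) "
                     "before it can use it")
    if caps["rootid"] not in (None, 0):
        notes.append("namespaced capability: honoured only in user namespaces whose root maps to "
                     "uid %d" % caps["rootid"])
    return notes


# Constructed blob equal to what `setcap cap_net_bind_service=+ep` writes on a v2 system:
# magic 0x02000000 with the effective flag, permitted word 0 = bit 10, everything else zero.
SETCAP_NET_BIND_EP = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                                 1 << 10, 0, 0, 0)

if __name__ == "__main__":
    decoded = decode_vfs_cap(SETCAP_NET_BIND_EP)
    print(decoded)
    for note in explain(decoded):
        print("-", note)
```

Calling `file_caps("/opt/splunk/bin/python2.6")` on the box from the question would return the same structure as the constructed blob; the explanation it prints matches the traceback that followed the restart.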
Method 3 works perfectly for me.
Easiest method I found was to use the iptables method of port redirection.
iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables-save
Then configure httpport = 8443 in web.conf
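A check for this redirect, written as an added example rather than the poster's or Splunk's code: it parses `iptables-save` output for nat-table REDIRECT rules, reads `httpport` from the `[settings]` stanza of web.conf, and reports whether the two agree. It also flags a gap the rule above leaves: a PREROUTING rule only rewrites packets arriving from the network, so clients on the Splunk host itself that connect to 443 need the same rule in the nat OUTPUT chain. The sample ruleset and web.conf are constructed, and the assumed inputs are the text formats of iptables-save and of an INI-style web.conf.

```python
import configparser
import re

# An iptables-save rule line of the shape the answer installs, for example:
#   -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
REDIRECT_RULE = re.compile(
    r"^-A (?P<chain>\S+) .*-p tcp .*--dport (?P<dport>\d+) .*-j REDIRECT --to-ports (?P<to>\d+)$"
)


def parse_nat_redirects(dump):
    """Return [(chain, dport, to_port)] for every REDIRECT rule in the nat table of an iptables-save dump."""
    table, rules = None, []
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header such as *nat
            table = line[1:]
        elif line == "COMMIT":            # end of the current table
            table = None
        elif table == "nat":
            m = REDIRECT_RULE.match(line)
            if m:
                rules.append((m.group("chain"), int(m.group("dport")), int(m.group("to"))))
    return rules


def splunkweb_port(webconf_text):
    """Read httpport from the [settings] stanza; Splunk .conf files are INI-style."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(webconf_text)
    return cp.getint("settings", "httpport")


def check_redirect(dump, webconf_text, public_port=443):
    """Cross-check the firewall redirect against web.conf and list the gaps found."""
    port = splunkweb_port(webconf_text)
    rules = parse_nat_redirects(dump)
    chains = sorted({chain for chain, dport, to in rules if dport == public_port and to == port})
    problems = []
    if "PREROUTING" not in chains:
        problems.append("no nat PREROUTING rule redirects %d to httpport %d" % (public_port, port))
    if "OUTPUT" not in chains:
        problems.append("no nat OUTPUT rule: connections from this host to %d are not redirected"
                        % public_port)
    for chain, dport, to in rules:
        if dport == public_port and to != port:
            problems.append("%s redirects %d to %d, but web.conf httpport is %d"
                            % (chain, public_port, to, port))
    return {"httpport": port, "chains": chains, "problems": problems}


# Constructed sample inputs, not captured from a real host.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

SAMPLE_WEB_CONF = """\
[settings]
httpport = 8443
enableSplunkWebSSL = true
"""

if __name__ == "__main__":
    print(check_redirect(SAMPLE_IPTABLES_SAVE, SAMPLE_WEB_CONF))
```

On a real host, feed it the output of `iptables-save` and the contents of the web.conf you edited. Note that `iptables-save` on its own only prints the ruleset; making the rule survive a reboot is distribution-specific (for example, iptables-persistent on Debian/Ubuntu restores /etc/iptables/rules.v4).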
Yes, I did check that. Execution works flawlessly if I remove the capabilities permissions.
I did discover the capable_probe kernel module here [1], and I was able to discover that splunkd requests the permissions first. I modified splunkd permissions, and ran into the same issue, that splunkd no longer looked in /opt/splunk/lib for dynamic libraries.
However, splunkweb will not start, even when splunkd can find them. I opened a similar question with Ubuntu, 119518 [2] also.
[1] http://www.friedhoff.org/downloads.html
[2] https://answers.launchpad.net/ubuntu/+source/libcap2/+question/119158

Have you ensured that all files in the Splunk directory are owned and accessible by Splunk and not just by root?
