Per the instructions found here in the splunkbase and here, I tried to use the 'setcap' command. I can't quite get it to work. Modifying /opt/splunk/bin/splunk does not allow splunk to bind to the admin ports. Trying to setcap /opt/splunk/bin/python2.6 causes python to lose access to the local python modules.
Is there a documented way to use Linux Capabilities to allow a non-root Splunk system to listen on 443 and 514?
cps@sea-splunk01:/opt/splunk/bin$ setcap 'cap_net_bind_service=+ep' /opt/splunk/bin/splunk
unable to set CAP_SETFCAP effective capability: Operation not permitted
cps@sea-splunk01:/opt/splunk/bin$ sudo !!
sudo setcap 'cap_net_bind_service=+ep' /opt/splunk/bin/splunk
cps@sea-splunk01:/opt/splunk/bin$ sudo /etc/init.d/splunk restart
Restarting Splunk...
Stopping splunkweb...
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
.
Stopping splunk helpers...
Done.
Splunk> 4TW
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking configuration... Done.
Checking index directory... Done.
Checking databases...
Validated databases: _audit, _blocksignature, _internal, _thefishbucket, history, main, sample, summary
All preliminary checks passed.
Starting splunk server daemon (splunkd)... Done.
Starting splunkweb... Done.
If you get stuck, we're here to help.
Look for answers here: http://www.splunk.com/base/Documentation
The Splunk web interface is at http://sea-splunk01:8000
cps@sea-splunk01:/opt/splunk/etc$ sudo /etc/init.d/splunk restart
Restarting Splunk...
Stopping splunkweb...
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
.
Stopping splunk helpers...
Done.
Splunk> 4TW
Checking prerequisites...
Checking http port [443]: open
Checking mgmt port [8089]: open
Checking configuration... Done.
Checking index directory... Done.
Checking databases...
Validated databases: _audit, _blocksignature, _internal, _thefishbucket, history, main, sample, summary
All preliminary checks passed.
Starting splunk server daemon (splunkd)... Done.
Starting splunkweb... Error starting splunkweb.
cps@sea-splunk01:/opt/splunk/bin$ sudo setcap 'cap_net_bind_service=+ep' /opt/splunk/bin/python2.6
cps@sea-splunk01:/opt/splunk/bin$ sudo /etc/init.d/splunk restart
Restarting Splunk...
Stopping splunkweb...
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
.
Stopping splunk helpers...
Done.
Splunk> 4TW
Checking prerequisites...
Checking http port [8443]: open
Checking mgmt port [8089]: open
Traceback (most recent call last):
File "/opt/splunk/lib/python2.6/site-packages/splunk/clilib/cli.py", line 17, in <module>
import splunk.clilib.cli_common as comm
File "/opt/splunk/lib/python2.6/site-packages/splunk/clilib/cli_common.py", line 6, in <module>
import lxml.etree as etree
ImportError: libxslt.so.1: cannot open shared object file: No such file or directory
You cannot use setcap to grant the capability to splunkd or python in any meaningful way. Processes in Linux that are run with escalated privileges cannot use a LD_LIBRARY_PATH, which is essential. Your best bet is one of the suggestions from http://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privilege....
Method 3 works perfect for me.
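A way to see the loader behaviour the answer above describes before touching a production binary, as an added example that is not part of this thread and not Splunk's code: the script below reads the DT_NEEDED, DT_RPATH and DT_RUNPATH entries of an ELF64 binary or shared object and resolves them twice, once with LD_LIBRARY_PATH honoured and once the way glibc's ld.so does it in secure-execution mode (AT_SECURE, which is set for setuid/setgid binaries and for binaries carrying file capabilities), where LD_LIBRARY_PATH and LD_PRELOAD are ignored and $ORIGIN entries in RPATH/RUNPATH are dropped for privileged programs. Whatever the second run lists is what will be missing after setcap. Assumptions: the ld.so cache is not parsed (the directories in /etc/ld.so.conf* stand in for it), only ELF64 little-endian files are handled, and the paths in the comments (/opt/splunk/lib, python2.6) are taken from the thread, not verified against a Splunk install.

```python
"""Which shared libraries a binary stops finding once it carries file
capabilities.  Added example: not Splunk's code and not part of this thread.
Assumed glibc ld.so behaviour: setuid/setgid binaries and binaries with file
capabilities run in secure-execution mode (AT_SECURE), where LD_LIBRARY_PATH and
LD_PRELOAD are ignored and $ORIGIN in DT_RPATH/DT_RUNPATH is dropped.  Only ELF64
little-endian files are parsed; /etc/ld.so.conf* directories stand in for the cache."""
import glob
import os
import struct
import sys

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ, DT_RPATH, DT_RUNPATH = 0, 1, 5, 10, 15, 29
DEFAULT_DIRS = ["/lib", "/usr/lib", "/lib64", "/usr/lib64"]

def split_path(value):
    """Colon-separated DT_RPATH/DT_RUNPATH string -> list of dirs; None -> []."""
    return [d for d in (value or "").split(":") if d]

def read_dynamic(path):
    """Return (needed, rpath, runpath) from an ELF64 file's dynamic section."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("%s is not an ELF64 little-endian file" % path)
    (phoff,) = struct.unpack_from("<Q", data, 32)           # e_phoff
    phentsize, phnum = struct.unpack_from("<HH", data, 54)  # e_phentsize, e_phnum
    loads, dynamic = [], None
    for i in range(phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_off + p_filesz)
    if dynamic is None:  # statically linked: nothing to resolve at load time
        return [], [], []

    def to_offset(vaddr):  # virtual address -> file offset, via the PT_LOAD map
        for v, o, size in loads:
            if v <= vaddr < v + size:
                return vaddr - v + o
        raise ValueError("address 0x%x lies in no PT_LOAD segment" % vaddr)

    entries, off = [], dynamic[0]
    while off + 16 <= dynamic[1]:
        tag, val = struct.unpack_from("<qQ", data, off)  # one Elf64_Dyn entry
        off += 16
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    tags = dict(entries)  # repeated tags collapse; only STRTAB/STRSZ are looked up
    base = to_offset(tags[DT_STRTAB])
    table = data[base:base + tags.get(DT_STRSZ, 0)]
    name = lambda idx: table[idx:].split(b"\0", 1)[0].decode()
    needed = [name(v) for t, v in entries if t == DT_NEEDED]
    rpath = ":".join(name(v) for t, v in entries if t == DT_RPATH)
    runpath = ":".join(name(v) for t, v in entries if t == DT_RUNPATH)
    return needed, split_path(rpath), split_path(runpath)

def ld_so_conf_dirs(conf="/etc/ld.so.conf"):
    """Directories listed in ld.so.conf and in the files it includes."""
    dirs = []
    for line in open(conf) if os.path.isfile(conf) else []:
        line = line.split("#", 1)[0].strip()
        if line.startswith("include "):
            for inc in sorted(glob.glob(line[8:].strip())):
                dirs += ld_so_conf_dirs(inc)
        elif line:
            dirs.append(line)
    return dirs

def search_dirs(rpath, runpath, secure, origin="", env_path=None, conf_dirs=None):
    """ld.so order, simplified: DT_RPATH (only without DT_RUNPATH), LD_LIBRARY_PATH
    (skipped in secure mode), DT_RUNPATH, ld.so.conf directories, built-in defaults."""
    def expand(dirs):  # $ORIGIN is refused for privileged programs, expanded otherwise
        return [d.replace("${ORIGIN}", origin).replace("$ORIGIN", origin)
                for d in dirs if not (secure and ("$ORIGIN" in d or "${ORIGIN}" in d))]
    dirs = [] if runpath else expand(rpath)
    if not secure and env_path:
        dirs += [d for d in env_path.split(":") if d]
    dirs += expand(runpath)
    dirs += ld_so_conf_dirs() if conf_dirs is None else conf_dirs
    return dirs + DEFAULT_DIRS

def missing_libraries(needed, dirs, exists=os.path.isfile):
    """Names in `needed` found in none of `dirs`; `exists` is injectable for testing."""
    return [lib for lib in needed if not any(exists(os.path.join(d, lib)) for d in dirs)]

def check_binary(path, secure=True, env_path=None):
    """Libraries `path` cannot load: as an ordinary process (secure=False) or with caps (secure=True)."""
    needed, rpath, runpath = read_dynamic(path)
    origin = os.path.dirname(os.path.abspath(path))
    return missing_libraries(needed, search_dirs(rpath, runpath, secure, origin, env_path))

if __name__ == "__main__":  # e.g. LD_LIBRARY_PATH=/opt/splunk/lib python check_secure_libs.py /opt/splunk/bin/python2.6
    env = os.environ.get("LD_LIBRARY_PATH")
    for secure in (False, True):
        print("secure=%s missing: %s" % (secure, check_binary(sys.argv[1], secure, env) or "none"))
```

Run it with Splunk's environment loaded against the binary you intend to setcap, and also against any extension module that pulls in further libraries (the ImportError in the question comes from lxml's etree module, which is what needs libxslt.so.1, so that .so is worth checking as well). The secure run reports an empty list only when every library is reachable without LD_LIBRARY_PATH, which is the condition a capability-bearing binary has to meet; adding the directory to /etc/ld.so.conf.d and running ldconfig is the usual way to get there, whether that is acceptable for a vendor-built install is a separate question.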
Easiest method I found was to use the iptables method of port redirection.
iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables-save
Then configure httpport = 8443 in web.conf
Yes, I did check that. Execution works flawlessly if I remove the capabilities permissions.
I did discover the capable_probe kernel module here[1], and I was able to discover that splunkd requests the permissions first. I modified splunkd permissions, and ran into the same issue, that splunkd no longer looked in /opt/splunk/lib for dynamic libraries.
However, splunkweb will not start, even when splunkd can find them. I opened a similar question with Ubuntu, 119518 [2] also.
[1] http://www.friedhoff.org/downloads.html
[2] https://answers.launchpad.net/ubuntu/+source/libcap2/+question/119158
Have you ensured that all files in the Splunk directory are owned and accessible by Splunk and not just by root?