
What is ExecStartPost in systemd unit intended for?

schose
Builder

Hi all,

When creating a systemd unit file for an old UF (<9.1) using "splunk enable boot-start -systemd-managed 1 -user .. "

a systemd file is created with content:

[Service]
ExecStartPost=/bin/bash -c "chown -R splunkfwd:splunkfwd /sys/fs/cgroup/cpu/system.slice/%n" 
ExecStartPost=/bin/bash -c "chown -R splunkfwd:splunkfwd /sys/fs/cgroup/memory/system.slice/%n"

This is also documented in here:

https://help.splunk.com/en/splunk-enterprise/forward-and-process-data/universal-forwarder-manual/9.4...

In "Reference unit file template". 

Does anyone have an idea why this is done? The paths are using cgroupv1, which only exists on old Linux systems; on up-to-date systems this chown fails, but the service starts anyway.
When creating a systemd config with recent UFs these ExecStartPost Parameters are not set anymore. 

BUT when installing Splunk Enterprise this line is set in systemd unit

ExecStartPost=-/bin/bash -c "chown -R splunk:splunk /sys/fs/cgroup/system.slice/%n"

AFAIK splunk core uses cgroups for Workspace Management, but not on UF.

Is the reference unit file template for UF just old & false and the settings never made sense, or is there any good reason?

thanks for your help and best regards,

Andreas

0 Karma

livehybrid
SplunkTrust

Hi @schose 

I believe that WLM configuration existed (but not supported/fully implemented) in UF <9.x (You can confirm exact versions by checking for existence of workload_policy.conf, workload_pools.conf & workload_rules.conf files). 

This led to SPL-224264 which caused some failures starting UF 9.x when upgrading from 8.x where the startup script contained the ExecStartPost commands you referenced. 

I believe this should be fixed in a later 9.0.x and 9.1.x version but cannot find the exact version at the moment. 

As a workaround for this, users should disable and re-enable boot-start.

I have also submitted feedback regarding the Reference unit file template in the docs, which obviously hasn't been updated to reflect the change when they removed the WLM configurations from UF.


PrewinThomas
Motivator

@schose 

I think Splunk might have used the same template for Enterprise and UF in older versions. This setting is mainly for the workload management feature in Splunk Enterprise, which is not relevant for UF.

That's the reason I think they have removed it on newer UFs.

Also, if you are still using any older UFs, removing those lines or commenting them out can suppress the errors it throws.

Regards,
Prewin

0 Karma
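
To check an existing unit file for the mismatch discussed in this thread, here is an added example (not from any poster and not Splunk's own tooling) that classifies each ExecStartPost chown line by cgroup layout and by whether it carries the "-" prefix that makes systemd treat a failing command as success. The function names, the output format and the rule that any path outside /sys/fs/cgroup/system.slice/ counts as cgroup v1 are assumptions; the sample unit is constructed from the lines quoted above.

```shell
# Added example: audit ExecStartPost chown lines against the host cgroup layout.

# Print "v2" for a unified hierarchy, "v1" for per-controller dirs, else "unknown".
# $1 is the cgroup mount point (default /sys/fs/cgroup); overridable for testing.
cgroup_mode() {
    local root="${1:-/sys/fs/cgroup}"
    if [ -f "$root/cgroup.controllers" ]; then echo v2
    elif [ -d "$root/cpu" ] || [ -d "$root/memory" ]; then echo v1
    else echo unknown
    fi
}

# For every ExecStartPost line in unit file $1 that chowns under /sys/fs/cgroup,
# print: <OK|MISMATCH> layout=<v1|v2> ignore_failure=<yes|no> <path>
# $2 is the host mode as printed by cgroup_mode.
audit_unit() {
    local unit="$1" host="$2" line cmd path layout ignore verdict q='"'
    while IFS= read -r line; do
        case "$line" in ExecStartPost=*chown*/sys/fs/cgroup/*) ;; *) continue ;; esac
        cmd="${line#ExecStartPost=}"
        # A leading "-" tells systemd to treat a failing command as success.
        case "$cmd" in -*) ignore=yes ;; *) ignore=no ;; esac
        path="/sys/fs/cgroup/${cmd#*/sys/fs/cgroup/}"
        path="${path%%$q*}"   # drop the closing quote of the bash -c argument
        # Assumption: v1 paths name a controller (cpu, memory) before the slice.
        case "$path" in
            /sys/fs/cgroup/system.slice/*) layout=v2 ;;
            *) layout=v1 ;;
        esac
        if [ "$layout" = "$host" ]; then verdict=OK; else verdict=MISMATCH; fi
        echo "$verdict layout=$layout ignore_failure=$ignore $path"
    done < "$unit"
}

# Constructed sample: the lines quoted in the thread, written to a temp file.
sample_unit() {
    local f; f="$(mktemp)"
    cat > "$f" <<'EOF'
[Service]
ExecStartPost=/bin/bash -c "chown -R splunkfwd:splunkfwd /sys/fs/cgroup/cpu/system.slice/%n"
ExecStartPost=/bin/bash -c "chown -R splunkfwd:splunkfwd /sys/fs/cgroup/memory/system.slice/%n"
ExecStartPost=-/bin/bash -c "chown -R splunk:splunk /sys/fs/cgroup/system.slice/%n"
EOF
    echo "$f"
}

u="$(sample_unit)"; audit_unit "$u" v2; rm -f "$u"
```

On a real host, pass the unit file path and "$(cgroup_mode)" as the two arguments to audit_unit.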