Run universal forwarder in Docker as unprivileged account


I am trying to run the universal forwarder in OpenShift which by default doesn't allow containers to run with a privileged account.

I have read other threads related to this, but none of them provide a solution.

When I run the splunk universal forwarder image like so:
docker run --rm -it -u 1001 -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_PASSWORD=pwd -e SPLUNK_HOST=splunkhost:9997 -e SPLUNK_INDEX_NAME=sample splunk/universalforwarder:7.3-redhat

I get this output:

sh: /opt/container_artifact/splunk-container.state: Permission denied
ERROR: Couldn't read "/opt/splunkforwarder/etc/splunk-launch.conf" -- maybe $SPLUNK_HOME or $SPLUNK_ETC is set wrong?


You'll need to update your Makefile and rebuild your Docker image.

I've just recently answered a similar question that should help you:

0 Karma
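
Added example, not part of the original thread and not Splunk's own code: a POSIX shell check that walks each path from the error output and reports the first component whose owner, group and mode bits deny the given UID, which is the directory or file a rebuilt image would have to change. UID 1001 comes from the docker run command in the question; GID 0 and the function names class_bits and first_blocker are assumptions made for this example.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Access is judged from owner, group and
# mode bits only; POSIX ACLs, capabilities, SELinux and uid 0 are not modelled.
# Requires GNU coreutils stat (for -c).

# class_bits UID GID PATH -> prints the rwx digit (0-7) that applies to UID/GID
class_bits() (
  st=$(stat -L -c '%u %g %a' -- "$3" 2>/dev/null) || exit 2
  set -- "$1" "$2" $st          # now $3=owner uid, $4=owner gid, $5=octal mode
  mode=$(( $5 % 1000 ))         # drop the setuid/setgid/sticky digit
  if   [ "$1" = "$3" ]; then echo $(( mode / 100 ))
  elif [ "$2" = "$4" ]; then echo $(( mode / 10 % 10 ))
  else                       echo $(( mode % 10 ))
  fi
)

# first_blocker UID GID PATH NEED
# NEED is the access wanted on PATH itself (any of r, w, x, for example "wx");
# each parent directory needs x. Prints "ok" or the first failing component.
first_blocker() (
  uid=$1; gid=$2; rest=${3#/}; need=$4; cur=""
  while [ -n "$rest" ]; do
    part=${rest%%/*}
    cur="$cur/$part"
    if [ "$part" = "$rest" ]; then rest=""; want=$need
    else rest=${rest#*/}; want=x; fi
    bits=$(class_bits "$uid" "$gid" "$cur") || { echo "$cur: cannot stat"; exit 2; }
    for flag in r:4 w:2 x:1; do
      case $want in *"${flag%:*}"*) ;; *) continue ;; esac
      if [ $(( $bits & ${flag#*:} )) -eq 0 ]; then
        echo "$cur: uid=$uid gid=$gid lacks ${flag%:*}"
        exit 1
      fi
    done
  done
  echo ok
)

# Paths are the two from the error output; uid 1001 is from the docker run
# command; gid 0 is an assumption. Creating the .state file needs w and x on
# its directory. Runs only where the forwarder tree exists (inside the image).
if [ -d /opt/splunkforwarder ]; then
  first_blocker 1001 0 /opt/container_artifact wx
  first_blocker 1001 0 /opt/splunkforwarder/etc/splunk-launch.conf r
fi
```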