Getting Data In

Run universal forwarder in Docker as unprivileged account

Engager

I am trying to run the universal forwarder in OpenShift which by default doesn't allow containers to run with a privileged account.

I have read other threads related to this, but none of them provide a solution.

When I run the splunk universal forwarder image like so:
docker run --rm -it -u 1001 -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_PASSWORD=pwd -e SPLUNK_HOST=splunkhost:9997 -e SPLUNK_INDEX_NAME=sample splunk/universalforwarder:7.3-redhat

I get this output:

sh: /opt/container_artifact/splunk-container.state: Permission denied
ERROR: Couldn't read "/opt/splunkforwarder/etc/splunk-launch.conf" -- maybe $SPLUNK_HOME or $SPLUNK_ETC is set wrong?

Tags (2)

Motivator

You'll need to update your Makefile and rebuild your Docker image.

I've just recently answered a similar question that should help you:

https://answers.splunk.com/answers/789462/docker-image-search-cluster-configuration-fails-in.html?ch...

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!