Getting Data In

Run universal forwarder in Docker as unprivileged account

adamstortz
Engager

I am trying to run the universal forwarder in OpenShift which by default doesn't allow containers to run with a privileged account.

I have read other threads related to this, but none of them provide a solution.

When I run the splunk universal forwarder image like so:
docker run --rm -it -u 1001 -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_PASSWORD=pwd -e SPLUNK_HOST=splunkhost:9997 -e SPLUNK_INDEX_NAME=sample splunk/universalforwarder:7.3-redhat

I get this output:

sh: /opt/container_artifact/splunk-container.state: Permission denied
ERROR: Couldn't read "/opt/splunkforwarder/etc/splunk-launch.conf" -- maybe $SPLUNK_HOME or $SPLUNK_ETC is set wrong?

Tags (2)

codebuilder
Influencer

You'll need to update your Makefile and rebuild your Docker image.

I've just recently answered a similar question that should help you:

https://answers.splunk.com/answers/789462/docker-image-search-cluster-configuration-fails-in.html?ch...

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Get Updates on the Splunk Community!

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...