I am trying to run the universal forwarder in OpenShift, which by default doesn't allow containers to run with a privileged account.
I have read other threads related to this, but none of them provide a solution.
When I run the Splunk universal forwarder image like so:
docker run --rm -it -u 1001 -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_PASSWORD=pwd -e SPLUNK_HOST=splunkhost:9997 -e SPLUNK_INDEX_NAME=sample splunk/universalforwarder:7.3-redhat
I get this output:
sh: /opt/container_artifact/splunk-container.state: Permission denied
ERROR: Couldn't read "/opt/splunkforwarder/etc/splunk-launch.conf" -- maybe $SPLUNK_HOME or $SPLUNK_ETC is set wrong?
You'll need to update your Makefile and rebuild your Docker image.
I've just recently answered a similar question that should help you: