Splunk Enterprise installation fails using official docker image on kubernetes with "Login failed"

Explorer

We are trying to run Splunk Enterprise on Kubernetes. We have a Helm chart that uses the official docker image (currently 7.1.2). We are using the following env vars to initialize Splunk:

          env:
            - name: SPLUNK_START_ARGS
              value: "--accept-license --answer-yes --seed-passwd ourpassword"
            - name: SPLUNK_USER
              value: root
            - name: SPLUNK_ENABLE_LISTEN
              value: "9997"
            - name: SPLUNK_ADD
              value: tcp 1514

Splunk appears to start and displays the message

    Waiting for web server at http://127.0.0.1:8000 to be available..... Done


    If you get stuck, we're here to help.
    Look for answers here: http://docs.splunk.com

    The Splunk web interface is at http://container-name:8000

and then a moment later we get the message

    Login failed
    Stopping splunkd...
    Shutting down.  Please wait, as this may take a few minutes.
    ...
    Stopping splunk helpers...

    Done.

What login is failing? What do we need to do to correct this?

0 Karma
1 Solution

Communicator

It is a known issue - https://github.com/splunk/docker-splunk/issues/62
It has a hardcoded login and password, admin:changeme, which is used for several commands, including SPLUNK_ENABLE_LISTEN; see https://github.com/splunk/docker-splunk/blob/master/enterprise/entrypoint.sh#L103

Workarounds are:
1. Use changeme as a seed password.
2. Do not use environment variables for configuration.
3. Build your own image.
4. Wait a week to see what's new after .conf18 (there will be some announcements for the docker image).

New Member

My answer should be valid for Docker image version(s): splunk/splunk:7.3.3(-redhat)
I noticed this in entrypoint.sh and in the message during container startup, which led me to the "SPLUNK_PASSWORD" env var.

    then
        echo "WARNING: No password ENV var.  Stack may fail to provision if splunk.password is not set in ENV or a default.yml"
    fi

This set of environment variables worked for me:

      SPLUNK_START_ARGS: --accept-license --answer-yes
      SPLUNK_ENABLE_LISTEN: 9997
      SPLUNK_ADD: tcp 1514
      SPLUNK_USER: root
      #if custom admin password, env var required for >= 7.3.x
      SPLUNK_PASSWORD: your-custom-password
0 Karma
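
An added example, not from the thread or from the docker-splunk project: the variables from the answer above as a Kubernetes manifest, with `SPLUNK_PASSWORD` read from a Secret instead of being written into the pod spec. The Secret name `splunk-admin`, its key `password`, the Pod name `splunk` and the placeholder password are assumptions.

```yaml
# Added example. Secret name "splunk-admin", key "password" and Pod name
# "splunk" are assumptions; the password value is a placeholder.
apiVersion: v1
kind: Secret
metadata:
  name: splunk-admin
type: Opaque
stringData:
  password: REPLACE-WITH-ADMIN-PASSWORD
---
apiVersion: v1
kind: Pod
metadata:
  name: splunk
spec:
  containers:
    - name: splunk
      image: splunk/splunk:7.3.3
      env:
        # Names and values below are the ones posted in the answer above.
        - name: SPLUNK_START_ARGS
          value: "--accept-license --answer-yes"
        - name: SPLUNK_ENABLE_LISTEN
          value: "9997"
        - name: SPLUNK_ADD
          value: tcp 1514
        - name: SPLUNK_USER
          value: root
        # Weak form: a literal `value: your-custom-password` here ends up in
        # the chart, in version control and in `kubectl describe pod` output.
        # Corrected form: reference the Secret, so the manifest carries only
        # a pointer to the password.
        - name: SPLUNK_PASSWORD
          valueFrom:
            secretKeyRef:
              name: splunk-admin
              key: password
```

The password is still present in the container's process environment at runtime; the Secret reference only keeps it out of the manifest and the chart values.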

Explorer

I changed my config to

          env:
            - name: SPLUNK_START_ARGS
              value: "--accept-license --answer-yes --seed-passwd changeme"
            - name: SPLUNK_USER
              value: splunk
            - name: SPLUNK_ENABLE_LISTEN
              value: "9997"
            - name: SPLUNK_ADD
              value: tcp 1514

and everything started working

Motivator

Hey @ajna,

Can you try checking the internal logs of Splunk for any errors?
The path for it is: $SPLUNK_HOME$/var/log/splunk
You need to check splunkd.log

0 Karma

Explorer

I found this in the logs

AuthenticationManagerSplunk - Login failed. Incorrect login for user: admin
0 Karma