Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is deployment of new indexes.conf via serverclass setting incorrect group ID in NIS+ environment?

pkeller
Contributor
‎08-26-2014 12:34 PM

I'm using splunk 6.1.3 with a deployment server.
I distribute indexes.conf to my indexers via an indexer serverclass.

When the deployment client receives the updated indexes.conf, the client creates the new directory ... ie: /indexes/test/colddb and /indexes/test/db

The problem though, is that while the owner of those directories is the right user (splunk), the group affinity is always root, and that index is not writeable until I manually change it to the default group that splunk is associated with.

This is a NIS+ environment and I'm wondering if that's causing me a problem. I have added the splunk user to /etc/passwd and the associated group to the /etc/group file ... but the problem still persists.

total 16
drwx------ 4 splunk root 4096 Aug 26 19:23 .
drwxr-xr-x 7 splunk service 4096 Aug 26 19:23 ..
drwx------ 2 splunk root 4096 Aug 26 19:23 colddb
drwx------ 3 splunk root 4096 Aug 26 19:23 db

Is there an issue with Splunk being able to operate in a NIS+ environment?

Thank you.

0 Karma
Reply

pkeller
Contributor
‎08-26-2014 03:17 PM

Ok ... So this appears to have nothing to do with NIS+ but more to do with the way 'enable boot-start -user splunk' sets up init.d/splunk. splunk-launch.conf specifies the user that Splunk will run as, but I believe that because 'service splunk start' gets executed as root, the effective group ID that gets set at startup time is root ...

I have no problem if I run: sudo -u splunk $SPLUNK_HOME/bin/splunk start
Or, if I modify /etc/init.d/splunk to precede the start/stop/status and restart commands with:

/bin/su - splunk -c ... ie:

/bin/su - splunk -c "/apps/splunk/bin/splunk stop"

I would consider this a bug though. Not sure how others feel about that.

0 Karma
Reply

jrodman
Splunk Employee
Splunk Employee
‎12-18-2014 04:32 PM

Yes, this is a defect in early 6.1.x with how the SPLUNK_OS_USER feature was implemented. It has been fixed in current releases.

Essentially, if $SPLUNK_HOME/etc/splunk-launch.conf says the user should be 'splunk' but you run it as root, it tries to become splunk user. There was a flaw in how this was done that has been remedied.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...