
Why is my installation script running Splunk as root instead of the new "splunk" user I created?

Federica_92
Communicator

Hi everyone,

I created a script to install the splunkforwarder on the clients.
The script is called on the main indexer and manages all the clients, but I'm logged in using ssh as root, so:

root@x.x.x.x

During the execution of the script, I'm creating a new user "splunk":

adduser splunk

and I assign the owner permissions of Splunk at the user:

chown -hR splunk /opt/splunk

Next I stop splunk and I do:

sudo -i -u splunk 

to access as the new user, and then I restart Splunk.
Executing the command whoami, I'm still running Splunk as root. I have tried to execute all the same commands manually, from the terminal, and they were working correctly.
I think there is some trouble changing the user, as in the last comment above.
What can I do?
Let me know, thank you

0 Karma

jeffland
SplunkTrust

Ideally, you would make your script untar the package, create a user (or the other way round), chown the new directory to the user before starting splunk for the first time, start splunk as the new user with something like the already mentioned sudo -H -u splunk $SPLUNK_HOME/bin/splunk start --accept-license, and set the autostart to use that user as well with $SPLUNK_HOME/bin/splunk enable boot-start -user splunk - see here and here for docs.

Federica_92
Communicator

sudo -H -u splunk is not working : (

I've already added

$SPLUNK_HOME/bin/splunk enable boot-start -user splunk
$SPLUNK_HOME/bin/splunk start --accept-license

But it seems like it's not changing user.

0 Karma

jeffland
SplunkTrust

You are doing this on a new machine, right?

I've done the above steps many times, and it works like a charm. Just don't start splunk while the directory is not yet owned by the splunk user and don't start it as root. Actually, I've always used su splunk for that, never that command (but it is mentioned in the docs so it should work - but see the notice about what the command assumes in the first link above).

0 Karma

woodcock
Esteemed Legend

The command whoami does not do what you think it does. It just says "what user identity am I using right now", not "what user is the process running". You need to do this:

ps -ef | grep splunkd

You should see something like this:

splunk    17145     1  1 Jul29 ?        01:21:01 splunkd -p 8089 restart

But if that is not the problem...

This all looks correct and, as you say, it works when you run it manually. So the problem has to be in your script (duh!). Are you checking all error codes after each step ($?)? Are you using the full path name for each command (eg. /usr/sbin/useradd, not just useradd)? Are you certain that your update script is being run as user root (you can check this as the first thing the script does)?

0 Karma
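
The steps jeffland lists and the checks woodcock asks for (is the script really running as root, does every step's exit code get checked, and who owns splunkd according to ps rather than whoami), collected into one POSIX sh script. This is an added example, not code from the thread; SPLUNK_HOME, the "splunk" user and the ps sample are assumptions, and the sample output is constructed.

```sh
#!/bin/sh
# Added example, not from the thread. SPLUNK_HOME, the "splunk" user and SAMPLE_PS are assumptions.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# whoami only reports the shell's own identity, so check it once, up front, and refuse to continue unprivileged.
require_root() {
  [ "$(id -u)" -eq 0 ] || { echo "must run as root, not $(id -un)" >&2; return 1; }
}

# Run one step and report its exit code instead of silently carrying on (the "$?" check woodcock asks about).
step() {
  "$@" && return 0
  rc=$?
  echo "step failed (exit $rc): $*" >&2
  return "$rc"
}

# The check that matters: which user owns the splunkd process? Reads "ps -eo user,pid,comm" output on stdin,
# prints the owner, and returns 1 when no splunkd is running at all (e.g. the stop worked but the start failed).
splunkd_owner() {
  awk '$3 == "splunkd" { print $1; found = 1; exit } END { exit !found }'
}

# Constructed ps output for demonstration: a forwarder that was started as the splunk user.
SAMPLE_PS='USER       PID COMMAND
root         1 systemd
splunk   17145 splunkd
root     17201 sshd'

install_as_splunk() {
  step require_root || return 1
  id splunk >/dev/null 2>&1 || step useradd splunk || return 1
  step chown -R splunk:splunk "$SPLUNK_HOME" || return 1
  step "$SPLUNK_HOME/bin/splunk" stop || return 1
  # -H sets HOME to the splunk user's home, so splunk does not try to create /root/.splunk
  step sudo -H -u splunk "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt || return 1
  owner=$(ps -eo user,pid,comm | splunkd_owner) || { echo "splunkd is not running" >&2; return 1; }
  [ "$owner" = "splunk" ] || { echo "splunkd is running as $owner, not splunk" >&2; return 1; }
  echo "splunkd is running as $owner"
}

# Run the install only when asked, so the file can also be sourced for its functions.
if [ "${RUN_INSTALL:-0}" = "1" ]; then install_as_splunk; fi
```

Run it as root with RUN_INSTALL=1 on a fresh host; splunkd_owner on its own (ps -eo user,pid,comm | splunkd_owner) is the quick check to repeat after every stop and start.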

woodcock
Esteemed Legend

Your last 2 commands should be this instead:

sudo -u splunk /opt/splunk/bin/splunk start

0 Karma

Federica_92
Communicator

I tried to use this last command, but when I use

ps -ef | grep splunkd

it's running under root again.

0 Karma

woodcock
Esteemed Legend

Run the ps -ef command after you do the stop command; maybe the stop command is failing. Are you checking return codes after each step?

0 Karma

Federica_92
Communicator

Ok, so your system is working fine if I'm not using ssh. If I log in using ssh, it's not changing user.
I have another question, during the installation I have this error:
Can't create directory "/root/.splunk": Permission denied

I think it's still related to the user, do you have any ideas why?

Thank you so much for your help : )

0 Karma

woodcock
Esteemed Legend

What do you mean by "installation"? Are you using a tarball? What is your installation command? Why are we being so vague? Just list out exactly what is in your script, line-by-line and maybe we can get somewhere.

0 Karma

Federica_92
Communicator

Yes, sorry, this is the script:

#!/bin/sh
# Installs the universal forwarder and registers it with the deployment server passed as $1.
# The script doesn't require the creation of a public ssh key pair.
# After installation, the forwarder will become a deployment client of the passed argument $1.
# Specify the host and management (not web) port of the deployment server
# that will be managing these forwarder instances.
INSTALL_FILE="splunkforwarder-6.2.3-264376-Linux-x86_64.tgz"
DEPLOY_SERVER="$1"
DOWNLOAD_URL="http://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=Linux&version=6.2.3&product=universalforwarder&filename=$INSTALL_FILE&wget=true"

# outputs.conf (double quotes so that $DEPLOY_SERVER is expanded; printf '%b' turns the \n into newlines)
OUTPUTS="[tcpout]\n\
defaultGroup = default-autolb-group\n\n\
[tcpout:default-autolb-group]\n\
server = $DEPLOY_SERVER:9997\n\n\
[tcpout-server://$DEPLOY_SERVER:9997]\n"
# inputs.conf: the inputs to monitor need to be changed
INPUTS="[monitor:///var/log/*]\n\
sourcetype = syslog\n\
host_segment = 3\n\
index = test\n\n\
[monitor:///var/log/messages]\n\
sourcetype = syslog\n\
host_segment = 3\n\
index = test\n\n\
[monitor:///var/log/lastlog]\n\
sourcetype = syslog\n\
host_segment = 3\n\
index = test\n\n"

echo 'checking network...'
if wget -q -O /dev/null "$DOWNLOAD_URL"; then
  wget -O "$INSTALL_FILE" "$DOWNLOAD_URL" > /dev/null
  tar xvzf "$INSTALL_FILE" -C /opt
  useradd splunk
  chown -R splunk /opt
  chown -hR splunk /var   # hands every file under /var to the splunk user, far broader than the forwarder needs
  /opt/splunkforwarder/bin/splunk enable boot-start -user splunk --no-prompt --accept-license --answer-yes
  sudo -u splunk /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto-ports --no-prompt
  # everything below still runs as root (no sudo -u splunk), so the files it writes under /opt/splunkforwarder are root-owned
  /opt/splunkforwarder/bin/splunk set deploy-poll "$DEPLOY_SERVER:8089" --accept-license --answer-yes --auto-ports --no-prompt -auth admin:changeme
  cd /opt/splunkforwarder/etc/system/local/ && touch inputs.conf outputs.conf
  printf '%b' "$OUTPUTS" > outputs.conf
  printf '%b' "$INPUTS" > inputs.conf
  /opt/splunkforwarder/bin/splunk restart   # also runs as root, so the restarted splunkd is owned by root
else
  echo 'Seems that your machine is not connected to the internet; before proceeding be sure that the installation file is on your machine'
fi

echo "---------------------------"
echo "Done"

0 Karma

Federica_92
Communicator

I tried the command and splunk is actually running as root : (
I'm typing adduser splunk, nothing else, and I'm executing only one step:

root@x.x.x.x "command list"

where in command list there are:

useradd splunk
chown -hR splunk /opt/splunk
/opt/splunk/bin stop
sudo -i -u splunk
/opt/splunk/bin start

So I dunno what's wrong, and thank you for the help

0 Karma