Why is my installation script running Splunk as root instead of the new "splunk" user I created?

Communicator

Hi everyone,

I created a script to install the splunkforwarder on the clients.
The script is called on the main indexer and manages all the clients, but I'm logged in using ssh as root, so:

root@x.x.x.x

During the execution of the script, I'm creating a new user "splunk":

adduser splunk

and I assign ownership of the Splunk directory to that user:

chown -hR splunk /opt/splunk

Next I stop splunk and I do:

sudo -i -u splunk 

to switch to the new user, and then I restart Splunk.
Executing the command whoami, I'm still running Splunk as root. I have tried to execute all the same commands manually, from the terminal, and they were working correctly.
I think there is some trouble changing the user, as in the last command above.
What can I do?
Let me know, thank you

0 Karma

Re: Why is my installation script running Splunk as root instead of the new "splunk" user I created?

Esteemed Legend

The command whoami does not do what you think it does. It just says "what user identity am I using right now", not "what user is the process running as". You need to do this:

ps -ef | grep splunkd

You should see something like this:

splunk    17145     1  1 Jul29 ?        01:21:01 splunkd -p 8089 restart

But if that is not the problem...

This all looks correct and, as you say, it works when you run it manually. So the problem has to be in your script (duh!). Are you checking all error codes after each step ($?)? Are you using the full path name for each command (e.g. /usr/sbin/useradd, not just useradd)? Are you certain that your update script is being run as user root (you can check this as the first thing the script does)?

0 Karma

Re: Why is my installation script running Splunk as root instead of the new "splunk" user I created?

Communicator

I tried the command and splunk is actually running as root :(
I'm typing adduser splunk, nothing else, and I'm executing only one step:

  root@x.x.x.x "command list"

where the command list contains:

useradd splunk
chown -hR splunk /opt/splunk
/opt/splunk/bin stop
sudo -i -u splunk
/opt/splunk/bin start

So I dunno what's wrong, and thank you for the help

0 Karma

Re: Why is my installation script running Splunk as root instead of the new "splunk" user I created?

Esteemed Legend

Your last 2 commands should be this instead:

  sudo -u splunk /opt/splunk/bin/splunk start

0 Karma

Re: Why is my installation script running Splunk as root instead of the new "splunk" user I created?

Communicator

I tried to use this last command, but when I run

  ps -ef | grep splunkd

it's running under root again.

0 Karma

Re: Why is my installation script running Splunk as root instead of the new "splunk" user I created?

Esteemed Legend

Run the ps -ef command after you do the stop command; maybe the stop command is failing. Are you checking return codes after each step?

0 Karma

Re: Why is my installation script running Splunk as root instead of the new "splunk" user I created?

Communicator

Ok, so your solution is working fine if I'm not using ssh; if I log in using ssh, it's not changing user.
I have another question: during the installation I get this error:

  Can't create directory "/root/.splunk": Permission denied

I think it's still related to the user, do you have any ideas why?

Thank you so much for your help : )

0 Karma

Re: Why is my installation script running Splunk as root instead of the new "splunk" user I created?

Esteemed Legend

What do you mean by "installation"? Are you using a tarball? What is your installation command? Why are we being so vague? Just list out exactly what is in your script, line-by-line and maybe we can get somewhere.

0 Karma

Re: Why is my installation script running Splunk as root instead of the new "splunk" user I created?

Communicator

Yes, sorry, this is the script:

#!/bin/sh
# Installs the Splunk universal forwarder, runs it as the "splunk" user and
# makes it a deployment client of the server passed as $1 (management port,
# not web port). The script doesn't require the creation of an ssh key pair.
# set -e stops on the first failing step instead of silently carrying on.
set -eu

INSTALL_FILE="splunkforwarder-6.2.3-264376-Linux-x86_64.tgz"
DOWNLOAD_URL="http://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=Linux&version=6.2.3&product=universalforwarder&filename=${INSTALL_FILE}&wget=true"
SPLUNK_HOME=/opt/splunkforwarder
SPLUNK_USER=splunk

# Host and management (not web) port of the deployment server
# that will be managing these forwarder instances.
DEPLOY_SERVER="$1"

echo 'checking network...'
if wget -q -O "$INSTALL_FILE" "$DOWNLOAD_URL"; then
    tar xzf "$INSTALL_FILE" -C /opt

    # create the service account once; a second run must not fail here
    id "$SPLUNK_USER" >/dev/null 2>&1 || /usr/sbin/useradd "$SPLUNK_USER"
    # the original chowned all of /opt and /var recursively; only the forwarder
    # tree needs to belong to the service account (the monitored files under
    # /var/log must still be readable by it)
    chown -R "$SPLUNK_USER" "$SPLUNK_HOME"

    # boot-start is configured as root; -user makes init start splunkd as splunk
    "$SPLUNK_HOME/bin/splunk" enable boot-start -user "$SPLUNK_USER" --no-prompt --accept-license --answer-yes

    # -H resets HOME, otherwise the CLI tries to create /root/.splunk as the splunk user
    sudo -H -u "$SPLUNK_USER" "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --auto-ports --no-prompt
    sudo -H -u "$SPLUNK_USER" "$SPLUNK_HOME/bin/splunk" set deploy-poll "$DEPLOY_SERVER:8089" -auth admin:changeme

    # outputs.conf
    cat > "$SPLUNK_HOME/etc/system/local/outputs.conf" <<EOF
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = $DEPLOY_SERVER:9997

[tcpout-server://$DEPLOY_SERVER:9997]
EOF

    # inputs.conf: inputs to monitor, change as needed
    cat > "$SPLUNK_HOME/etc/system/local/inputs.conf" <<'EOF'
[monitor:///var/log/*]
sourcetype = syslog
host_segment = 3
index = test

[monitor:///var/log/messages]
sourcetype = syslog
host_segment = 3
index = test

[monitor:///var/log/lastlog]
sourcetype = syslog
host_segment = 3
index = test
EOF
    chown "$SPLUNK_USER" "$SPLUNK_HOME/etc/system/local/"*.conf

    # restart as the service account as well: a plain restart here, run by root,
    # is what brings splunkd back up as root
    sudo -H -u "$SPLUNK_USER" "$SPLUNK_HOME/bin/splunk" restart
else
    echo 'Seems that your machine is not connected to the internet; before proceeding, be sure that the installation file is on your machine'
fi

echo "---------------------------"
echo "Done"
0 Karma

Re: Why is my installation script running Splunk as root instead of the new "splunk" user I created?

Champion

Ideally, you would make your script untar the package, create a user (or the other way round), chown the new directory to the user before starting splunk for the first time, start splunk as the new user with something like the already mentioned sudo -H -u splunk $SPLUNK_HOME/bin/splunk start --accept-license, and set the autostart to use that user as well with $SPLUNK_HOME/bin/splunk enable boot-start -user splunk - see here and here for docs.
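As an added example (not code from the thread or from Splunk), this is the order the reply above recommends, with the script stopping on any failing step and finishing by checking the owner of the splunkd process the way the earlier ps -ef answer does. SPLUNK_HOME, the function names and the ps sample lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example: install in the recommended order and verify the service user.
set -eu

SPLUNK_HOME=/opt/splunkforwarder   # assumed install location
SPLUNK_USER=splunk

# Print the user that owns splunkd, reading `ps -ef` output from stdin.
# Field 8 of ps -ef is the command, so "grep splunkd" lines are ignored.
splunkd_owner() {
    awk '$8 ~ /(^|\/)splunkd$/ { print $1; exit }'
}

# Fail unless splunkd runs as the user given in $1 (ps -ef output on stdin).
assert_splunkd_user() {
    owner=$(splunkd_owner)
    if [ "$owner" != "$1" ]; then
        echo "splunkd is running as '${owner:-<none>}', expected '$1'" >&2
        return 1
    fi
}

# $1 = forwarder tarball, $2 = deployment server host, $3 = admin password
install_forwarder() {
    tarball=$1; deploy_server=$2; admin_pw=$3
    id "$SPLUNK_USER" >/dev/null 2>&1 || /usr/sbin/useradd -r "$SPLUNK_USER"
    tar xzf "$tarball" -C /opt
    chown -R "$SPLUNK_USER" "$SPLUNK_HOME"   # only the forwarder tree, not all of /opt
    # -H gives the CLI the service account's HOME instead of /root/.splunk
    sudo -H -u "$SPLUNK_USER" "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
    sudo -H -u "$SPLUNK_USER" "$SPLUNK_HOME/bin/splunk" set deploy-poll "$deploy_server:8089" -auth "admin:$admin_pw"
    # the one root-only step: register the init script, but have it start splunkd as splunk
    "$SPLUNK_HOME/bin/splunk" enable boot-start -user "$SPLUNK_USER" --accept-license --answer-yes --no-prompt
    # whoami would say root here; the process table is what matters
    ps -ef | assert_splunkd_user "$SPLUNK_USER"
}

# usage (not run automatically): install_forwarder ./splunkforwarder.tgz deploy.example.internal 'new-admin-password'
```

Run the last line's check on its own at any time to confirm which account splunkd is under after a stop/start.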