Installation

Issue with .RPM package to install splunk enterprise on Linux server

suryasrini
New Member

Hi

We are trying to deploy and install Splunk Enterprise edition. We have downloaded the .tgz file from the portal.
As per the procedure here, we are supposed to create an .rpm package of Splunk Enterprise edition, which should be installed through the tool SPUDs on the Splunk server.

We created the .rpm package, deployed it through SPUDS and installed it on the Splunk server successfully.

But the issue is that we are unable to start the Splunk services. When we tried, we got the warning message below:

[splunkuser@server:[IT] ~/splunk/bin]$ ./splunk start --accept-license
Warning: cannot create "/cr/splunkuser/splunk/var/log/splunk"
Warning: cannot create "/cr/splunkuser/splunk/var/log/introspection"
This appears to be your first time running this version of Splunk.
Could not open log file "/cr/splunkuser/splunk/var/log/splunk/first_install.log" for writing (13).

From what we understood, Splunk was installed as the root user; below is the reference.

drwx--x--- 6 root root 52 Sep 18 10:48 var

We would like to understand how to change the user from root to splunkuser after the Splunk installation in the script.

We do not have root permissions and are using the service account "splunkuser" with sudo, and we would like to install Splunk in the path

/cr/splunkuser

My colleague suggests changing the user from root to the service account in the post-installation portion of the script.
Please find below the .rpm script we wrote, and suggest where to change the user from root to splunkuser.

%pre
if [ $1 == 2 ];then
/cr/splunkuser/splunk/bin/splunk stop
fi

%install
rm -rf $RPM_BUILD_ROOT
pwd
mkdir -p $RPM_BUILD_ROOT
cp -Rp cs $RPM_BUILD_ROOT
exit 0

%post
if [ $1 == 1 ];then

/cr/splunkuser/splunk/bin/splunk start --accept-license
/cr/splunkuser/splunk/bin/splunk enable boot-start

fi

%preun
if [ $1 == 0 ];then
/cr/splunkuser/splunk/bin/splunk stop
fi

%postun

%posttrans

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,splunkuser,splunkuser ,-)
/cr/splunkuser/splunk

%doc

%changelog

Thanks & Regards
Srinivas

0 Karma

kgderrekchapin
Path Finder

To resolve an already installed directory you'll have to ask the system admin to chown -R splunkuser:splunk

For the future I would do one of two things.

1) Ask that a sudoers rule be put in place for the splunk user to "sudo yum install splunk"
2) Ask that the RPM file run a chown on the $RPM_BUILD_ROOT to splunkuser:splunk

Separately I would use a sudo command to start splunk as the splunk user for the first run and seed the password. You can find how to do that towards the bottom of this doc.

https://docs.splunk.com/Documentation/Splunk/7.3.1/Installation/StartSplunkforthefirsttime

Good Luck!

-Derrek

0 Karma
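The ownership fix and non-root first start suggested in the answer above, written out as a shell sketch of what a root-run %post scriptlet could do (an added example, not code from the thread or from Splunk). The install path, account and group follow the question's spec file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: hand the install tree to the service account, verify the
# result, then start Splunk as that account instead of as root.
# Path and account are taken from the question; function names are hypothetical.
SPLUNK_HOME="${SPLUNK_HOME:-/cr/splunkuser/splunk}"
SPLUNK_USER="${SPLUNK_USER:-splunkuser}"

# Print every path under $1 that is NOT owned by user $2 (name or numeric uid).
foreign_owned() {
    find "$1" ! -user "$2" -print
}

# Return 0 only if the tree exists and every path in it is owned by $2.
# Returns 2 if the tree is missing or cannot be scanned, 1 on wrong ownership.
preflight() {
    home=$1
    owner=$2
    [ -d "$home" ] || { echo "missing: $home" >&2; return 2; }
    bad=$(foreign_owned "$home" "$owner") || { echo "scan failed: $home" >&2; return 2; }
    if [ -n "$bad" ]; then
        echo "paths not owned by $owner (first 5):" >&2
        echo "$bad" | head -n 5 >&2
        return 1
    fi
    return 0
}

# Body for a %post scriptlet on first install ($1 == 1); rpm runs it as root.
post_install() {
    # The root-owned var/ directory from the question is what blocks log creation.
    chown -R "$SPLUNK_USER:$SPLUNK_USER" "$SPLUNK_HOME" || return 1
    preflight "$SPLUNK_HOME" "$SPLUNK_USER" || return 1
    # First start as the service account, so nothing new is created as root.
    su - "$SPLUNK_USER" -c "$SPLUNK_HOME/bin/splunk start --accept-license" || return 1
    # Boot-start is registered by root but told which account to run as.
    "$SPLUNK_HOME/bin/splunk" enable boot-start -user "$SPLUNK_USER"
}
```

Running `preflight /cr/splunkuser/splunk splunkuser` as the service account before the first start shows which paths are still owned by root without needing any privileges.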

Richfez
SplunkTrust

Well, first off I don't know that this is really a Splunk question. It's probably why you haven't gotten an answer yet.

But that's OK. 🙂

I'd ask the people responsible for making you follow this process:
- "Where is the RPM installation template for installing as root but chown'ing to a different user?"

You can't fix this because you don't have root permissions to run the chown that you need, so that rpm installation template ... "thing" ... needs to provide this capability.

I'm sure it's actually pretty easy, but my point is that they should have this solved already so there should be no reason you should have to go out and 'discover' your own solution for a chmod in that installer.

If it were me, and they plead that they don't know and that "it's your responsibility", I'd a) nicely raise it up to your boss, b) ask for an exception and c) start looking for a new job while you are still in good spirits before you get so burnt out from politics that you just rage quit one day.

0 Karma