Starting Splunk Universal Forwarder as non-root

leeraym
Path Finder

I've installed Splunk Universal Forwarder 4.2.1 on Solaris 10 (x86 and SPARC), but I can't get them to run as a non-root user. I followed the instructions at http://www.splunk.com/base/Documentation/latest/installation/RunSplunkasadifferentornon-rootuser to chown $SPLUNK_HOME and set the splunk user privs, but I get the following errors when trying to run Splunk as the splunk user:

$ id

uid=40104(splunk) gid=144(splunk)
$ /opt/splunkforwarder/bin/splunk start --accept-license

This appears to be your first time running this version of Splunk.
terminate called after throwing an instance of 'ConfPathHasNoWriter'
what(): Could not find writer for: /nobody/system/server/sslConfig [1] [/opt/splunkforwarder/etc]
Abort - core dumped

Splunk> Finding your faults, just like mom.

Checking prerequisites...
Checking mgmt port [8089]: open
Creating: /opt/splunkforwarder/var/lib/splunk
Creating: /opt/splunkforwarder/var/lib/splunk/appserver/i18n
Creating: /opt/splunkforwarder/var/lib/splunk/appserver/modules/static/css
Creating: /opt/splunkforwarder/var/run/splunk
Creating: /opt/splunkforwarder/var/run/splunk/upload
Creating: /opt/splunkforwarder/var/spool/splunk
Creating: /opt/splunkforwarder/var/spool/dirmoncache
Creating: /opt/splunkforwarder/var/lib/splunk/authDb
Creating: /opt/splunkforwarder/var/lib/splunk/hashDb
New certs have been generated in '/opt/splunkforwarder/etc/auth'.
terminate called after throwing an instance of 'ConfPathHasNoWriter'
what(): Could not find writer for: /nobody/system/server/sslConfig [1] [/opt/splunkforwarder/etc]
ERROR: pid 28316 terminated with signal 6 (core dumped)
Checking conf files for typos...
terminate called after throwing an instance of 'ConfPathHasNoWriter'
what(): Could not find writer for: /nobody/system/server/sslConfig [1] [/opt/splunkforwarder/etc]
ERROR: pid 28317 terminated with signal 6 (core dumped)
There might be typos in your conf files. For more information, run 'splunk btool check --debug'
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
terminate called after throwing an instance of 'ConfPathHasNoWriter'
what(): Could not find writer for: /nobody/system/server/general [1] [/opt/splunkforwarder/etc]
ERROR: pid 28325 terminated with signal 6 (core dumped)

Timed out waiting for splunkd to start.

Any ideas? I didn't have this problem when trying on an Ubuntu server with Splunk Universal Forwarder 4.2.

Thanks,
Ray


Ellen
Splunk Employee

This is a known issue (SPL-40616) in the Solaris Universal Forwarder package's setup with incorrect permissions being set. This was reported in the pkg under 4.2.2 and 4.2.3.

As indicated above, the workaround is to chmod $SPLUNK_HOME/etc/system from 555 to 755.

The fix will be addressed in a forthcoming maintenance release.

Reference to this can also be found in the Release Notes Known Issues

MuS
SplunkTrust

Hi leeraym

I have filed a bug report and this one is currently being processed @splunk. As soon as it's fixed I'll let you know.
btw what is your exact release version where this happened?

cheers

adamhmitchell
Engager

Ray (and all) - I was able to fix this issue today with chmod and still run the agent as 'splunk':

chmod +w /opt/splunkforwarder/etc/system

The error was this:

06-14-2011 16:01:45.163 -0400 ERROR BundlesUtil - Cannot create parent directory: /opt/splunkforwarder/etc/system/metadata: Permission denied

And the root problem was the permissions on the parent directory. It was owned by 'splunk' but wasn't writable:

bash-3.00$ ls -ld /opt/splunkforwarder/etc/system/

dr-xr-xr-x 7 splunk splunk 7 Jun 14 14:44 /opt/splunkforwarder/etc/system/

Hope it works for you too!

Adam
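
The permission problem described in the answers above can be checked for before the first start. This is an added example, not part of the original thread and not Splunk's own tooling: it lists directories under `etc` whose owner-write bit is clear (the 555 case) and anything not owned by the service user. The function names are hypothetical; the `splunk` account and `/opt/splunkforwarder` path are the ones used in the thread.

```shell
#!/bin/sh
# Added example: permission pre-flight for a forwarder run as a non-root user.
# The "splunk" account and /opt/splunkforwarder path are the ones in the thread;
# the function names are hypothetical.

# Directories under $1 whose owner-write bit is clear (for example mode 555).
find_readonly_dirs() {
    find "$1" -type d ! -perm -200 -print
}

# Files and directories under $1 that are not owned by user $2.
find_foreign_owned() {
    find "$1" ! -user "$2" -print
}

# Report both problems for the tree $1 and service user $2.
# Returns 0 when the tree is clean, 1 when anything was reported.
audit_forwarder_tree() {
    audit_rc=0
    readonly_dirs=$(find_readonly_dirs "$1/etc")
    if [ -n "$readonly_dirs" ]; then
        echo "Owner cannot create files in (fix with chmod u+w):"
        echo "$readonly_dirs" | sed 's/^/  /'
        audit_rc=1
    fi
    foreign=$(find_foreign_owned "$1" "$2")
    if [ -n "$foreign" ]; then
        echo "Not owned by $2 (fix with chown):"
        echo "$foreign" | sed 's/^/  /'
        audit_rc=1
    fi
    return "$audit_rc"
}

# Usage: sh audit.sh /opt/splunkforwarder [splunk]
if [ "$#" -ge 1 ]; then
    audit_forwarder_tree "$1" "${2:-splunk}"
fi
```

A non-zero exit status means the forwarder would hit the same write failure when started as the service user.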

viril
New Member

How to run splunk as non-root if boot-start is enabled?

If this is installed as non-root, how do you enable the boot-start?

0 Karma

adamhmitchell
Engager

I am also having this problem on Solaris 10.

Ray - did anyone ever get back to you?

Adam

0 Karma

leeraym
Path Finder

Hi Adam,

No answers so far. I just let it run as root since it wasn't really a big deal to me. Would be nice if I could have it run as splunk though.

Ray

0 Karma