I've installed Splunk Universal Forwarder 4.2.1 on Solaris 10 (x86 and SPARC), but I can't get them to run as a non-root user. I followed the instructions at http://www.splunk.com/base/Documentation/latest/installation/RunSplunkasadifferentornon-rootuser to chown $SPLUNK_HOME and set the splunk user privs, but I get the following errors when trying to run Splunk as the splunk user:
$ id
uid=40104(splunk) gid=144(splunk)
$ /opt/splunkforwarder/bin/splunk start --accept-license
This appears to be your first time running this version of Splunk.
terminate called after throwing an instance of 'ConfPathHasNoWriter'
what(): Could not find writer for: /nobody/system/server/sslConfig [1] [/opt/splunkforwarder/etc]
Abort - core dumped
Splunk> Finding your faults, just like mom.
Checking prerequisites...
Checking mgmt port [8089]: open
Creating: /opt/splunkforwarder/var/lib/splunk
Creating: /opt/splunkforwarder/var/lib/splunk/appserver/i18n
Creating: /opt/splunkforwarder/var/lib/splunk/appserver/modules/static/css
Creating: /opt/splunkforwarder/var/run/splunk
Creating: /opt/splunkforwarder/var/run/splunk/upload
Creating: /opt/splunkforwarder/var/spool/splunk
Creating: /opt/splunkforwarder/var/spool/dirmoncache
Creating: /opt/splunkforwarder/var/lib/splunk/authDb
Creating: /opt/splunkforwarder/var/lib/splunk/hashDb
New certs have been generated in '/opt/splunkforwarder/etc/auth'.
terminate called after throwing an instance of 'ConfPathHasNoWriter'
what(): Could not find writer for: /nobody/system/server/sslConfig [1] [/opt/splunkforwarder/etc]
ERROR: pid 28316 terminated with signal 6 (core dumped)
Checking conf files for typos...
terminate called after throwing an instance of 'ConfPathHasNoWriter'
what(): Could not find writer for: /nobody/system/server/sslConfig [1] [/opt/splunkforwarder/etc]
ERROR: pid 28317 terminated with signal 6 (core dumped)
There might be typos in your conf files. For more information, run 'splunk btool check --debug'
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
terminate called after throwing an instance of 'ConfPathHasNoWriter'
what(): Could not find writer for: /nobody/system/server/general [1] [/opt/splunkforwarder/etc]
ERROR: pid 28325 terminated with signal 6 (core dumped)
Timed out waiting for splunkd to start.
Any ideas? I didn't have this problem when trying on an Ubuntu server with Splunk Universal Forwarder 4.2.
Thanks,
Ray
This is a known issue (SPL-40616) in the Solaris Universal Forwarder package's setup with incorrect permissions being set. This was reported in the pkg under 4.2.2 and 4.2.3.
As indicated above, the workaround is to chmod for $SPLUNK_HOME/etc/system from 555 to 755.
The fix will be addressed in a forthcoming maintenance release.
Reference to this can also be found in the Release Notes Known Issues.
Hi leeraym
I have filed a bug report and this one is currently being processed @splunk. As soon as it's fixed I'll let you know.
btw what is your exact release version where this happened?
cheers
Ray (and all) - I was able to fix this issue today with chmod and still run the agent as 'splunk':
chmod +w /opt/splunkforwarder/etc/system
The error was this:
06-14-2011 16:01:45.163 -0400 ERROR BundlesUtil - Cannot create parent directory: /opt/splunkforwarder/etc/system/metadata: Permission denied
And the root problem was the permissions on the parent directory. It was owned by 'splunk' but wasn't writable:
bash-3.00$ ls -ld /opt/splunkforwarder/etc/system/
dr-xr-xr-x 7 splunk splunk 7 Jun 14 14:44 /opt/splunkforwarder/etc/system/
Hope it works for you too!
Adam
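The check described in the answer above, generalized from etc/system to the whole forwarder tree, as an added example that is not part of the original posts and is not Splunk tooling. The path and account defaults come from the thread; the script and function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Splunk's code. Audits a forwarder tree for the failure
# mode in this thread: directories the service account owns but cannot write.
# Path and account defaults come from the thread; function names are made up.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"

# Directories under $1 owned by user $2 that lack the owner-write bit.
# Octal 200 is u+w, so "! -perm -200" matches modes such as 555 (dr-xr-xr-x).
find_unwritable_dirs() {
    find "$1" -type d -user "$2" ! -perm -200 -print 2>/dev/null
}

# Directories under $1 NOT owned by user $2: the chown step was incomplete,
# and chmod alone will not help there.
find_foreign_dirs() {
    find "$1" -type d ! -user "$2" -print 2>/dev/null
}

# Add only the owner-write bit (555 becomes 755). Group and other bits are
# left alone, so nothing becomes writable by anyone except the owner.
fix_unwritable_dirs() {
    find "$1" -type d -user "$2" ! -perm -200 -exec chmod u+w {} \; 2>/dev/null
}

# Usage: sh check_splunk_perms.sh audit|fix  (no argument: define functions only)
case "${1:-}" in
    audit)
        echo "Owned by $SPLUNK_USER but not owner-writable:"
        find_unwritable_dirs "$SPLUNK_HOME" "$SPLUNK_USER"
        echo "Not owned by $SPLUNK_USER:"
        find_foreign_dirs "$SPLUNK_HOME" "$SPLUNK_USER"
        ;;
    fix)
        fix_unwritable_dirs "$SPLUNK_HOME" "$SPLUNK_USER"
        ;;
esac
```

Run `audit` first and review the list before `fix`, since `fix` changes every directory the audit reports, not only etc/system.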
How to run splunk as non-root if boot-start is enabled? If this is installed as non-root, how do you enable the boot-start?
I am also having this problem on Solaris 10.
Ray - did anyone ever get back to you?
Adam
Hi Adam,
No answers so far. I just let it run as root since it wasn't really a big deal to me. Would be nice if I could have it run as splunk though.
Ray