Splunk SOAR
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I can not install phantom using ./soar-install

sidnakvee
Explorer
‎11-09-2024 06:17 PM

Hi !

 

I am stuck for my home lab trying to install phantom on VM . All steps for soar-prep competed fine but then I tried ./soar-install seeing errors like :

Error: Cannot run as the root user
Error: The install directory (/opt/phantom) is not owned by the installation owner (root)
Pre-deploy checks failed with errors

 

Directory has root access with all folders in it image attched .

 {"component": "installation_log", "time": "2024-11-10T02:02:56.071875", "logger": "install.deployments.deployment", "pid": 2005, "level": "ERROR", "file": "/opt/phantom/splunk-soar/install/deployments/deployment.py", "line": 175, "message": "Error: The install directory (/opt/phantom) is not owned by the installation owner (root)", "install_run_uuid": "17e0674c-b035-4696-9f75-acf2297ab325", "start_time": "2024-11-10T02:02:54.547287", "install_mode": "install", "installed_version": null, "proposed_version": "6.3.0.719", "deployment_type": "unpriv", "continue_from": null, "phase": "pre-deploy", "operation_status": "failed", "time_elapsed_since_start": 1.524704}
{"component": "installation_log", "time": "2024-11-10T02:02:56.072144", "logger": "install", "pid": 2005, "level": "ERROR", "file": "/opt/phantom/splunk-soar/./soar-install", "line": 105, "message": "Pre-deploy checks failed with errors", "install_run_uuid": "17e0674c-b035-4696-9f75-acf2297ab325", "start_time": "2024-11-10T02:02:54.547287", "install_mode": "install", "installed_version": null, "proposed_version": "6.3.0.719", "deployment_type": "unpriv", "continue_from": null, "time_elapsed_since_start": 1.525168, "pretty_exc_info": ["Traceback (most recent call last):", " File \"/opt/phantom/splunk-soar/./soar-install\", line 82, in main", " deployment.run()", " File \"/opt/phantom/splunk-soar/install/deployments/deployment.py\", line 145, in run", " self.run_pre_deploy()", " File \"/opt/phantom/splunk-soar/usr/python39/lib/python3.9/contextlib.py\", line 79, in inner", " return func(*args, **kwds)", " File \"/opt/phantom/splunk-soar/install/deployments/deployment.py\", line 178, in run_pre_deploy", " raise DeploymentChecksFailed(", "install.install_common.DeploymentChecksFailed: Pre-deploy checks failed with errors"]}

 

Labels (1)
Labels
Preview file
542 KB
0 Karma
Reply

SOARt_of_Lost
Path Finder
‎11-12-2024 07:49 AM

Just to clarify the discussion I see here, everything under /opt/phantom should be owned by the phantom user. If any of the folders are owned by the root user instead of the phantom, SOAR may not run (or install in this case) properly.

This is mentioned in the installation instructions but it's a single line toward the bottom and easy to miss. "Make sure you are logged in as the user meant to own the Splunk SOAR (On-premises) installation. Do not perform the installation command as the root user."

Given how early you are in the process, it might just be best to start fresh rather than changing permissions on every folder.

Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-10-2024 01:38 AM

You are supposed to install SOAR using a nonprivileged user.

0 Karma
Reply

sidnakvee
Explorer
‎11-10-2024 08:55 AM

Hi !

 thanks for your reply yeah I tied with phantom account as well still see error for folder permission ro soar-phantom . Not sure what mistake I am doing . 

Is there any detaied video link or documntation to follow ? thanks 

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-10-2024 01:01 PM

Did you verify the permissions? If you created the directory with root ownership and 755 permissions, the non-root user won't be able to use it.

0 Karma
Reply

sidnakvee
Explorer
‎11-09-2024 06:23 PM

Sorry forgot to mention its  version 6.3.0

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...