Splunk Search

running splunk in openshift container. sudo error in script entrypoint.sh



I can run splunk as a docker image - no problem. But running in Openshift it crashes running sudo (assume in entrypoint.sh script).

image splunk/splunk:7.3.0

PLAY [Run default Splunk provisioning]
Thursday 19 September 2019 19:01:12 +1000 (0:00:00.042) 0:00:00.042

TASK [Gathering Facts]
ok: [localhost]
Thursday 19 September 2019 19:01:15 +1000 (0:00:03.283) 0:00:03.326
Thursday 19 September 2019 19:01:16 +1000 (0:00:00.344) 0:00:03.942
included: /opt/ansible/roles/splunk_common/tasks/get_facts.yml for localhost
Thursday 19 September 2019 19:01:16 +1000 (0:00:00.264) 0:00:04.207
TASK [splunk_common : Set privilege escalation user]
ok: [localhost]


TASK [splunk_common : Update Splunk directory owner]
fatal: [localhost]: FAILED! => {
"changed": false,
"rc": 1


See stdout/stderr for the exact error


sudo: unable to change to root gid: Operation not permitted
sudo: unable to initialize policy plugin

PLAY RECAP *********************************************************************
localhost : ok=15 changed=0 unreachable=0 failed=1 skipped=10 rescued=0 ignored=0

Thursday 19 September 2019 19:01:23 +1000 (0:00:00.592) 0:00:11.124 ****

Gathering Facts --------------------------------------------------------- 3.28s
splunk_common : Check for existing installation ------------------------- 1.60s
splunk_common : Check if we are in a docker ----------------------------- 1.19s
Determine captaincy ----------------------------------------------------- 0.11s
ERROR: Couldn't read "/opt/splunk/etc/splunk-launch.conf" -- maybe $SPLUNK_HOME or $SPLUNK_ETC is set wrong?

Generally openshift oc disallows sudo.


0 Karma


OKAY. Found a dirty work around which is a security threat.
Need to add users as sudo and strip out openshift restrictions on allowable capabilities.
including SETUID GETUID. Unfortunately the entrypoint.sh should just run as 1 user splunk and not sudo between splunk and ansible.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...