Splunk Search

running splunk in openshift container. sudo error in script entrypoint.sh

jjwallaby
Engager

Hi,

I can run splunk as a docker image - no problem. But running in Openshift it crashes running sudo (assume in entrypoint.sh script).

image splunk/splunk:7.3.0

PLAY [Run default Splunk provisioning]
Thursday 19 September 2019 19:01:12 +1000 (0:00:00.042) 0:00:00.042

TASK [Gathering Facts]
ok: [localhost]
Thursday 19 September 2019 19:01:15 +1000 (0:00:03.283) 0:00:03.326
Thursday 19 September 2019 19:01:16 +1000 (0:00:00.344) 0:00:03.942
included: /opt/ansible/roles/splunk_common/tasks/get_facts.yml for localhost
Thursday 19 September 2019 19:01:16 +1000 (0:00:00.264) 0:00:04.207
TASK [splunk_common : Set privilege escalation user]
ok: [localhost]

..
..
..

TASK [splunk_common : Update Splunk directory owner]
fatal: [localhost]: FAILED! => {
"changed": false,
"rc": 1
}

MSG:

MODULE FAILURE
See stdout/stderr for the exact error

MODULE_STDERR:

sudo: unable to change to root gid: Operation not permitted
sudo: unable to initialize policy plugin

PLAY RECAP *********************************************************************
localhost : ok=15 changed=0 unreachable=0 failed=1 skipped=10 rescued=0 ignored=0

Thursday 19 September 2019 19:01:23 +1000 (0:00:00.592) 0:00:11.124 ****

Gathering Facts --------------------------------------------------------- 3.28s
splunk_common : Check for existing installation ------------------------- 1.60s
splunk_common : Check if we are in a docker ----------------------------- 1.19s
..
..
..
Determine captaincy ----------------------------------------------------- 0.11s
ERROR: Couldn't read "/opt/splunk/etc/splunk-launch.conf" -- maybe $SPLUNK_HOME or $SPLUNK_ETC is set wrong?

Generally openshift oc disallows sudo.

Thanks

0 Karma

jjwallaby
Engager

OKAY. Found a dirty work around which is a security threat.
Need to add users as sudo and strip out openshift restrictions on allowable capabilities.
including SETUID GETUID. Unfortunately the entrypoint.sh should just run as 1 user splunk and not sudo between splunk and ansible.
uneccessary.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...