Splunk Search

running splunk in openshift container. sudo error in script entrypoint.sh

jjwallaby
Engager

Hi,

I can run splunk as a docker image - no problem. But running in Openshift it crashes running sudo (assume in entrypoint.sh script).

image splunk/splunk:7.3.0

PLAY [Run default Splunk provisioning]
Thursday 19 September 2019 19:01:12 +1000 (0:00:00.042) 0:00:00.042

TASK [Gathering Facts]
ok: [localhost]
Thursday 19 September 2019 19:01:15 +1000 (0:00:03.283) 0:00:03.326
Thursday 19 September 2019 19:01:16 +1000 (0:00:00.344) 0:00:03.942
included: /opt/ansible/roles/splunk_common/tasks/get_facts.yml for localhost
Thursday 19 September 2019 19:01:16 +1000 (0:00:00.264) 0:00:04.207
TASK [splunk_common : Set privilege escalation user]
ok: [localhost]

..
..
..

TASK [splunk_common : Update Splunk directory owner]
fatal: [localhost]: FAILED! => {
"changed": false,
"rc": 1
}

MSG:

MODULE FAILURE
See stdout/stderr for the exact error

MODULE_STDERR:

sudo: unable to change to root gid: Operation not permitted
sudo: unable to initialize policy plugin

PLAY RECAP *********************************************************************
localhost : ok=15 changed=0 unreachable=0 failed=1 skipped=10 rescued=0 ignored=0

Thursday 19 September 2019 19:01:23 +1000 (0:00:00.592) 0:00:11.124 ****

Gathering Facts --------------------------------------------------------- 3.28s
splunk_common : Check for existing installation ------------------------- 1.60s
splunk_common : Check if we are in a docker ----------------------------- 1.19s
..
..
..
Determine captaincy ----------------------------------------------------- 0.11s
ERROR: Couldn't read "/opt/splunk/etc/splunk-launch.conf" -- maybe $SPLUNK_HOME or $SPLUNK_ETC is set wrong?

Generally openshift oc disallows sudo.

Thanks

0 Karma

jjwallaby
Engager

OKAY. Found a dirty work around which is a security threat.
Need to add users as sudo and strip out openshift restrictions on allowable capabilities.
including SETUID GETUID. Unfortunately the entrypoint.sh should just run as 1 user splunk and not sudo between splunk and ansible.
uneccessary.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...