Starting Splunk Universal Forwarder as non-root

leeraym
Path Finder

I've installed Splunk Universal Forwarder 4.2.1 on Solaris 10 (x86 and SPARC), but I can't get them to run as a non-root user. I followed the instructions at http://www.splunk.com/base/Documentation/latest/installation/RunSplunkasadifferentornon-rootuser to chown $SPLUNK_HOME and set the splunk user privs, but I get the following errors when trying to run Splunk as the splunk user:

$ id
uid=40104(splunk) gid=144(splunk)
$ /opt/splunkforwarder/bin/splunk start --accept-license

This appears to be your first time running this version of Splunk.
terminate called after throwing an instance of 'ConfPathHasNoWriter'
what(): Could not find writer for: /nobody/system/server/sslConfig [1] [/opt/splunkforwarder/etc]
Abort - core dumped

Splunk> Finding your faults, just like mom.

Checking prerequisites...
Checking mgmt port [8089]: open
Creating: /opt/splunkforwarder/var/lib/splunk
Creating: /opt/splunkforwarder/var/lib/splunk/appserver/i18n
Creating: /opt/splunkforwarder/var/lib/splunk/appserver/modules/static/css
Creating: /opt/splunkforwarder/var/run/splunk
Creating: /opt/splunkforwarder/var/run/splunk/upload
Creating: /opt/splunkforwarder/var/spool/splunk
Creating: /opt/splunkforwarder/var/spool/dirmoncache
Creating: /opt/splunkforwarder/var/lib/splunk/authDb
Creating: /opt/splunkforwarder/var/lib/splunk/hashDb
New certs have been generated in '/opt/splunkforwarder/etc/auth'.
terminate called after throwing an instance of 'ConfPathHasNoWriter'
what(): Could not find writer for: /nobody/system/server/sslConfig [1] [/opt/splunkforwarder/etc]
ERROR: pid 28316 terminated with signal 6 (core dumped)
Checking conf files for typos...
terminate called after throwing an instance of 'ConfPathHasNoWriter'
what(): Could not find writer for: /nobody/system/server/sslConfig [1] [/opt/splunkforwarder/etc]
ERROR: pid 28317 terminated with signal 6 (core dumped)
There might be typos in your conf files. For more information, run 'splunk btool check --debug'
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
terminate called after throwing an instance of 'ConfPathHasNoWriter'
what(): Could not find writer for: /nobody/system/server/general [1] [/opt/splunkforwarder/etc]
ERROR: pid 28325 terminated with signal 6 (core dumped)

Timed out waiting for splunkd to start.

Any ideas? I didn't have this problem when trying on an Ubuntu server with Splunk Universal Forwarder 4.2.

Thanks,
Ray


Ellen
Splunk Employee

This is a known issue (SPL-40616) in the Solaris Universal Forwarder package's setup with incorrect permissions being set. This was reported in the pkg under 4.2.2 and 4.2.3.

As indicated above, the workaround is to chmod for $SPLUNK_HOME/etc/system from 555 to 755.

The fix will be addressed in a forthcoming maintenance release.

Reference to this can also be found in the Release Notes Known Issues.

MuS
SplunkTrust

Hi leeraym

I have filed a bug report and this one is currently being processed @splunk. As soon as it's fixed I'll let you know.
btw what is your exact release version where this happened?

cheers

adamhmitchell
Engager

Ray (and all) - I was able to fix this issue today with chmod and still run the agent as 'splunk':

chmod +w /opt/splunkforwarder/etc/system

The error was this:

06-14-2011 16:01:45.163 -0400 ERROR BundlesUtil - Cannot create parent directory: /opt/splunkforwarder/etc/system/metadata: Permission denied

And the root problem was the permissions on the parent directory. It was owned by 'splunk' but wasn't writable:

bash-3.00$ ls -ld /opt/splunkforwarder/etc/system/
dr-xr-xr-x 7 splunk splunk 7 Jun 14 14:44 /opt/splunkforwarder/etc/system/

Hope it works for you too!

Adam
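
The check behind the workaround in this thread (the 555 to 755 chmod and the `ls -ld` diagnosis), as an added example that is not part of the original posts or Splunk's own tooling: it reports whether `etc/system` is owned by the service account but missing the owner write bit, and repairs only that bit. The function names, return codes and the `audit`/`fix` arguments are assumptions made for this example; the install path and the `splunk` account come from the thread.

```shell
# Added example (not Splunk's code). Written for bash or a POSIX sh.
# Assumptions: install path and "splunk" account name as used in the thread.

# Print "<perms> <owner>" parsed from ls -ld; ls is used instead of stat(1),
# whose options differ between platforms.
perms_owner() {
    ls -ld "$1" 2>/dev/null | awk '{print $1, $3}'
}

# Return 0 = owned by $2 and owner-writable
#        1 = owned by $2 but owner write bit missing (the 555 state)
#        2 = wrong owner, 3 = not a directory
# The mode string is inspected rather than `[ -w ]`, which is always true
# for root and would hide the problem when the audit is run as root.
check_conf_dir() {
    [ -d "$1" ] || return 3
    po=$(perms_owner "$1")
    [ "${po#* }" = "$2" ] || return 2
    case "${po%% *}" in
        d?w*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Add only the owner write bit (555 -> 755); group/other stay read-only.
fix_conf_dir() {
    rc=0
    check_conf_dir "$1" "$2" || rc=$?
    case "$rc" in
        0) return 0 ;;
        1) chmod u+w "$1" && check_conf_dir "$1" "$2" ;;
        *) return "$rc" ;;   # wrong owner or missing: chown as root first
    esac
}

# Usage: script.sh audit|fix   (does nothing when run without arguments)
sys_dir="${SPLUNK_HOME:-/opt/splunkforwarder}/etc/system"
case "${1:-}" in
    audit) check_conf_dir "$sys_dir" splunk; echo "status=$?" ;;
    fix)   fix_conf_dir "$sys_dir" splunk;   echo "status=$?" ;;
esac
```

On Solaris 10, run it with bash (the shell shown in the thread's prompt), since the legacy `/bin/sh` there does not support `$( )`.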

viril
New Member

How to run splunk as non-root if boot-start is enabled? If this is installed as non-root, how do you enable the boot-start?

0 Karma

adamhmitchell
Engager

I am also having this problem on Solaris 10.

Ray - did anyone ever get back to you?

Adam

0 Karma

leeraym
Path Finder

Hi Adam,

No answers so far. I just let it run as root since it wasn't really a big deal to me. Would be nice if I could have it run as splunk though.

Ray

0 Karma