Starting Splunk Universal Forwarder as non-root

leeraym
Path Finder

I've installed Splunk Universal Forwarder 4.2.1 on Solaris 10 (x86 and SPARC), but I can't get them to run as a non-root user. I followed the instructions at http://www.splunk.com/base/Documentation/latest/installation/RunSplunkasadifferentornon-rootuser to chown $SPLUNK_HOME and set the splunk user privs, but I get the following errors when trying to run Splunk as the splunk user:

$ id
uid=40104(splunk) gid=144(splunk)
$ /opt/splunkforwarder/bin/splunk start --accept-license
This appears to be your first time running this version of Splunk.
terminate called after throwing an instance of 'ConfPathHasNoWriter'
what(): Could not find writer for: /nobody/system/server/sslConfig [1] [/opt/splunkforwarder/etc]
Abort - core dumped

Splunk> Finding your faults, just like mom.

Checking prerequisites...
Checking mgmt port [8089]: open
Creating: /opt/splunkforwarder/var/lib/splunk
Creating: /opt/splunkforwarder/var/lib/splunk/appserver/i18n
Creating: /opt/splunkforwarder/var/lib/splunk/appserver/modules/static/css
Creating: /opt/splunkforwarder/var/run/splunk
Creating: /opt/splunkforwarder/var/run/splunk/upload
Creating: /opt/splunkforwarder/var/spool/splunk
Creating: /opt/splunkforwarder/var/spool/dirmoncache
Creating: /opt/splunkforwarder/var/lib/splunk/authDb
Creating: /opt/splunkforwarder/var/lib/splunk/hashDb
New certs have been generated in '/opt/splunkforwarder/etc/auth'.
terminate called after throwing an instance of 'ConfPathHasNoWriter'
what(): Could not find writer for: /nobody/system/server/sslConfig [1] [/opt/splunkforwarder/etc]
ERROR: pid 28316 terminated with signal 6 (core dumped)
Checking conf files for typos...
terminate called after throwing an instance of 'ConfPathHasNoWriter'
what(): Could not find writer for: /nobody/system/server/sslConfig [1] [/opt/splunkforwarder/etc]
ERROR: pid 28317 terminated with signal 6 (core dumped)
There might be typos in your conf files. For more information, run 'splunk btool check --debug'
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
terminate called after throwing an instance of 'ConfPathHasNoWriter'
what(): Could not find writer for: /nobody/system/server/general [1] [/opt/splunkforwarder/etc]
ERROR: pid 28325 terminated with signal 6 (core dumped)

Timed out waiting for splunkd to start.

Any ideas? I didn't have this problem when trying on an Ubuntu server with Splunk Universal Forwarder 4.2.

Thanks,
Ray

1 Solution

Ellen
Splunk Employee

This is a known issue (SPL-40616) in the Solaris Universal Forwarder package's setup with incorrect permissions being set. This was reported in the pkg under 4.2.2 and 4.2.3.

As indicated above, the workaround is to chmod $SPLUNK_HOME/etc/system from 555 to 755.

The fix will be addressed in a forthcoming maintenance release.

Reference to this can also be found in the Release Notes Known Issues.

MuS
SplunkTrust

Hi leeraym

I have filed a bug report and this one is currently being processed @splunk. As soon as it's fixed I'll let you know.
btw what is your exact release version where this happened?

cheers

adamhmitchell
Engager

Ray (and all) - I was able to fix this issue today with chmod and still run the agent as 'splunk':

chmod +w /opt/splunkforwarder/etc/system

The error was this:

06-14-2011 16:01:45.163 -0400 ERROR BundlesUtil - Cannot create parent directory: /opt/splunkforwarder/etc/system/metadata: Permission denied

And the root problem was the permissions on the parent directory. It was owned by 'splunk' but wasn't writable:

bash-3.00$ ls -ld /opt/splunkforwarder/etc/system/
dr-xr-xr-x 7 splunk splunk 7 Jun 14 14:44 /opt/splunkforwarder/etc/system/

Hope it works for you too!

Adam
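
A pre-start check for the condition described in this thread: a directory owned by the service account but missing the owner-write bit (mode 555), plus anything a partial chown left behind. This is an added example, not part of the original posts and not Splunk tooling; the function names and the SPLUNK_USER variable are assumptions. The fix step uses chmod u+w, which turns 555 into the 755 given in the accepted answer without granting group or world write.

```shell
#!/bin/sh
# Added example; function names and SPLUNK_USER are hypothetical.

# Directories under $1 whose owner-write bit is clear (mode 555 is the
# state reported in this thread for etc/system).
find_unwritable_dirs() {
    find "$1" -type d ! -perm -200 -print
}

# Anything under $1 not owned by user $2 (name or numeric uid); catches a
# skipped or partial chown of $SPLUNK_HOME.
find_wrong_owner() {
    find "$1" ! -user "$2" -print
}

# Restore owner write only: 555 becomes 755, never 775 or 777.
fix_unwritable_dirs() {
    find "$1" -type d ! -perm -200 -exec chmod u+w {} +
}

# Print the 10-character mode string of $1, e.g. dr-xr-xr-x.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Report only; returns non-zero if anything needs attention.
# Usage: audit_forwarder <splunk_home> <service_user>
audit_forwarder() {
    bad_mode=$(find_unwritable_dirs "$1")
    bad_owner=$(find_wrong_owner "$1" "$2")
    [ -z "$bad_mode" ] || printf 'not owner-writable:\n%s\n' "$bad_mode"
    [ -z "$bad_owner" ] || printf 'not owned by %s:\n%s\n' "$2" "$bad_owner"
    [ -z "$bad_mode" ] && [ -z "$bad_owner" ]
}

# Runs only when SPLUNK_HOME points at an existing directory.
if [ -n "${SPLUNK_HOME:-}" ] && [ -d "$SPLUNK_HOME" ]; then
    audit_forwarder "$SPLUNK_HOME" "${SPLUNK_USER:-splunk}" || true
fi
```

Review the report before running fix_unwritable_dirs against the same path, then re-run the audit to confirm it returns success.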

viril
New Member

How to run Splunk as non-root if boot-start is enabled? If this is installed as non-root, how do you enable the boot-start?

0 Karma

adamhmitchell
Engager

I am also having this problem on Solaris 10.

Ray - did anyone ever get back to you?

Adam

0 Karma

leeraym
Path Finder

Hi Adam,

No answers so far. I just let it run as root since it wasn't really a big deal to me. Would be nice if I could have it run as splunk though.

Ray

0 Karma