Deployment Architecture

Why is the app or add-on installations, on a single instance Splunk Enterprise 7.1.2 on Linux, show as root user by default?

neerajshah81
Path Finder

I have a single instance Splunk Enterprise 7.1.2 on Linux. I have used a non-root user "splunk" & group "splunk" to install Splunk. At the time of install i made sure to run "chown -R splunk:splunk /opt/splunk" command and verified all files/dirs are now owned by "splunk:splunk". I am noticing that whenever i install a new app or add-on , its owner is root:root by default. I have to manually run that chown command every time after i install an app or add-on & restart splunk.

I have looked at this thread https://answers.splunk.com/answers/481355/why-are-apps-installing-as-root-user-when-dir-is-n.html?ut... as per it, Is it because we are using "sudo $SPLUNK_HOME/bin/splunk restart" command to restart splunk after each app install which is causing splunk to restart as a root user ? What is the other way then ?

Anybody else using Splunk On Linux facing the same issue ?

Thanks
Neeraj

0 Karma
1 Solution

woodcock
Esteemed Legend

Just because you are changing file ownership does not mean that have changed the user that is running Splunk; clearly this is still root. Go to the CLI as root and do this:

/opt/splunk/bin/splunk stop
DO EVERYTHING IN THIS SECTION (but do not use `bob`, use `splunk`): https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/ConfigureSplunktostartatboottime#Enable_boo...
chown -R splunk:splunk /opt/splunk
systemctl daemon-reload
service splunk start

Then you will be running as user splunk

View solution in original post

0 Karma

woodcock
Esteemed Legend

Just because you are changing file ownership does not mean that have changed the user that is running Splunk; clearly this is still root. Go to the CLI as root and do this:

/opt/splunk/bin/splunk stop
DO EVERYTHING IN THIS SECTION (but do not use `bob`, use `splunk`): https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/ConfigureSplunktostartatboottime#Enable_boo...
chown -R splunk:splunk /opt/splunk
systemctl daemon-reload
service splunk start

Then you will be running as user splunk

0 Karma

FrankVl
Ultra Champion

Just configure the desired OS user in etc/splunk-launch.conf (last line of that file already contains a placeholder for that setting, just uncomment and add the user name). That way, regardless of which user starts splunk, it always runs under the correct user.

0 Karma

woodcock
Esteemed Legend

There is much more to it than that. See my answer.

0 Karma

FrankVl
Ultra Champion

Sounds more like a different way of doing things? I've never changed the init.d file, or appended the -user flag to the enable-boot command. Just set the user in the splunk-launch.conf and it always runs as the correct user. After boot, but also when you (accidentally) execute ./splunk restart while being root.

Edit, ah:

When 'splunk enable boot-start -user <u>' is invoked, SPLUNK_OS_USER is set to <u> as a side effect. 

So your approach also sets splunk-launch.conf OS user setting in the end.

0 Karma

MikaJustasACN
Path Finder

When you are restarting Splunk by running "sudo $SPLUNK_HOME/bin/splunk restart", essentially what you do is you restart splunk into root user. You can confirm that by "ps -aux | grep splunk". You first need to jump to splunk user: "sudo su splunk" and then $SPLUNK_HOME/bin/splunk restart.

neerajshah81
Path Finder

Thanks Mika. Upvote granted 🙂

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...