Splunk Enterprise installation fails using official docker image on kubernetes with "Login failed"

ajna
Explorer

We are trying to run Splunk Enterprise on Kubernetes. We have a Helm chart that uses the official docker image (currently 7.1.2). We are using the following env vars to initialize Splunk:

          env:
            - name: SPLUNK_START_ARGS
              value: "--accept-license --answer-yes --seed-passwd ourpassword"
            - name: SPLUNK_USER
              value: root
            - name: SPLUNK_ENABLE_LISTEN
              value: "9997"
            - name: SPLUNK_ADD
              value: tcp 1514

Splunk appears to start and displays the message

    Waiting for web server at http://127.0.0.1:8000 to be available..... Done


    If you get stuck, we're here to help.
    Look for answers here: http://docs.splunk.com

    The Splunk web interface is at http://container-name:8000

and then a moment later we get the message

    Login failed
    Stopping splunkd...
    Shutting down.  Please wait, as this may take a few minutes.
    ...
    Stopping splunk helpers...

    Done.

What login is failing? What do we need to do to correct this?

0 Karma
1 Solution

outcoldman
Communicator

It is a known issue - https://github.com/splunk/docker-splunk/issues/62
It has a hardcoded login and password admin:changeme, that is used for several commands, including SPLUNK_ENABLE_LISTEN, see https://github.com/splunk/docker-splunk/blob/master/enterprise/entrypoint.sh#L103

Workarounds are:
1. use changeme as a seed password
2. Do not use environment variables for configuration.
3. Build your own image.
4. Wait a week to see what's new after .conf18 (there will be some announcements for the docker image).

digitalbankingp
New Member

My answer should be valid for Docker image version(s): splunk/splunk:7.3.3(-redhat)
I noticed this in entrypoint.sh, along with the message during container startup, which led me to the "SPLUNK_PASSWORD" env var.

    then
        echo "WARNING: No password ENV var.  Stack may fail to provision if splunk.password is not set in ENV or a default.yml"
    fi

This set of environment variables worked for me:

      SPLUNK_START_ARGS: --accept-license --answer-yes
      SPLUNK_ENABLE_LISTEN: 9997
      SPLUNK_ADD: tcp 1514
      SPLUNK_USER: root
      #if custom admin password, env var required for >= 7.3.x
      SPLUNK_PASSWORD: your-custom-password
0 Karma

ajna
Explorer

I changed my config to

    env:
      - name: SPLUNK_START_ARGS
        value: "--accept-license --answer-yes --seed-passwd changeme"
      - name: SPLUNK_USER
        value: splunk
      - name: SPLUNK_ENABLE_LISTEN
        value: "9997"
      - name: SPLUNK_ADD
        value: tcp 1514

and everything started working

deepashri_123
Motivator

Hey @ajna,

Can you try checking the internal logs of Splunk for any errors?
The path for it is: $SPLUNK_HOME$/var/log/splunk
You need to check splunkd.log

0 Karma

ajna
Explorer

I found this in the logs

    AuthenticationManagerSplunk - Login failed. Incorrect login for user: admin
0 Karma
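
A manifest check for the two outcomes seen in this thread, added here as an example (not code from the thread or from the docker-splunk project): a seed password that differs from the `admin:changeme` the 7.1.2 entrypoint uses, which ends in "Login failed", and the `changeme` workaround, which leaves the admin account on the default password. `audit_env`, the finding labels and the Secret name `splunk-admin` are hypothetical, and the env lists are constructed from the posts above.

```python
import shlex

DEFAULT_PW = "changeme"  # password hardcoded in the 7.1.2 entrypoint, per the accepted answer

def seed_password(start_args):
    """Return the value that follows --seed-passwd in SPLUNK_START_ARGS, or None."""
    tokens = shlex.split(start_args or "")
    for i, tok in enumerate(tokens[:-1]):
        if tok == "--seed-passwd":
            return tokens[i + 1]
    return None

def audit_env(env):
    """Audit a container's `env` list (dicts, as parsed from the manifest)."""
    names = {e["name"] for e in env}
    literal = {e["name"]: str(e["value"]) for e in env if "value" in e}
    seed = seed_password(literal.get("SPLUNK_START_ARGS"))
    findings = []
    if seed is not None:
        findings.append("plaintext-secret: --seed-passwd is readable in the pod spec")
        if seed != DEFAULT_PW and "SPLUNK_ENABLE_LISTEN" in names:
            findings.append("seed-mismatch: entrypoint logs in as admin:changeme, "
                            "so SPLUNK_ENABLE_LISTEN ends in 'Login failed'")
    if "SPLUNK_PASSWORD" in literal:
        findings.append("plaintext-secret: SPLUNK_PASSWORD is a literal value")
    if DEFAULT_PW in (seed, literal.get("SPLUNK_PASSWORD")):
        findings.append("default-password: admin is left on the default 'changeme'")
    return findings

# Constructed inputs mirroring the posts above.
QUESTION_ENV = [
    {"name": "SPLUNK_START_ARGS",
     "value": "--accept-license --answer-yes --seed-passwd ourpassword"},
    {"name": "SPLUNK_ENABLE_LISTEN", "value": "9997"},
]
WORKAROUND_ENV = [
    {"name": "SPLUNK_START_ARGS",
     "value": "--accept-license --answer-yes --seed-passwd changeme"},
    {"name": "SPLUNK_ENABLE_LISTEN", "value": "9997"},
]
SECRET_ENV = [  # 7.3.x style; Secret name and key are hypothetical
    {"name": "SPLUNK_START_ARGS", "value": "--accept-license --answer-yes"},
    {"name": "SPLUNK_PASSWORD",
     "valueFrom": {"secretKeyRef": {"name": "splunk-admin", "key": "password"}}},
]

if __name__ == "__main__":
    for env in (QUESTION_ENV, WORKAROUND_ENV, SECRET_ENV):
        print(audit_env(env) or "ok")
```

The third input follows the 7.3.x answer above, with `SPLUNK_PASSWORD` taken from a Kubernetes Secret instead of a literal value, and produces no findings.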