Open JoePJisc opened 2 months ago
Hi @JoePJisc,
I assume this happens on fresh installed UFs - not on upgrades?
I had the same error, and it turned out that this was caused by SPLUNK_HOME_OWNERSHIP_ENFORCEMENT - see SECURITY.md.
When you try to run a newer UF as container user splunk, there are a lot of warnings that it's not working fine. However, these are just warnings, so nothing really fails.
However, in this play the error turns into a problem: https://github.com/splunk/splunk-ansible/blob/develop/roles/splunk_common/tasks/enable_admin_auth.yml#L6
The initial splunk admin user setup processes stdout, and here the warning results in a broken passwd file:
```
[splunk@splunk-uf-0 splunkforwarder]$ pwd
/opt/splunkforwarder
[splunk@splunk-uf-0 splunkforwarder]$ cat etc/passwd
:admin:Warning: Attempting to revert the SPLUNK_HOME ownership::administrator:admin:::19853
```
I fixed this by overwriting the play as follows:
```yaml
---
- name: Set admin access via seed
  when: first_run | bool
  block:
    - name: "Hash the password"
      command: "python -c 'import sys, crypt; print(crypt.crypt(sys.argv[1], crypt.mksalt(crypt.METHOD_SHA512)))' '{{ splunk.password }}'"
      register: hashed_pwd
      changed_when: hashed_pwd.rc == 0
      become: yes
      become_user: "{{ splunk.user }}"
      no_log: "{{ hide_password }}"
```
That solved it for me - maybe it helps you as well!
Anyway, the root cause of this is, in the end, the issues with SPLUNK_HOME_OWNERSHIP_ENFORCEMENT, and I will create an issue to address those.
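Added example, not part of the comment above or of splunk-ansible: a check that picks the hash out of captured stdout even when warning lines are mixed in, and that flags `etc/passwd` entries whose hash field is not a hash. It assumes the `:<user>:<hash>:...` layout seen in the quoted line and a SHA-512 crypt (`$6$`) hash as produced by the play above; the function names and sample data are constructed for illustration.

```python
import re

# SHA-512 crypt string: $6$[rounds=N$]salt$<86-character digest>
SHA512_CRYPT = re.compile(
    r"\$6\$(?:rounds=\d+\$)?[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86}"
)


def extract_hash(stdout: str) -> str:
    """Return the single SHA-512 crypt hash found in captured command output.

    Warning lines mixed into stdout are ignored; anything other than exactly
    one hash line is treated as an error instead of being written to disk.
    """
    hits = [ln.strip() for ln in stdout.splitlines()
            if SHA512_CRYPT.fullmatch(ln.strip())]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one hash line, found {len(hits)}")
    return hits[0]


def bad_passwd_entries(passwd_text: str) -> list[str]:
    """Return user names whose hash field is not a SHA-512 crypt string.

    Assumption: field 1 is the user and field 2 the hash, as in the
    ':admin:<hash>::administrator:...' line quoted in the comment.
    """
    bad = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        user = fields[1] if len(fields) > 1 else "<unparsed>"
        hash_field = fields[2] if len(fields) > 2 else ""
        if not SHA512_CRYPT.fullmatch(hash_field):
            bad.append(user)
    return bad


# Constructed sample data (the hash is a placeholder, not a real credential).
FAKE_HASH = "$6$" + "abcdefgh" + "$" + "A" * 86
WARNING = "Warning: Attempting to revert the SPLUNK_HOME ownership"
NOISY_STDOUT = WARNING + "\n" + FAKE_HASH + "\n"
BROKEN = f":admin:{WARNING}::administrator:admin:::19853\n"
GOOD = f":admin:{FAKE_HASH}::administrator:admin:::19853\n"

if __name__ == "__main__":
    print("hash recovered:", extract_hash(NOISY_STDOUT) == FAKE_HASH)
    print("broken file:", bad_passwd_entries(BROKEN))
    print("good file:", bad_passwd_entries(GOOD))
```

Running `bad_passwd_entries` against `etc/passwd` after the first run catches the corrupted entry before the admin login is found to be unusable.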
When running containers on 9.2.1 (78803f08aabb) or 9.1.4 (a414fc70250e), if the container is restarted it fails to start with the following error:
9.0.9 (6315942c563f) appears unaffected.