Allow /opt/splunkforwarder/var/run/splunk splunkd.pid to run as splunk #154

Closed
vandelin586 opened this issue Oct 10, 2017 · 4 comments
vandelin586 commented Oct 10, 2017

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet:
  • Ruby:
  • Distribution:
  • Module version:

How to reproduce (e.g Puppet code you use)

What are you seeing

I set the user under class ::splunk::forwarder to splunk but still the splunkd.pid runs as root. The customer wants this running as splunk. I made a file resource that recurses /opt/splunkforwarder to run as group and owner root, but the change happens every run with a bunch of others: /opt/splunkforwarder/var/libsplunk and /opt/splunkforwarder/var/run/*

Manually the customer set chown /opt/forwarder/* to run as splunk, then restarted the service, and this worked.

What behaviour did you expect instead

Output log

Notice: /Stage[main]/Profile::Linux_splunk/File[/opt/splunkforwarder/etc/apps/learned/local/props.conf]/owner: owner changed 'root' to 'splunk'
Notice: /Stage[main]/Profile::Linux_splunk/File[/opt/splunkforwarder/etc/apps/learned/local/props.conf]/group: group changed 'root' to 'splunk'
Notice: /Stage[main]/Profile::Linux_splunk/File[/opt/splunkforwarder/etc/apps/learned/local/sourcetypes.conf]/owner: owner changed 'root' to 'splunk'
Notice: /Stage[main]/Profile::Linux_splunk/File[/opt/splunkforwarder/etc/apps/learned/local/sourcetypes.conf]/group: group changed 'root' to 'splunk'
Notice: /Stage[main]/Profile::Linux_splunk/File[/opt/splunkforwarder/etc/apps/learned/metadata/local.meta]/owner: owner changed 'root' to 'splunk'
Notice: /Stage[main]/Profile::Linux_splunk/File[/opt/splunkforwarder/etc/apps/learned/metadata/local.meta]/group: group changed 'root' to 'splunk'
Notice: /Stage[main]/Profile::Linux_splunk/File[/opt/splunkforwarder/etc/passwd]/owner: owner changed 'root' to 'splunk'
Notice: /Stage[main]/Profile::Linux_splunk/File[/opt/splunkforwarder/etc/passwd]/group: group changed 'root' to 'splunk'
Notice: /Stage[main]/Profile::Linux_splunk/File[/opt/splunkforwarder/var/lib/splunk/fishbucket/4069420869]/owner: owner changed 'root' to 'splunk'
Notice: /Stage[main]/Profile::Linux_splunk/File[/opt/splunkforwarder/var/lib/splunk/fishbucket/4069420869]/group: group changed 'root' to 'splunk'
Notice: /Stage[main]/Profile::Linux_splunk/File[/opt/splunkforwarder/var/lib/splunk/fishbucket/rawdata/1322324208]/owner: owner changed 'root' to 'splunk'
Notice: /Stage[main]/Profile::Linux_splunk/File[/opt/splunkforwarder/var/lib/splunk/fishbucket/rawdata/1322324208]/group: group changed 'root' to 'splunk'
Notice: /Stage[main]/Profile::Linux_splunk/File[/opt/splunkforwarder/var/lib/splunk/fishbucket/rawdata/1322324208.old]/owner: owner changed 'root' to 'splunk'
Notice: /Stage[main]/Profile::Linux_splunk/File[/opt/splunkforwarder/var/lib/splunk/fishbucket/rawdata/1322324208.old]/group: group changed 'root' to 'splunk'
Notice: /Stage[main]/Profile::Linux_splunk/File[/opt/splunkforwarder/var/lib/splunk/fishbucket/rawdata/2342085248]/owner: owner changed 'root' to 'splunk'
Notice: /Stage[main]/Profile::Linux_splunk/File[/opt/splunkforwarder/var/lib/splunk/fishbucket/rawdata/2342085248]/group: group changed 'root' to 'splunk'
Notice: /Stage[main]/Profile::Linux_splunk/File[/opt/splunkforwarder/var/lib/splunk/fishbucket/rawdata/2342085248.old]/owner: owner changed 'root' to 'splunk'
Notice: /Stage[main]/Profile::Linux_splunk/File[/opt/splunkforwarder/var/lib/splunk/fishbucket/rawdata/2342085248.old]/group: group changed 'root' to 'splunk'
Notice: /Stage[main]/Profile::Linux_splunk/File[/opt/splunkforwarder/var/run/splunk/conf-mutator.pid]/owner: owner changed 'root' to 'splunk'
Notice: /Stage[main]/Profile::Linux_splunk/File[/opt/splunkforwarder/var/run/splunk/conf-mutator.pid]/group: group changed 'root' to 'splunk'
Notice: /Stage[main]/Profile::Linux_splunk/File[/opt/splunkforwarder/var/run/splunk/splunkd.pid]/owner: owner changed 'root' to 'splunk'
Notice: /Stage[main]/Profile::Linux_splunk/File[/opt/splunkforwarder/var/run/splunk/splunkd.pid]/group: group changed 'root' to 'splunk'
Notice: Applied catalog in 2.94 seconds

On every run

Any additional information you'd like to impart

My profile

# Linux profile to install Linux Splunk
class profile::linux_splunk {
  $artifactory_host = hiera('artifactory_host')
  $splunkadmsrv     = hiera('splunk::deploysrv')
  $splunkdir        = hiera('splunk::dir')
  $winsplunkport    = hiera('splunk::port')

  # Apache hosts get their own client name and an ACL giving group splunk r-x on the httpd logs
  if $facts['apache_version'] {
    $client_name = 'fspptuxapch'
    acl { '/app/httpd/log/':
      action     => set,
      permission => [
        'group:splunk:r-x',
        'default:group:splunk:r-x',
      ],
      provider   => posixacl,
      recursive  => true,
      require    => Package['splunkforwarder'],
    }
  } else {
    $client_name = 'fspptux'
  }

  splunkforwarder_deploymentclient { 'deployment-client-disabled':
    section => 'deployment-client',
    setting => 'disabled',
    value   => '0',
  }

  splunkforwarder_deploymentclient { 'deployment-client-client-name':
    section => 'deployment-client',
    setting => 'clientName',
    value   => $client_name,
  }

  splunkforwarder_deploymentclient { 'deployment-server':
    section => 'target-broker:deploymentServer',
    setting => 'targetUri',
    value   => 'Blank:8089',
  }

  class { '::splunk::params':
    version      => '6.5.2',
    build        => '67571ef4b87d',
    src_root     => "http://${artifactory_host}/artifactory/application-release-local/gov/usda/fs/busops/cio/FS_Splunk",
    server       => 'blank..com',
    splunkd_port => '8089',
  }

  class { '::splunk::forwarder':
    splunk_user => 'splunk',
  }

  file { '/opt/splunkforwarder/etc/splunk-launch.conf':
    ensure  => present,
    owner   => 'root',
    group   => 'splunk',
    recurse => false,
    require => Package['splunkforwarder'],
  }

  # Recursive owner/group management of the whole forwarder tree; the
  # File[...] notices in the output log above come from this resource.
  file { '/opt/splunkforwarder/':
    ensure  => present,
    owner   => 'splunk',
    group   => 'splunk',
    recurse => true,
    ignore  => '/opt/splunkforwarder/etc/splunk-launch.conf',
    before  => File['/opt/splunkforwarder/etc/splunk-launch.conf'],
    require => Package['splunkforwarder'],
  }

  file { '/var/log':
    ensure => present,
    owner  => 'root',
    group  => 'root',
    mode   => "2755",
  }

  # Read-only access to /var/log for group splunk, applied recursively
  acl { '/var/log':
    action     => set,
    permission => [
      'group:splunk:r-x',
      'default:group:splunk:r-x',
    ],
    provider   => posixacl,
    recursive  => true,
    require    => Package['splunkforwarder'],
  }

  include ::splunk::forwarder
}

@vandelin586
Author

If I manually use this command after puppet installs splunk
/opt/splunkforwarder/bin/splunk enable boot-start -user splunk --accept-license --answer-yes --no-prompt

It works, and splunk is running as splunk

@vandelin586
Author

In the end, when I deleted all of splunk from the server, I did not delete the /etc/init.d/splunk start up script. So I deleted all of splunk, including the start up script, I rebooted the test server and let puppet run the splunk install again. Everything worked as expected and splunk was running as splunk; this worked on two test servers thus far. They want to test on more nodes, but if all is successful I will close this issue.
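
A check for the outcome described in the comment above, as an added example that is not part of the original thread: it reads the effective UID of the process recorded in splunkd.pid and lists paths in the forwarder tree owned by anyone else. The function names are hypothetical; it assumes Linux /proc (falling back to ps) and that the first line of splunkd.pid is the main splunkd PID.

```shell
#!/bin/sh
# Added example, not from the issue. Function names are hypothetical.

# Effective UID of the first PID in a pid file (assumed to be the main splunkd
# process). Fails if the file is missing or the process is not running.
pid_euid() {
    pid=$(head -n 1 "$1" 2>/dev/null | tr -cd '0-9')
    [ -n "$pid" ] || return 1
    if [ -r "/proc/$pid/status" ]; then
        # "Uid: real effective saved fs" -> field 3 is the effective UID
        euid=$(awk '/^Uid:/ { print $3 }' "/proc/$pid/status")
    else
        euid=$(ps -o uid= -p "$pid" 2>/dev/null | tr -d ' ')
    fi
    [ -n "$euid" ] && echo "$euid"
}

# Paths under $1 not owned by UID $2. splunk-launch.conf is skipped because the
# profile in the issue deliberately keeps it owned by root.
not_owned_by() {
    find "$1" ! -user "$2" ! -name splunk-launch.conf -print
}

# Returns 0 only if splunkd runs as UID $2 and that UID owns the tree under $1.
audit_forwarder() {
    home=$1
    want_uid=$2
    rc=0
    euid=$(pid_euid "$home/var/run/splunk/splunkd.pid") || euid=
    if [ "$euid" != "$want_uid" ]; then
        echo "FAIL: splunkd euid is '${euid:-not running}', expected $want_uid"
        rc=1
    fi
    drift=$(not_owned_by "$home" "$want_uid")
    if [ -n "$drift" ]; then
        echo "FAIL: paths not owned by uid $want_uid:"
        echo "$drift"
        rc=1
    fi
    return "$rc"
}

# Audit the install path from the issue only when it exists on this host.
if [ -d /opt/splunkforwarder ]; then
    audit_forwarder /opt/splunkforwarder "$(id -u splunk)"
fi
```

Run after a Puppet run and a service restart: a non-zero exit means splunkd is still running under another account or the tree has ownership drift.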

@juniorsysadmin juniorsysadmin added the needs-feedback Further information is requested label Oct 15, 2017
@vandelin586
Author

I am still waiting for my other test servers to confirm I can close this. I will close it prematurely, because I do believe the methods I have done do work and that there was no issue to begin with. If I have issues in the next week or two I will re-open it. Thank you, everyone.

@TraGicCode
Contributor

TraGicCode commented Oct 15, 2017 via email
