Allow unprivileged mode when running as splunk user #222
Also note I made some indenting fixes in entrypoint.sh so that it's (I think) all using tabs now.

ascii art formatting and finish indenting consistency. Merged in same changes for running as splunk user to universal forwarder Dockerfile and entrypoint.sh. Updated whitespace in universal forwarder entrypoint.sh to also use tabs for consistency.
Overall, this follows what @lephino and I came up with last Friday so I don't have any real issues with it. I can add some tests for any upgrade functionality so we have that in our pipeline in the future.
| prep_ansible() { | ||
| cd ${SPLUNK_ANSIBLE_HOME} | ||
| if [ `whoami` == "${SPLUNK_USER}" ]; then | ||
| sed -i -e "s,^become\\s*=.*,become = false," ansible.cfg |
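Review bot: the user check on the `if` line uses `==` inside single-bracket `[ ]`, which is a bash extension; POSIX `sh` (dash on Debian-based images) only guarantees `=`, so prefer `[ "$(whoami)" = "${SPLUNK_USER}" ]` (with `$(...)` instead of backticks and the result quoted so an empty value does not break the test). The preceding `cd ${SPLUNK_ANSIBLE_HOME}` is also unguarded and unquoted: if the variable is unset or the directory is missing, the `sed -i` that follows edits whatever `ansible.cfg` happens to sit in the current directory; `cd "${SPLUNK_ANSIBLE_HOME}" || return 1` makes the failure visible instead.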
One small thing here that I don't quite like is that our ansible.cfg as shown in the repo is not actually representative of the ansible.cfg during execution under a different user. But I suppose this is a necessary evil at the moment so as long as it's documented, it should be alright.
Yeah, I was hoping that become_user when you are that user is a noop, but unfortunately that is not the case. Without explicitly disabling it here, ansible bombs out at startup with complaints that it cannot use sudo without a password.
I’ve encountered issues running Splunk SE and UF on Openshift in unprivileged mode. When will this PR be put into an image release on either the Redhat container catalog or Docker Hub?

Hi Sayeed, this should be included in the

Hi Mike. Thanks for the info. I'll test out the edge image. Is there an edge-redhat image for the universal forwarder?
splunk user with fsGroup set to splunk group. This ensures that all the PVCs created for the pod will be group owned appropriately, so that our splunk user is able to write to them. This works in conjunction with the docker-splunk container changes that allow it to run unprivileged: splunk/docker-splunk#222. It will not work with any containers that do not include this change.

Removed the now unused GetSplunkDeployment method.

Made a minor logging fix that was printing out a data type.
This PR enables running in unprivileged mode when run as the splunk user account. The splunk user is now part of the ansible group and able to run the ansible playbooks itself at startup, but unlike ansible, it has no sudo capabilities at startup time.
Note that you currently must explicitly set SPLUNK_HOME_OWNERSHIP_ENFORCEMENT to false when running as the splunk user, otherwise it will fail due to lack of permissions.
Note that there are limitations, beyond just being unable to "correct" permission for volume mounts. Any features requiring elevated permissions, such as installing a JDK or other packages, will not work when running as the splunk user.
The defaults are left unchanged. By default, it will still run as the ansible user and the behavior should be the same as before.
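The two startup rules the description lays out (disable ansible's `become` when the entrypoint runs as the splunk user, and refuse to start as that user unless `SPLUNK_HOME_OWNERSHIP_ENFORCEMENT` is `false`) as a small POSIX sh example. This is added illustration, not code from docker-splunk or this PR: the function names `set_become` and `check_ownership_flag`, their argument layout, and the constructed `ansible.cfg` used in the demo are assumptions. It goes slightly beyond the PR's `sed` line by adding the `become` key when the file has none and by avoiding the bash-only `==` and GNU-only `\s` / `sed -i` forms.

```shell
#!/bin/sh
# Added example, not code from docker-splunk. It mirrors the idea in this
# PR: when the entrypoint runs as the splunk user, ansible must not try to
# "become" root, and SPLUNK_HOME_OWNERSHIP_ENFORCEMENT must be false.
# Function names and the argument layout are assumptions for this example.

# set_become CFG CURRENT_USER SPLUNK_USER
# Rewrites the "become" key in CFG: false when CURRENT_USER is SPLUNK_USER,
# true otherwise. Adds the key if CFG has none. Prints the value written.
set_become() {
    cfg=$1
    current_user=$2
    splunk_user=$3
    if [ "$current_user" = "$splunk_user" ]; then   # single "=" is POSIX sh
        value=false
    else
        value=true
    fi
    if grep -q '^become[[:space:]]*=' "$cfg"; then
        # [[:space:]] is POSIX; GNU's \s is not. Write to a temp file and
        # rename instead of sed -i, whose syntax differs between GNU and BSD.
        sed -e "s,^become[[:space:]]*=.*,become = $value," "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        printf 'become = %s\n' "$value" >> "$cfg"
    fi
    # "become_user = root" is left alone: the pattern needs "=" right after "become"
    sed -n 's/^become = //p' "$cfg"
}

# check_ownership_flag CURRENT_USER SPLUNK_USER ENFORCEMENT
# Returns 1 when the container runs as SPLUNK_USER but
# SPLUNK_HOME_OWNERSHIP_ENFORCEMENT is not "false": the chown of SPLUNK_HOME
# would fail without sudo, so fail early with a clear message instead.
check_ownership_flag() {
    current_user=$1
    splunk_user=$2
    enforcement=$3
    if [ "$current_user" = "$splunk_user" ] && [ "$enforcement" != "false" ]; then
        echo "ERROR: running as $splunk_user requires SPLUNK_HOME_OWNERSHIP_ENFORCEMENT=false (got '$enforcement')" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed ansible.cfg in a temp dir (no real files touched).
demo() {
    dir=$(mktemp -d)
    printf '[defaults]\nbecome = true\nbecome_user = root\n' > "$dir/ansible.cfg"
    echo "as splunk:  become = $(set_become "$dir/ansible.cfg" splunk splunk)"
    echo "as ansible: become = $(set_become "$dir/ansible.cfg" ansible splunk)"
    check_ownership_flag splunk splunk true || echo "startup refused as expected"
    check_ownership_flag splunk splunk false && echo "startup allowed"
    rm -rf "$dir"
}

demo
```

Running the script prints `become = false` for the splunk user and `become = true` for the ansible user, then shows the ownership check refusing the first combination and allowing the second. In a real entrypoint the two functions would be called with `"$(whoami)"`, `"$SPLUNK_USER"` and `"$SPLUNK_HOME_OWNERSHIP_ENFORCEMENT"` before ansible-playbook is invoked.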