This PR enables running in unpriviliged mode when run as the splunk

Mike Dickey · Mike Dickey · commit 3ca30d04f48f · 2019-08-16T16:15:31.000-07:00
user account. The splunk user is now part of the ansible group and
able to run the ansible playbooks itself at startup, but unlike ansible,
it has no sudo capabilities at startup time.

Note that you currently must explicitly set SPLUNK_HOME_OWNERSHIP_ENFORCEMENT
to false when running as the splunk user, otherwise it will fail due to
lack of permissions.

Note that there are limitations, beyond just being unable to "correct"
permission for volume mounts. Any features requiring elevated permissions,
such as install JDK or other packages, will not work when running as the
splunk user.

The defaults are left unchanged. By default, it will still run as the
ansible user and the behavior should be the same as before.
diff --git a/splunk/common-files/Dockerfile b/splunk/common-files/Dockerfile
@@ -101,11 +101,15 @@ RUN sed -i -e 's/%sudo\s\+ALL=(ALL\(:ALL\)\?)\s\+ALL/%sudo ALL=NOPASSWD:ALL/g' /
     && groupadd -r ${ANSIBLE_GROUP} \
     && useradd -r -m -g ${ANSIBLE_GROUP} ${ANSIBLE_USER} \
     && usermod -aG sudo ${ANSIBLE_USER} \
+    && usermod -aG ${ANSIBLE_GROUP} ${SPLUNK_USER} \
     # Container Artifact Directory is a place for all artifacts and logs that are generated by the provisioning process. The directory is owned by the user "ansible".
     && mkdir ${CONTAINER_ARTIFACT_DIR} \
-    && chown -R ${ANSIBLE_USER}:${ANSIBLE_GROUP} $CONTAINER_ARTIFACT_DIR \
+    && chown -R ${ANSIBLE_USER}:${ANSIBLE_GROUP} ${CONTAINER_ARTIFACT_DIR} \
+    && chmod -R 775 ${CONTAINER_ARTIFACT_DIR} \
     && chmod -R 555 ${SPLUNK_ANSIBLE_HOME} \
-    && chmod -R 777 ${CONTAINER_ARTIFACT_DIR} \
+    && chgrp ${ANSIBLE_GROUP} ${SPLUNK_ANSIBLE_HOME} ${SPLUNK_ANSIBLE_HOME}/ansible.cfg \
+    && chmod 775 ${SPLUNK_ANSIBLE_HOME} \
+    && chmod 664 ${SPLUNK_ANSIBLE_HOME}/ansible.cfg \
     && chmod 755 /sbin/entrypoint.sh /sbin/createdefaults.py /sbin/checkstate.sh
 
 USER ${ANSIBLE_USER}
diff --git a/splunk/common-files/entrypoint.sh b/splunk/common-files/entrypoint.sh
@@ -35,6 +35,9 @@ trap teardown SIGINT SIGTERM
 
 prep_ansible() {
 	cd ${SPLUNK_ANSIBLE_HOME}
+	if [ `whoami` == "${SPLUNK_USER}" ]; then
+		sed -i -e "s,^become\\s*=.*,become = false," ansible.cfg
+	fi
 	if [[ "$DEBUG" == "true" ]]; then
 		ansible-playbook --version
 		python inventory/environ.py --write-to-file
@@ -54,33 +57,36 @@ watch_for_failure(){
 	echo
 	user_permission_change
 	# Any crashes/errors while Splunk is running should get logged to splunkd_stderr.log and sent to the container's stdout
+	if [ `whoami` != "${SPLUNK_USER}" ]; then
+		RUN_AS_SPLUNK="sudo -u ${SPLUNK_USER}"
+	fi
 	if [ -z "$SPLUNK_TAIL_FILE" ]; then
-		sudo -u ${SPLUNK_USER} tail -n 0 -f ${SPLUNK_HOME}/var/log/splunk/splunkd_stderr.log &
+		${RUN_AS_SPLUNK} tail -n 0 -f ${SPLUNK_HOME}/var/log/splunk/splunkd_stderr.log &
 	else
-		sudo -u ${SPLUNK_USER} tail -n 0 -f ${SPLUNK_TAIL_FILE} &
+		${RUN_AS_SPLUNK} tail -n 0 -f ${SPLUNK_TAIL_FILE} &
 	fi
 	wait
 }
 
 create_defaults() {
-    createdefaults.py
+		createdefaults.py
 }
 
 start_and_exit() {
-    if [ -z "$SPLUNK_PASSWORD" ]
-    then
-        echo "WARNING: No password ENV var.  Stack may fail to provision if splunk.password is not set in ENV or a default.yml"
-    fi
+	if [ -z "$SPLUNK_PASSWORD" ]
+	then
+			echo "WARNING: No password ENV var.  Stack may fail to provision if splunk.password is not set in ENV or a default.yml"
+	fi
 	sh -c "echo 'starting' > ${CONTAINER_ARTIFACT_DIR}/splunk-container.state"
 	setup
-    prep_ansible
+	prep_ansible
 	ansible-playbook $ANSIBLE_EXTRA_FLAGS -i inventory/environ.py site.yml
 }
 
 start() {
-    trap teardown EXIT
+	trap teardown EXIT
 	start_and_exit
-    watch_for_failure
+	watch_for_failure
 }
 
 configure_multisite() {
@@ -89,58 +95,58 @@ configure_multisite() {
 }
 
 restart(){
-    trap teardown EXIT
+	trap teardown EXIT
 	sh -c "echo 'restarting' > ${CONTAINER_ARTIFACT_DIR}/splunk-container.state"
-    prep_ansible
-  	${SPLUNK_HOME}/bin/splunk stop 2>/dev/null || true
+	prep_ansible
+	${SPLUNK_HOME}/bin/splunk stop 2>/dev/null || true
 	ansible-playbook -i inventory/environ.py start.yml
 	watch_for_failure
 }
 
 user_permission_change(){
 	if [[ "$STEPDOWN_ANSIBLE_USER" == "true" ]]; then
-    	bash -c "sudo deluser -q ansible sudo"
+		bash -c "sudo deluser -q ansible sudo"
 	fi
 }
 
 help() {
 	cat << EOF
-  ____        _             _      __
+	____        _             _      __
  / ___| _ __ | |_   _ _ __ | | __  \ \\
  \___ \| '_ \| | | | | '_ \| |/ /   \ \\
-  ___) | |_) | | |_| | | | |   <    / /
+	___) | |_) | | |_| | | | |   <    / /
  |____/| .__/|_|\__,_|_| |_|_|\_\  /_/
-       |_|
+			 |_|
 ========================================
 
 Environment Variables:
-  * SPLUNK_USER - user under which to run Splunk (default: splunk)
-  * SPLUNK_GROUP - group under which to run Splunk (default: splunk)
-  * SPLUNK_HOME - home directory where Splunk gets installed (default: /opt/splunk)
-  * SPLUNK_START_ARGS - arguments to pass into the Splunk start command; you must include '--accept-license' to start Splunk (default: none)
-  * SPLUNK_ROLE - the role of this Splunk instance (default: splunk_standalone)
-      Acceptable values:
-        - splunk_standalone
-        - splunk_search_head
-        - splunk_indexer
-        - splunk_deployer
-        - splunk_license_master
-        - splunk_cluster_master
-        - splunk_heavy_forwarder
-  * SPLUNK_LICENSE_URI - URI or local file path (absolute path in the container) to a Splunk license
-  * SPLUNK_STANDALONE_URL, SPLUNK_INDEXER_URL, ... - comma-separated list of resolvable aliases to properly bring-up a distributed environment.
-                                                     This is optional for standalones, but required for multi-node Splunk deployments.
-  * SPLUNK_BUILD_URL - URL to a Splunk build which will be installed (instead of the image's default build)
-  * SPLUNK_APPS_URL - comma-separated list of URLs to Splunk apps which will be downloaded and installed
+	* SPLUNK_USER - user under which to run Splunk (default: splunk)
+	* SPLUNK_GROUP - group under which to run Splunk (default: splunk)
+	* SPLUNK_HOME - home directory where Splunk gets installed (default: /opt/splunk)
+	* SPLUNK_START_ARGS - arguments to pass into the Splunk start command; you must include '--accept-license' to start Splunk (default: none)
+	* SPLUNK_ROLE - the role of this Splunk instance (default: splunk_standalone)
+			Acceptable values:
+				- splunk_standalone
+				- splunk_search_head
+				- splunk_indexer
+				- splunk_deployer
+				- splunk_license_master
+				- splunk_cluster_master
+				- splunk_heavy_forwarder
+	* SPLUNK_LICENSE_URI - URI or local file path (absolute path in the container) to a Splunk license
+	* SPLUNK_STANDALONE_URL, SPLUNK_INDEXER_URL, ... - comma-separated list of resolvable aliases to properly bring-up a distributed environment.
+																										 This is optional for standalones, but required for multi-node Splunk deployments.
+	* SPLUNK_BUILD_URL - URL to a Splunk build which will be installed (instead of the image's default build)
+	* SPLUNK_APPS_URL - comma-separated list of URLs to Splunk apps which will be downloaded and installed
 
 Examples:
-  * docker run -it -p 8000:8000 splunk/splunk start
-  * docker run -it -e SPLUNK_START_ARGS=--accept-license -p 8000:8000 -p 8089:8089 splunk/splunk start
-  * docker run -it -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_LICENSE_URI=http://example.com/splunk.lic -p 8000:8000 splunk/splunk start
-  * docker run -it -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_INDEXER_URL=idx1,idx2 -e SPLUNK_SEARCH_HEAD_URL=sh1,sh2 -e SPLUNK_ROLE=splunk_search_head --hostname sh1 --network splunknet --network-alias sh1 -e SPLUNK_PASSWORD=helloworld -e SPLUNK_LICENSE_URI=http://example.com/splunk.lic splunk/splunk start
+	* docker run -it -p 8000:8000 splunk/splunk start
+	* docker run -it -e SPLUNK_START_ARGS=--accept-license -p 8000:8000 -p 8089:8089 splunk/splunk start
+	* docker run -it -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_LICENSE_URI=http://example.com/splunk.lic -p 8000:8000 splunk/splunk start
+	* docker run -it -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_INDEXER_URL=idx1,idx2 -e SPLUNK_SEARCH_HEAD_URL=sh1,sh2 -e SPLUNK_ROLE=splunk_search_head --hostname sh1 --network splunknet --network-alias sh1 -e SPLUNK_PASSWORD=helloworld -e SPLUNK_LICENSE_URI=http://example.com/splunk.lic splunk/splunk start
 
 EOF
-    exit 1
+		exit 1
 }
 
 case "$1" in
@@ -157,12 +163,12 @@ case "$1" in
 		configure_multisite $0
 		;;
 	create-defaults)
-	    create_defaults
-	    ;;
+	  create_defaults
+		;;
 	restart)
-	    shift
-	    restart $@
-	    ;;
+		shift
+		restart $@
+		;;
 	no-provision)
 		user_permission_change
 		tail -n 0 -f /etc/hosts &
