Outcold Solutions LLC

Create a secure administrator password in Docker for Splunk 7.1.0

April 25, 2018

tl;dr

Starting with Splunk 7.1 there is no default changeme password any more. Use --gen-and-print-passwd to generate a new password when you start Splunk for the first time:

docker run \
    --publish 8000:8000 \
    --env SPLUNK_START_ARGS="--accept-license --gen-and-print-passwd" \
    splunk/splunk:7.1.0

How do you specify the password for the admin user at start time?

All the examples below are based on the Splunk documentation page Create a secure administrator password.

Option 1. Seed the password using arguments.

With the --seed-passwd option you can specify which password to use if the admin user does not have a password yet.

$ docker run \
    --publish 8000:8000 \
    --env SPLUNK_START_ARGS="--accept-license --answer-yes --seed-passwd changeme" \
    splunk/splunk:7.1.0

The password is set only on a fresh Splunk installation. If you have already set or changed the admin password, this command does not change the existing password. It is safe to keep this argument all the time, the same way you keep --accept-license --answer-yes.

With this configuration you will not be asked to change the password when you access Splunk for the first time through Splunk Web. Make sure to change it to a more secure one in Settings - Access Controls, because this password is visible to every user who has access to the Docker instance.

Option 2. Set the password using stdin.

If you are playing with Docker and Splunk, you can run it with -it, which lets you interact with the tty:

$ docker run \
    --publish 8000:8000 \
    --env SPLUNK_START_ARGS="--accept-license --answer-yes" \
    -it \
    splunk/splunk:7.1.0

This appears to be your first time running this version of Splunk.

An Admin password must be set before installation proceeds.
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password:
Please confirm new password:
...

That way your password is not exposed in logs or anywhere else, and it is safe to keep it.

Option 3. Use autogenerated password

You can use the --gen-and-print-passwd flag. That way you get a new autogenerated password when you start Splunk for the first time.

$ docker run \
    --publish 8000:8000 \
    --env SPLUNK_START_ARGS="--accept-license --gen-and-print-passwd --answer-yes" \
    splunk/splunk:7.1.0

This appears to be your first time running this version of Splunk.

Randomly generated admin password:
_,4G5Reu
...

Because the password is printed to the logs, make sure to change it after the first login.

Option 4. Use user-seed.conf

You can create user-seed.conf with the clear-text password as follows:

[user_info]
USERNAME = admin
PASSWORD = Your5ecureP@assw0wd

It is more secure to store a hashed version of the password instead. To produce it, you need a running Splunk instance.

$ splunk hash-passwd 'Your5ecureP@assw0wd'
$6$1hfVCT0MACVOq.pd$hiflBxVd36YLeaThJY0x2RxVCYUD60iz3g72plrKeYPgm3fwXnC20k9XxznQDXpefy79dilaQvOJPBge0Zc3C1

You can use one of the options above to start Splunk in the container and open a shell in it with docker exec -it [container_id] entrypoint.sh splunk-bash. Execute ./bin/splunk hash-passwd ... there.

To use the hashed password instead of clear text, specify it in user-seed.conf with HASHED_PASSWORD:

[user_info]
USERNAME = admin
HASHED_PASSWORD = $6$1hfVCT0MACVOq.pd$hiflBxVd36YLeaThJY0x2RxVCYUD60iz3g72plrKeYPgm3fwXnC20k9XxznQDXpefy79dilaQvOJPBge0Zc3C1

Now you need to embed this file in the container.

You can do this by mounting the file under /var/opt/splunk/etc. This folder is a backup directory for the default Splunk etc files. On first start (or upgrade) the container copies all files from this directory to /opt/splunk/etc.

docker run \
    --publish 8000:8000 \
    --env SPLUNK_START_ARGS="--accept-license --answer-yes" \
    --volume $(pwd)/user-seed.conf:/var/opt/splunk/etc/system/local/user-seed.conf \
    splunk/splunk:7.1.0

You can also build your own image on top of the Splunk image with a Dockerfile and a single command to place user-seed.conf:

FROM splunk/splunk:7.1.0
COPY user-seed.conf /var/opt/splunk/etc/system/local/user-seed.conf

Build the image with docker build -t example.com/splunk:7.1.0 . and run your image the same way as in the example above.

docker run \
    --publish 8000:8000 \
    --env SPLUNK_START_ARGS="--accept-license --answer-yes" \
    --volume $(pwd)/user-seed.conf:/var/opt/splunk/etc/system/local/user-seed.conf \
    example.com/splunk:7.1.0

If you keep the password in clear text in user-seed.conf, make sure to change it after the first login.

Option 5. Use python to write user-seed.conf on start.

A more advanced option: if you already have a hashed password, you can use the SPLUNK_BEFORE_START_CMD environment variable to invoke python and write the content of user-seed.conf before Splunk starts.

docker run \
  --publish 8000:8000 \
  --env SPLUNK_START_ARGS="--accept-license --answer-yes" \
  --env SPLUNK_BEFORE_START_CMD='cmd --accept-license python  -c '"'"'open("/opt/splunk/etc/system/local/user-seed.conf", "w").write("[user_info]\nUSERNAME = admin\nHASHED_PASSWORD = $6$1hfVCT0MACVOq.pd$hiflBxVd36YLeaThJY0x2RxVCYUD60iz3g72plrKeYPgm3fwXnC20k9XxznQDXpefy79dilaQvOJPBge0Zc3C1")'"'"'' \
  splunk/splunk:7.1.0
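For Options 4 and 5, here is an added helper script (not from the original post) that writes user-seed.conf from a hash obtained with splunk hash-passwd and checks the file before you mount it or copy it into the image: no clear-text PASSWORD key, a HASHED_PASSWORD in the $6$ form shown above, and no group/world read permission. The function names and the file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function and variable names are
# assumptions; the hash value must come from `splunk hash-passwd` as above.

# write_user_seed HASH [FILE]
# Write a [user_info] stanza with HASHED_PASSWORD only (never clear text)
# and make the file owner-readable only: anyone who can read the hash can
# attack it offline.
write_user_seed() {
    hashed_pw="$1"
    file="${2:-user-seed.conf}"
    ( umask 077
      printf '[user_info]\nUSERNAME = admin\nHASHED_PASSWORD = %s\n' "$hashed_pw" > "$file" )
    chmod 600 "$file"
}

# check_user_seed FILE
# Return 0 only if FILE has no clear-text PASSWORD key, its HASHED_PASSWORD
# looks like the $6$<salt>$<hash> value that splunk hash-passwd prints,
# and the file is not readable by group or others.
check_user_seed() {
    file="$1"
    [ -f "$file" ] || { echo "$file: not found" >&2; return 1; }
    if grep -Eq '^[[:space:]]*PASSWORD[[:space:]]*=' "$file"; then
        echo "$file: clear-text PASSWORD present, use HASHED_PASSWORD" >&2
        return 1
    fi
    hashed_pw=$(sed -n 's/^[[:space:]]*HASHED_PASSWORD[[:space:]]*=[[:space:]]*//p' "$file")
    case "$hashed_pw" in
        \$6\$*\$*) ;;
        *) echo "$file: HASHED_PASSWORD missing or not in \$6\$ form" >&2; return 1 ;;
    esac
    # group and other permission bits are columns 5-10 of `ls -l` output
    perms=$(ls -l "$file" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$file: readable by group/others" >&2; return 1; }
    return 0
}

# Usage (run on the host before starting the container):
#   write_user_seed "$(splunk hash-passwd 'Your5ecureP@assw0wd')" user-seed.conf
#   check_user_seed user-seed.conf && docker run ... --volume "$(pwd)/user-seed.conf:/var/opt/splunk/etc/system/local/user-seed.conf" splunk/splunk:7.1.0
```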
