Starting from Splunk 7.1 there is no more
--gen-and-print-passwd to generate a new password when starting Splunk
for the first time
docker run \
    --publish 8000:8000 \
    --env SPLUNK_START_ARGS="--accept-license --gen-and-print-passwd" \
    splunk/splunk:7.1.0
How to specify the password for admin user at start time?
All the examples below are based on the Splunk documentation page "Create a secure administrator password".
Option 1. Seed the password using arguments.
With the --seed-passwd option you can specify which password to use if the
admin user does not have one
$ docker run \
    --publish 8000:8000 \
    --env SPLUNK_START_ARGS="--accept-license --answer-yes --seed-passwd changeme" \
    splunk/splunk:7.1.0
The password is set only on a fresh Splunk installation. If you have set or changed the admin password before,
this argument does not change the existing password. It is safe to keep this argument all the time, the same way
With this configuration, you will not be asked to change the password when you access Splunk for the first time using Splunk Web. Make sure to change the password to a more secure one in Settings - Access Controls, as this password will be visible to all users who have access to the Docker instance.
Option 2. Set the password using stdin.
If you are playing with Docker and Splunk, you can run it with
-it allowing you to interact with the
$ docker run \
    --publish 8000:8000 \
    --env SPLUNK_START_ARGS="--accept-license --answer-yes" \
    -it \
    splunk/splunk:7.1.0
This appears to be your first time running this version of Splunk.
An Admin password must be set before installation proceeds.
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password:
Please confirm new password:
...
That way your password will not be exposed to logs or anywhere else. Keeping it is safe.
Option 3. Use autogenerated password
You can use the
--gen-and-print-passwd flag. That way, you will get a new autogenerated password when you start
Splunk for the first time.
$ docker run \
    --publish 8000:8000 \
    --env SPLUNK_START_ARGS="--accept-license --gen-and-print-passwd --answer-yes" \
    splunk/splunk:7.1.0
This appears to be your first time running this version of Splunk.
Randomly generated admin password: _,4G5Reu
...
Because the password is logged, make sure to change it after the first login.
Option 4. Use user-seed.conf
You can create
user-seed.conf with the clear text password as
[user_info]
USERNAME = admin
PASSWORD = Your5ecureP@assw0wd
It is more secure to store a hashed version of the password instead. For that, you need a running Splunk instance.
$ splunk hash-passwd 'Your5ecureP@assw0wd'
$6$1hfVCT0MACVOq.pd$hiflBxVd36YLeaThJY0x2RxVCYUD60iz3g72plrKeYPgm3fwXnC20k9XxznQDXpefy79dilaQvOJPBge0Zc3C1
You can use one of the options above to start Splunk in the container and access Splunk with
docker exec -it [container_id] entrypoint.sh splunk-bash. Execute
./bin/splunk hash-passwd ... there.
To use a hashed password instead of clear text, specify it in
[user_info]
USERNAME = admin
HASHED_PASSWORD = $6$1hfVCT0MACVOq.pd$hiflBxVd36YLeaThJY0x2RxVCYUD60iz3g72plrKeYPgm3fwXnC20k9XxznQDXpefy79dilaQvOJPBge0Zc3C1
Now you need to embed this file in the container.
You can do it by mounting the file under
/var/opt/splunk/etc. This folder is a backup directory for the default
etc files. On first start (or upgrade) the container copies all files from this directory to the
docker run \
    --publish 8000:8000 \
    --env SPLUNK_START_ARGS="--accept-license --answer-yes" \
    --volume "$(pwd)/user-seed.conf:/var/opt/splunk/etc/system/local/user-seed.conf" \
    splunk/splunk:7.1.0
You can also build your own image on top of the Splunk image with a Dockerfile and just one command to place the
FROM splunk/splunk:7.1.0
COPY user-seed.conf /var/opt/splunk/etc/system/local/user-seed.conf
Build the image with
docker build -t example.com/splunk:7.1.0 . and run your image similarly to the example above.
docker run \
    --publish 8000:8000 \
    --env SPLUNK_START_ARGS="--accept-license --answer-yes" \
    --volume "$(pwd)/user-seed.conf:/var/opt/splunk/etc/system/local/user-seed.conf" \
    example.com/splunk:7.1.0
If you keep the password in clear text in
user-seed.conf, make sure to change it on first login.
Option 5. Use Python to write the
user-seed.conf on start.
A more advanced option: if you already have a hashed password, you can use the
SPLUNK_BEFORE_START_CMD environment variable
to invoke Python to write the content of
docker run \
    --publish 8000:8000 \
    --env SPLUNK_START_ARGS="--accept-license --answer-yes" \
    --env SPLUNK_BEFORE_START_CMD='cmd --accept-license python -c '"'"'open("/opt/splunk/etc/system/local/user-seed.conf", "w").write("[user_info]\nUSERNAME = admin\nHASHED_PASSWORD = $6$1hfVCT0MACVOq.pd$hiflBxVd36YLeaThJY0x2RxVCYUD60iz3g72plrKeYPgm3fwXnC20k9XxznQDXpefy79dilaQvOJPBge0Zc3C1")'"'"'' \
    splunk/splunk:7.1.0
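
The caveat under Option 1, that a seeded password is visible to anyone with access to the Docker instance, can be checked from the container metadata, because environment variables passed with --env are stored in the container configuration. The following Python audit is an added example, not part of the original post or of Splunk's tooling; the sample docker inspect JSON, the container names and the secrets in it are constructed.

```python
import json
import re

# Constructed sample of `docker inspect` output, trimmed to the fields used here.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/splunk-seeded", "Config": {"Env": [
        "SPLUNK_START_ARGS=--accept-license --answer-yes --seed-passwd changeme"]}},
    {"Name": "/splunk-hashed", "Config": {"Env": [
        "SPLUNK_START_ARGS=--accept-license --answer-yes",
        "SPLUNK_BEFORE_START_CMD=cmd python -c 'open(\"user-seed.conf\", \"w\")"
        ".write(\"[user_info]\\nUSERNAME = admin\\nHASHED_PASSWORD = $6$constructed$hash\")'"]}},
    {"Name": "/splunk-cleartext-seed", "Config": {"Env": [
        "SPLUNK_BEFORE_START_CMD=cmd python -c 'open(\"user-seed.conf\", \"w\")"
        ".write(\"[user_info]\\nUSERNAME = admin\\nPASSWORD = constructed-secret\")'"]}},
])

# Matches the PASSWORD key of user-seed.conf but not HASHED_PASSWORD.
CLEARTEXT_KEY = re.compile(r"(?<![A-Z_])PASSWORD\s*=")


def env_findings(env):
    """Return findings for one container's Env list of "KEY=value" strings."""
    findings = []
    for entry in env:
        key, _, value = entry.partition("=")
        if key == "SPLUNK_START_ARGS":
            if "--seed-passwd" in value.split():
                findings.append("cleartext password in SPLUNK_START_ARGS (--seed-passwd)")
        elif key == "SPLUNK_BEFORE_START_CMD" and CLEARTEXT_KEY.search(value):
            findings.append("cleartext PASSWORD written by SPLUNK_BEFORE_START_CMD")
    return findings


def audit(inspect_json):
    """Map container name to findings for each container in `docker inspect` JSON."""
    report = {}
    for container in json.loads(inspect_json):
        env = (container.get("Config") or {}).get("Env") or []
        found = env_findings(env)
        if found:
            report[container.get("Name", "?").lstrip("/")] = found
    return report


if __name__ == "__main__":
    for name, found in audit(SAMPLE_INSPECT).items():
        print(name, "->", "; ".join(found))
```

To audit real containers, pass audit() the JSON printed by docker inspect for the containers in question instead of SAMPLE_INSPECT.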