
Comments (9)

lephino avatar lephino commented on June 9, 2024

Create an ansible play as a "pre-task" that does a chown on /opt/splunkforward. It'll run before the install play and set the ownership back to "splunk:splunk".

from docker-splunk.

LorenKeagle avatar LorenKeagle commented on June 9, 2024

My greatest fear was that the answer was going to involve "learn a new tool" LOL! :-)

  1. How do I define an ansible pre-task? Is there a folder I can simply copy a script file in?
  2. What user/group should I set in chown? ansible:ansible?

from docker-splunk.

lephino avatar lephino commented on June 9, 2024

You can actually copy our entire task for this:

https://github.com/splunk/splunk-ansible/blob/develop/roles/splunk_common/tasks/change_splunk_directory_owner.yml

The thing to notice is, in ansible, the --- in the first line signals the start of the file, and then the yaml definition will define what module to run a command on. In this case, it's ansible's file module: https://docs.ansible.com/ansible/latest/modules/file_module.html#file-module

We're using the file module to become root, but then set the directory to the splunk user. No different than doing like a "sudo chown splunk:splunk /opt/splunkforwarder". The variables are just taking place for the user / directory.

Now to use it, there's a few ways to include it, you can map it to /tmp/splunk_ansible_pre_tasks.yml or you can create the file, and host it on a webserver and set an env var "ansible_pre_tasks". You can also set to just use our actual play by setting an ansible_pre_tasks to file:///opt/ansible/roles/splunk_common/tasks/change_splunk_directory_owner.yml.

from docker-splunk.
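
A pre-task file of the kind described in the comment above, as an added example (not part of the original thread and not the project's own change_splunk_directory_owner.yml). It assumes the literal path /opt/splunkforwarder and the splunk:splunk owner named in the thread instead of the project's variables, and adds a read-back check so a failed ownership change stops the run before the install step.

```yaml
---
# Added example: a task list to map to /tmp/splunk_ansible_pre_tasks.yml.
# Assumption: forwarder home is /opt/splunkforwarder and the target
# user/group is splunk:splunk, as mentioned in the thread.

- name: Set ownership of the forwarder home to splunk (escalates to root only for this task)
  file:
    path: /opt/splunkforwarder
    state: directory
    owner: splunk
    group: splunk
    recurse: yes
  become: yes
  become_user: root

- name: Read back the ownership of the forwarder home
  stat:
    path: /opt/splunkforwarder
  register: fwd_home

- name: Stop early if the directory is still not owned by splunk
  assert:
    that:
      - fwd_home.stat.exists
      - fwd_home.stat.pw_name == "splunk"
      - fwd_home.stat.gr_name == "splunk"
    msg: "/opt/splunkforwarder is not owned by splunk:splunk; the install would unpack into a root-owned tree"
```

With a bind-mounted app directory under this path, the recursive ownership change also applies to the files on the host, since the container and host share the same inodes.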

LorenKeagle avatar LorenKeagle commented on June 9, 2024

I've given your recommendations a shot, but I don't think they are having any positive effect. I'm not certain that the /tmp/splunk_ansible_pre_tasks.yml I created is actually being executed.

The very end of the error output still says the same thing:

Exiting with failure status due to previous errors\n", "out": "", "rc": 2}, "gid": 0, "group": "root", "handler": "TgzArchive", "mode": "0755", "msg": "failed to unpack /var/tmp/ansible-tmp-1548663281.65-264095580488254/source to /opt", "owner": "root", "size": 4096, "src": "/var/tmp/ansible-tmp-1548663281.65-264095580488254/source", "state": "directory", "uid": 0}

I'm not 100% sure how to interpret this, but I believe it's still saying that the /opt directory is still owned by root. Therefore, the /tmp/splunk_ansible_pre_tasks.yml isn't enough on its own. Is there something else I need to do to get it to execute?

Out of curiosity, I've updated both the splunk and splunkforwarder images to 7.2.3, and I'm not having any issues with the splunk image. I'm able to map my app on my host machine using a volume directly into /opt/splunk/etc/apps. Is there some reason that the containers should behave differently?

from docker-splunk.

nwang92 avatar nwang92 commented on June 9, 2024

@LorenKeagle there's actually an initial task that runs that should change permissions of everything under /opt/splunk to the splunk user. See https://github.com/splunk/splunk-ansible/blob/develop/roles/splunk_common/tasks/change_splunk_directory_owner.yml

Also regarding your latest comment, did upgrading to 7.2.3 resolve this issue for you? Maybe I'm a bit confused, I thought the initial problem you had was with the 7.2.3 image. Nevermind, turns out I can't read. It seems like the problem is with the universalforwarder image entirely, and not the splunk image. I think I know the problem if that's the case, but can you confirm?

from docker-splunk.

LorenKeagle avatar LorenKeagle commented on June 9, 2024

@nwang92 That's correct!

Some background. I initially reported a startup issue for splunk forwarder in #32. Once I saw that was fixed and in Dockerhub, I updated my Dockerfile to pull from 7.2.3 to try it out, and then ran into this issue.

The splunk image works great using volumes to map apps from my host into /opt/splunk/etc/apps, but this fails in the splunk forwarder due to some permissions issue. Perhaps the ansible scripts between the two images are different? I would think the installation steps would be very similar between the two, but there's apparently a discrepancy.

If there is an official supported way to 'preload' a local app into the container, please let me know. Maybe there's a better way to go about this that utilizes your existing ansible setup tasks.

from docker-splunk.

nwang92 avatar nwang92 commented on June 9, 2024

Got it, yes I'm seeing the difference between the behavior of splunk/splunk and splunk/universalforwarder. I can get that fixed as part of the upcoming 7.2.4 release.

The latest Splunk image (7.2.3) does have limited app support, basically anything from Splunkbase or any http://... link. There was an issue with supporting https:// links, but that's resolved within the develop branch only right now.

You can create a container with something like docker run -d -e SPLUNK_PASSWORD=helloworld -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_APPS_URL=http://webserver/app.tgz splunk/universalforwarder to automatically install an app bundle. I'm open to more feedback on how people use their apps + Splunk environments, but I imagine this would be useful amongst those running Splunk in docker because:

  1. It follows the model of "declarative" infrastructure - if you need a Splunk deployment with a particular app or set of apps, you should be able to define that at boot-time
  2. There is some flexibility in where apps come from - maybe certain teams like using Splunkbase, maybe others would prefer to host/cache/build independent apps internally. Either way, there should be a little flexibility in terms of "bringing-your-own-infrastructure" to support your stack.

But again, completely open to feedback or suggestions on this. I think your use case is valid and we should support that going forward. The only "issue" of bind-mounting apps is it may not be a very portable solution when transitioning to running these Splunk containers in a large cluster.

from docker-splunk.

LorenKeagle avatar LorenKeagle commented on June 9, 2024

@nwang92 Awesome that you found a difference! I was hoping I wasn't crazy :-D

In our case, our app is not public, as it potentially exposes IP and product capabilities to our competitors. However, my use case for this environment is intended to be a local, completely isolated demo/POV setup, with all required components already available in the repository. The app is already part of the local repo, so it would not be desired to have to upload it to an HTTP server just so the build script can access it. If there's a way to reference a local archive or mapped folder (either via a volume or through a COPY build command) that would be ideal.

from docker-splunk.

nwang92 avatar nwang92 commented on June 9, 2024

Going to close this - the code is currently in develop right now if you want to build your own images for now. But it will be released as part of 7.2.4 (expected to come out next week). I also added a test case that bind-mounts full app directories to the running container and validates that apps get registered in Splunk with this PR: #120

from docker-splunk.
