Repeatedly returning to the login page: "Your session has expired. Log in..." about docker-splunk HOT 6 CLOSED

are you running multiple containers on the same host? If so, the session-key cookie will break as it's tracked by the url of the host.

from docker-splunk.

are you running multiple containers on the same host?

Yes.

Each container uses a different set of port numbers. For example, for Splunk Web:

http://myhost:18000/

http://myhost:28000/

If so, the session-key cookie will break as it's tracked by the url of the host.

Sorry, I don't know what you mean by "url of the host".

I understand the terms hostname, port, and URL.

From one of the example URLs I quoted above:

• The hostname is myhost
• The port is 18000
• The Splunk Web URL is http://myhost:18000/. By definition, the URL includes the port.

In Google Chrome developer tools, I see this:

Are you saying that Splunk Web session tracking does not distinguish between URLs with the same hostname but different ports?

from docker-splunk.

your cookies are a little deceiving, the cookies you have are actually "session_id_8000, splunkd_8000" etc, they aren't segregated. To splunk internal to a container, the session_id was created for the port splunk_web think's it's running on. In your case, the issue is that splunk is being proxied to 18000, and the cookie stores the wrong port. Splunk supports running on any port, but this problem frequently happens when it's behind a LB or docker / proxy. Splunk has some internal SPL's open to address this issue, but until those are resolved, this issue will happen anytime you run multiple splunk on the same host.
. Sorry for the inconvenience this causes!

from docker-splunk.

Splunk has some internal SPL's open to address this issue, but until those are resolved, this issue will happen anytime you run multiple splunk on the same host.

Ouch! Thanks for the clarification, much appreciated.

I was wrong about this:

switching Splunk inside the containers to a Splunk Free license would make this issue go away.

because I've just experienced this issue with Splunk Free.

The bleeding obvious: this is a real gotcha for anyone using this Splunk Docker image. This behavior is Docker-unfriendly:

this issue will happen anytime you run multiple splunk on the same host.

from docker-splunk.

I'm not sure what to write about this restriction in the user documentation for my Docker image.

"Don't run more than one Splunk container on the same Docker host"?!

That sounds to me like a (bad) joke; completely contrary to the idea of Docker containers.

Any suggestions?

Would you consider adding a corresponding item to the Troubleshooting topic? (I'm imagining myself as a new user of my Docker image, reading about that restriction, and thinking, "Wait, that can't be true. What do the developers of the base Splunk Docker image have to say about this?")

from docker-splunk.

A local colleague has just looked at this issue, and suggested something I wish I'd thought of: when you start a Docker container, pass an environment variable that sets the Splunk Web port.

We looked at the table of supported environment variables under the documentation heading "Environment variables for Splunk instance", but that table did not list a corresponding environment variable.

We tried this anyway:

docker run -d -e SPLUNK_HTTP_PORT=8001 ... -p 8500:8001 ...

Yep, that worked. Browsing to http://myhost:8500 shows Splunk Web.

We opened a second tab in the same browser to another instance of Splunk Web on a different port of the same host, where the Splunk Web port inside the container was the default 8000.

We then looked at the site cookies in the browser:

cval
session_id_8000
session_id_8001
splunkd_8000
splunkd_8001
splunkweb_csrf_token_8000
splunkweb_csrf_token_8001
splunkweb_uid

Note: In case it's significant, both of these Splunk instances are using the Free license.

Only cval and splunkweb_uid are without port-specific qualifiers.

So far, so good: neither instance of Splunk Web has displayed the dreaded "Your session has expired" message. I'll report back here again if it happens.

Could you please update that table of environment variables to include SPLUNK_HTTP_PORT.

With sincere thanks to my colleague (you know who you are 😉 ).

from docker-splunk.