From 8a56fea5f0573b0835cda707e10b307a5fd88c51 Mon Sep 17 00:00:00 2001
From: Mike Dickey
Date: Tue, 11 Jun 2019 18:25:44 -0700
Subject: [PATCH 1/9] Added /opt/splunk/etc to image and made some updates to splunk's home directory
---
 splunk/common-files/Dockerfile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/splunk/common-files/Dockerfile b/splunk/common-files/Dockerfile
index f30642ce..4906ce04 100644
--- a/splunk/common-files/Dockerfile
+++ b/splunk/common-files/Dockerfile
@@ -21,16 +21,15 @@ FROM ${SPLUNK_BASE_IMAGE}:latest as package
 ARG SPLUNK_BUILD_URL
 COPY splunk/common-files/make-minimal-exclude.py /tmp
 RUN python /tmp/make-minimal-exclude.py ${SPLUNK_BUILD_URL} > /tmp/splunk-minimal-exclude.list
-RUN echo "Downloading Splunk and validating the checksum at: ${SPLUNK_BUILD_URL}"
 RUN wget -qO /tmp/splunk.tgz ${SPLUNK_BUILD_URL}
 RUN wget -qO /tmp/splunk.tgz.md5 ${SPLUNK_BUILD_URL}.md5
 RUN test $(md5sum /tmp/splunk.tgz | sed 's,\([a-z0-9]*\).*,\1,') = $(cat /tmp/splunk.tgz.md5 | sed 's,MD5.*=.\([a-z0-9]*\).*,\1,')
-RUN mkdir -p /opt/splunk/var /minimal/splunk/var /extras/splunk/var
+RUN mkdir -p /minimal/splunk/var /extras/splunk/var
 RUN tar -C /minimal/splunk --strip 1 --exclude-from=/tmp/splunk-minimal-exclude.list -zxf /tmp/splunk.tgz
 RUN tar -C /extras/splunk --strip 1 --wildcards --files-from=/tmp/splunk-minimal-exclude.list -zxf /tmp/splunk.tgz
 RUN mv /minimal/splunk/etc /minimal/splunk-etc
 RUN mv /extras/splunk/etc /extras/splunk-etc
-RUN mkdir -p /minimal/splunk/share/splunk/search_mrsparkle/modules.new
+RUN mkdir -p /minimal/splunk/etc /minimal/splunk/share/splunk/search_mrsparkle/modules.new
 COPY splunk/common-files/apps /extras/splunk-etc/apps/
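Review bot: The new `RUN mkdir -p /minimal/splunk/etc …` line recreates an empty etc/ a few lines after `RUN mv /minimal/splunk/etc /minimal/splunk-etc` moved the shipped one out of the way, and nothing in the hunk says why; a comment such as `# etc/ ships in /minimal/splunk-etc (moved above); keep an empty /minimal/splunk/etc placeholder, presumably filled in at runtime by updateetc.sh` would spare the next reader the archaeology, since the commit title only says the directory was added. Separately, the adjacent md5 check compares the tarball against a `.md5` fetched from the same `${SPLUNK_BUILD_URL}` origin, so it detects corruption but not a substituted download; passing an expected digest in as a build ARG and checking it with `sha256sum -c` would make the verification independent of the download source. That line is context rather than new code, so it can be a follow-up.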
@@ -56,7 +55,8 @@ COPY [ "splunk/common-files/updateetc.sh", "/sbin/" ]
 # Setup users and groups
 RUN groupadd -r -g ${GID} ${SPLUNK_GROUP} \
- && useradd -r -m -u ${UID} -g ${GID} ${SPLUNK_USER} \
+ && useradd -r -m -u ${UID} -g ${GID} -s /sbin/nologin -d ${SPLUNK_HOME} ${SPLUNK_USER} \
+ && chown -R splunk.splunk ${SPLUNK_HOME} \
 && chmod 755 /sbin/updateetc.sh
 COPY --from=package --chown=splunk:splunk /minimal /opt
From f569f1bd1e72b02da0db88ada797879549aa358a Mon Sep 17 00:00:00 2001
From: Zolvaring
Date: Wed, 12 Jun 2019 10:23:01 -0700
Subject: [PATCH 2/9] Remove trailing slash for SPLUNK_HOME
Removes a trailing slash when setting the SPLUNK_HOME variable, which may cause Indexers to fail with the message "ERROR: Couldn't read "/opt/splunk//etc/splunk-launch.conf" -- maybe $SPLUNK_HOME or $SPLUNK_ETC is set wrong?" due to duplicate slashes.
---
 .../splunk-indexer-statefulset-persistent.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test_scenarios/kubernetes/3idxc3shc1cm1lm1dep-pvc/splunk-indexer-statefulset-persistent.yaml b/test_scenarios/kubernetes/3idxc3shc1cm1lm1dep-pvc/splunk-indexer-statefulset-persistent.yaml
index 7a26212b..7707b836 100644
--- a/test_scenarios/kubernetes/3idxc3shc1cm1lm1dep-pvc/splunk-indexer-statefulset-persistent.yaml
+++ b/test_scenarios/kubernetes/3idxc3shc1cm1lm1dep-pvc/splunk-indexer-statefulset-persistent.yaml
@@ -49,7 +49,7 @@ spec:
 image: splunk/splunk:latest
 env:
 - name: SPLUNK_HOME
- value: /opt/splunk/
+ value: /opt/splunk
 - name: SPLUNK_DEFAULTS_URL
 value: http://splunk-defaults/default.yml
 - name: SPLUNK_START_ARGS
From 2181c28143f5329167fdb981ab5e20eacae91de8 Mon Sep 17 00:00:00 2001
From: Nelson Wang
Date: Mon, 17 Jun 2019 17:06:06 -0700
Subject: [PATCH 3/9] Adding docs on UF sidecar model
---
 docs/EXAMPLES.md | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
diff --git a/docs/EXAMPLES.md b/docs/EXAMPLES.md
index 4414df3e..7cfb47ad 100644
--- a/docs/EXAMPLES.md
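Review bot: The added `&& chown -R splunk.splunk ${SPLUNK_HOME} \` hard-codes the user and group while the useradd on the line above takes them from `${SPLUNK_USER}` and `${GID}`; `&& chown -R ${SPLUNK_USER}:${SPLUNK_GROUP} ${SPLUNK_HOME} \` keeps the two in step and uses the `user:group` separator instead of the legacy dot form. The recursive chown also runs before `COPY --from=package --chown=splunk:splunk /minimal /opt` populates the tree, and `useradd -m -d ${SPLUNK_HOME}` already creates the home owned by that user, so the line appears redundant; patch 5/9 in this series drops it. The `-s /sbin/nologin` on the service account is a worthwhile hardening and deserves a one-line comment saying so, because patch 4/9 reverts it citing only an unnamed downstream issue.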
+++ b/docs/EXAMPLES.md
@@ -20,6 +20,7 @@ Note that for more complex scenarios, we will opt to use a [Docker compose file]
 * [Create search head cluster](#create-search-head-cluster)
 * [Create indexer cluster and search head cluster](#create-indexer-cluster-and-search-head-cluster)
 * [Enable root endpoint on SplunkWeb](#enable-root-endpoint-on-splunkweb)
+* [Create sidecar forwarder](#create-sidecar-forwarder)
 * [More](#more)
 ## Create standalone from CLI
@@ -808,5 +809,47 @@ $ SPLUNK_PASSWORD= docker-compose up -d
 Then, visit SplunkWeb on your browser with the root endpoint in the URL, such as `http://localhost:8000/splunkweb`.
+## Create sidecar forwarder
+
k8s-sidecar.yml

+
+```
+apiVersion: v1
+kind: Pod
+metadata:
+ name: example
+spec:
+ containers:
+ - name: splunk-uf
+ image: splunk/universalforwarder:latest
+ env:
+ - name: SPLUNK_START_ARGS
+ value: --accept-license
+ - name: SPLUNK_PASSWORD
+ value: helloworld
+ - name: SPLUNK_CMD
+ value: add monitor /var/log/
+ - name: SPLUNK_STANDALONE_URL
+ value: splunk.company.internal
+ volumeMounts:
+ - name: shared-data
+ mountPath: /var/log
+ - name: my-app
+ image: my-app
+ volumeMounts:
+ - name: shared-data
+ mountPath: /app/logs/
+ volumes:
+ - name: shared-data
+ emptyDir: {}
+```
+

+
+Execute the following to bring up your deployment:
+```
+$ kubectl apply -f k8s-sidecar.yml
+```
+
+After your pod is ready, the universal forwarder will be reading the logs generated by your app via the shared volume mount. In the ideal case, your app is generating the logs while the forwarder is reading them and streaming the output to a separate Splunk instance located at splunk.company.internal.
+
 ## More
 There are a variety of Docker compose scenarios in the `docker-splunk` repo [here](https://github.com/splunk/docker-splunk/tree/develop/test_scenarios). Please feel free to use any of those for reference in terms of different topologies!
From 36817b11ff85455646726879f2d1facd25f11bd0 Mon Sep 17 00:00:00 2001
From: Brent Boe
Date: Mon, 17 Jun 2019 18:45:37 -0700
Subject: [PATCH 4/9] Seems to cause an issue with downstream images
---
 splunk/common-files/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/splunk/common-files/Dockerfile b/splunk/common-files/Dockerfile
index 4906ce04..33e699a5 100644
--- a/splunk/common-files/Dockerfile
+++ b/splunk/common-files/Dockerfile
@@ -55,7 +55,7 @@ COPY [ "splunk/common-files/updateetc.sh", "/sbin/" ]
 # Setup users and groups
 RUN groupadd -r -g ${GID} ${SPLUNK_GROUP} \
- && useradd -r -m -u ${UID} -g ${GID} -s /sbin/nologin -d ${SPLUNK_HOME} ${SPLUNK_USER} \
+ && useradd -r -m -u ${UID} -g ${GID} ${SPLUNK_USER} \
 && chown -R splunk.splunk ${SPLUNK_HOME} \
 && chmod 755 /sbin/updateetc.sh
From 2501c9fe51ce3a6c8af15c86b721d3f24c64dc2a Mon Sep 17 00:00:00 2001
From: Brent Boe
Date: Mon, 17 Jun 2019 20:50:37 -0700
Subject: [PATCH 5/9] removing chown
---
 splunk/common-files/Dockerfile | 1 -
 1 file changed, 1 deletion(-)
diff --git a/splunk/common-files/Dockerfile b/splunk/common-files/Dockerfile
index 33e699a5..f3d4702d 100644
--- a/splunk/common-files/Dockerfile
+++ b/splunk/common-files/Dockerfile
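Review bot: The replacement useradd line drops both `-s /sbin/nologin` and `-d ${SPLUNK_HOME}` in one go, while the commit says only that something "seems to cause an issue with downstream images" without naming which flag is at fault; removing the login shell from a service account is a hardening step unrelated to where its home directory lives, so if the downstream problem is the home path (the series does not say), `&& useradd -r -m -u ${UID} -g ${GID} -s /sbin/nologin ${SPLUNK_USER} \` would keep the shell restriction. Whichever flag was the culprit, a comment on the line naming the downstream image and the failure mode would stop the next cleanup from reintroducing it. The `chown -R splunk.splunk ${SPLUNK_HOME}` context line still hard-codes names that `${SPLUNK_USER}` and `${SPLUNK_GROUP}` carry elsewhere in this RUN; patch 5/9 removes it.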
@@ -56,7 +56,6 @@ COPY [ "splunk/common-files/updateetc.sh", "/sbin/" ]
 # Setup users and groups
 RUN groupadd -r -g ${GID} ${SPLUNK_GROUP} \
 && useradd -r -m -u ${UID} -g ${GID} ${SPLUNK_USER} \
- && chown -R splunk.splunk ${SPLUNK_HOME} \
 && chmod 755 /sbin/updateetc.sh
 COPY --from=package --chown=splunk:splunk /minimal /opt
From 8f2fc485339e35d8aebd437dd6798654a850f291 Mon Sep 17 00:00:00 2001
From: Brent Boe
Date: Wed, 19 Jun 2019 18:25:43 -0700
Subject: [PATCH 6/9] Not too thrilled about this, maybe we should change the splunk and ansible to use the same group
---
 splunk/common-files/Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/splunk/common-files/Dockerfile b/splunk/common-files/Dockerfile
index f3d4702d..9c70e0ac 100644
--- a/splunk/common-files/Dockerfile
+++ b/splunk/common-files/Dockerfile
@@ -105,6 +105,7 @@ RUN sed -i -e 's/%sudo\s\+ALL=(ALL\(:ALL\)\?)\s\+ALL/%sudo ALL=NOPASSWD:ALL/g' /
 && mkdir ${CONTAINER_ARTIFACT_DIR} \
 && chown -R ${ANSIBLE_USER}:${ANSIBLE_GROUP} $CONTAINER_ARTIFACT_DIR \
 && chmod -R 555 ${SPLUNK_ANSIBLE_HOME} \
+ && chmod -R 777 ${CONTAINER_ARTIFACT_DIR} \
 && chmod 755 /sbin/entrypoint.sh /sbin/createdefaults.py /sbin/checkstate.sh
 USER ${ANSIBLE_USER}
From 22f40af7a3b11fd118369410818e8cfc1844ddd4 Mon Sep 17 00:00:00 2001
From: Brent Boe
Date: Thu, 20 Jun 2019 13:42:34 -0700
Subject: [PATCH 7/9] Updating splunk version to 7.3.0
---
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index d28161b9..0ec32515 100644
--- a/Makefile
+++ b/Makefile
@@ -7,8 +7,8 @@ SPLUNK_ANSIBLE_BRANCH ?= develop
 SPLUNK_COMPOSE ?= cluster_absolute_unit.yaml
 # Set Splunk version/build parameters here to define downstream URLs and file names
 SPLUNK_PRODUCT := splunk
-SPLUNK_VERSION := 7.2.6
-SPLUNK_BUILD := c0bf0f679ce9
+SPLUNK_VERSION := 7.3.0
+SPLUNK_BUILD := 657388c7a488
 ifeq ($(shell arch), s390x)
 SPLUNK_ARCH = s390x
 else
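Review bot: `&& chmod -R 777 ${CONTAINER_ARTIFACT_DIR} \` makes the artifact directory world-writable for every account in the image, one line after `chown -R ${ANSIBLE_USER}:${ANSIBLE_GROUP} $CONTAINER_ARTIFACT_DIR` scoped it to the ansible user; the commit message already doubts the choice, and the alternative it names, a shared group, is the right one. Assuming the writer is the splunk account (not visible in this hunk, so confirm) and `${SPLUNK_USER}` is still in scope in this stage, `&& usermod -aG ${ANSIBLE_GROUP} ${SPLUNK_USER} \`, `&& chmod -R 775 ${CONTAINER_ARTIFACT_DIR} \` and `&& chmod g+s ${CONTAINER_ARTIFACT_DIR} \` (or the base image's equivalent of usermod) give both users write access without opening the directory to everyone else, and the setgid bit makes new files inherit the group. If 777 has to stay for now, a comment on the line naming the writer and the reason would at least mark it as deliberate. The RUN this hunk sits in begins before the hunk.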
From 38774b6bcc84553bca19b0c51cd574062f6f3aac Mon Sep 17 00:00:00 2001
From: Mike Dickey
Date: Tue, 9 Jul 2019 11:15:52 -0700
Subject: [PATCH 8/9] Updated script used to generate list of files to exclude from minimal images, so that it supports major version numbers greater than 7.
Note that manual review of file diffs for every major.minor and corresponding updates for this script is still recommended.
---
 splunk/common-files/make-minimal-exclude.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/splunk/common-files/make-minimal-exclude.py b/splunk/common-files/make-minimal-exclude.py
index f461da17..54a9c3ce 100755
--- a/splunk/common-files/make-minimal-exclude.py
+++ b/splunk/common-files/make-minimal-exclude.py
@@ -41,3 +41,6 @@
 print "*/etc/apps/gettingstarted*"
 else:
 print "*/etc/apps/splunk_metrics_workspace*"
+ elif int(m.group(1)) > 7:
+ print EXCLUDE_V7
+ print "*/etc/apps/splunk_metrics_workspace*"
From f19478301aa2f03034284b4f40f48f233ea1e055 Mon Sep 17 00:00:00 2001
From: tonyl
Date: Wed, 31 Jul 2019 14:16:00 -0700
Subject: [PATCH 9/9] Release content
---
 Makefile | 4 ++--
 docs/CHANGELOG.md | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 0ec32515..aa16f2c2 100644
--- a/Makefile
+++ b/Makefile
@@ -7,8 +7,8 @@ SPLUNK_ANSIBLE_BRANCH ?= develop
 SPLUNK_COMPOSE ?= cluster_absolute_unit.yaml
 # Set Splunk version/build parameters here to define downstream URLs and file names
 SPLUNK_PRODUCT := splunk
-SPLUNK_VERSION := 7.3.0
-SPLUNK_BUILD := 657388c7a488
+SPLUNK_VERSION := 7.3.1
+SPLUNK_BUILD := bd63e13aa157
 ifeq ($(shell arch), s390x)
 SPLUNK_ARCH = s390x
 else
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 98291180..f30f99e9 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -2,6 +2,7 @@
 ## Navigation
+* [7.3.1](#731)
 * [7.3.0](#730)
 * [7.2.7](#727)
 * [7.2.6](#726)
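Review bot: The new `elif int(m.group(1)) > 7:` branch carries no comment, while the commit message holds the one fact a maintainer needs: releases past 7 reuse the 7.x exclude list only until someone has reviewed the file diff for that release. Put that on the branch, e.g. `# Majors above 7 reuse EXCLUDE_V7 until the file list for that release has been reviewed by hand; revisit on every major.minor bump`, so the caveat travels with the code rather than the git log. The diff here has lost its indentation, so whether the `elif` chains to the outer `if` on `m.group(1)` (presumably the major version) rather than sitting under the inner `else:` shown directly above it should be confirmed against the file, since an `elif` following an `else:` at the same depth would not parse; that outer `if` starts before the hunk. The branch also prints `*/etc/apps/splunk_metrics_workspace*` exactly as the `else:` above does, so whether later majors still ship that app is an assumption worth stating in the same comment.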
@@ -15,6 +16,24 @@
 ---
+## 7.3.1
+
+#### What's New?
+* New Splunk Enterprise release of 7.3.1
+
+#### docker-splunk changes:
+* Bumping Splunk version. For details, see: https://docs.splunk.com/Documentation/Splunk/7.3.1/ReleaseNotes/Fixedissues
+* Documentation update
+* Minor bug fixes
+
+#### splunk-ansible changes:
+* Fixed Enterprise Security application installation issues
+* Refactored Systemd
+* Fixed Ansible formatting issue
+* Cleaned up Python files before install
+
+---
+
 ## 7.3.0
 #### What's New?