
Is there a Solaris SMF manifest for Splunk?

Path Finder

Hey, Pete! You keep rambling about the SMF. Can we see your manifest?

1 Solution

Path Finder

Why sure!

This manifest runs Splunk on Solaris systems as the user 'splunk', and grants it the net_privaddr (allowing it to bind to ports < 1024) and file_dac_read (allowing it to read any file on the system) privileges.

<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<service_bundle type='manifest' name='export'>
  <service name='site/splunk' type='service' version='0'>
    <create_default_instance enabled='false'/>
    <single_instance/>
    <dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/system/filesystem/local'/>
    </dependency>
    <dependency name='splunk_multi-user' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/milestone/multi-user'/>
    </dependency>
    <dependency name='splunk_network' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/milestone/network'/>
    </dependency>
    <dependency name='splunk-binary' grouping='require_all' restart_on='refresh' type='path'>
      <service_fmri value='file://localhost/opt/splunk/bin/splunk'/>
    </dependency>
    <dependency name='splunk-license' grouping='require_all' restart_on='refresh' type='path'>
      <service_fmri value='file://localhost/opt/splunk/etc/splunk.license'/>
    </dependency>
    <dependent name='splunk_multi-user-server' restart_on='none' grouping='optional_all'>
      <service_fmri value='svc:/milestone/multi-user-server'/>
    </dependent>
    <method_context project=':default' resource_pool=':default' working_directory=':default'>
      <method_credential group='splunk' limit_privileges=':default' privileges='basic,file_dac_read,net_privaddr' supp_groups=':default' user='splunk'/>
      <method_environment>
        <envvar name='HOME' value='/opt/splunk'/>
      </method_environment>
    </method_context>
    <exec_method name='start' type='method' exec='/opt/splunk/bin/splunk %m --accept-license' timeout_seconds='300'>
      <method_context/>
    </exec_method>
    <exec_method name='stop' type='method' exec='/opt/splunk/bin/splunk %m' timeout_seconds='300'>
      <method_context/>
    </exec_method>
    <exec_method name='refresh' type='method' exec='/opt/splunk/bin/splunk restart' timeout_seconds='600'>
      <method_context/>
    </exec_method>
    <stability value='Unstable'/>
    <template>
      <common_name>
        <loctext xml:lang='C'>splunk log server</loctext>
      </common_name>
    </template>
  </service>
</service_bundle>
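
An added example, not part of the original post: a Python check that reads the `method_credential` of an SMF manifest and lists every privilege granted beyond `basic`, so grants such as `file_dac_read` are reviewed before the manifest is imported. The sample is a constructed, trimmed copy of the manifest above; `audit_manifest` and `NOTES` are names made up for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the credential-bearing part of the manifest above
# (DOCTYPE, dependencies and template trimmed).
MANIFEST = """<?xml version='1.0'?>
<service_bundle type='manifest' name='export'>
  <service name='site/splunk' type='service' version='0'>
    <method_context project=':default' resource_pool=':default' working_directory=':default'>
      <method_credential group='splunk' limit_privileges=':default' privileges='basic,file_dac_read,net_privaddr' supp_groups=':default' user='splunk'/>
    </method_context>
    <exec_method name='start' type='method' exec='/opt/splunk/bin/splunk %m --accept-license' timeout_seconds='300'>
      <method_context/>
    </exec_method>
  </service>
</service_bundle>
"""

# Reviewer notes, worded from the post's own description of each privilege.
NOTES = {
    "file_dac_read": "can read any file on the system",
    "net_privaddr": "can bind to ports < 1024",
}


def audit_manifest(xml_text):
    """Return one finding dict per <method_credential> in an SMF manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    for service in root.iter("service"):
        for cred in service.iter("method_credential"):
            privs = [p.strip() for p in cred.get("privileges", ":default").split(",")]
            # Anything other than the 'basic' set is an explicit extra grant.
            extra = [p for p in privs if p not in ("basic", ":default")]
            findings.append({
                "service": service.get("name"),
                "user": cred.get("user", ":default"),
                "group": cred.get("group", ":default"),
                "extra_privileges": extra,
                "notes": [f"{p}: {NOTES.get(p, 'review against privileges(5)')}" for p in extra],
                # True when the manifest names no explicit limit set.
                "limit_set_unpinned": cred.get("limit_privileges", ":default") == ":default",
            })
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(MANIFEST):
        print(finding)
```
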


Engager

If you change your shell to bash, you will be able to use tab to auto-complete.

Communicator

I found this page useful and want to share the results of my own maiden try on a Solaris 10 / Intel x64 box. I did all this as root.

Splunk's guide for the Solaris install is rather vague. It doesn't even cover how to use the file in the first place.

Here are the real steps.

On your Solaris box, download Splunk (assuming Firefox is used and puts it into a folder called /Download), then open a terminal.

cd /Downloads

Uncompress it

uncompress splunk.(whatever version+build u use).intel.pkg.Z

Install it

pkgadd -d (name of the extracted file.pkg)

When you screw up, this is helpful: the uninstall command.

pkgrm splunk

For SMF to work, I had to:

1) Make sure that Splunk is not enabled at boot start.
2) Splunk license accepted.
3) I did not have to create another user account and elevate Splunk's rights.

Useful commands to know for use in the Solaris terminal.

svcs splunk

svcadm enable splunk

svcadm disable splunk

A similar reference that I used to create the SMF service:

http://pluto.potsdam.edu/ezproxywiki/index.php/Solaris_SMF_Manifest_for_EZproxy

I can't remember the times I had to refer to this doc.

One more tip: in Solaris, download the pkg.Z file and rename it to something shorter (keeping pkg.Z, of course). Wish I had done it earlier because it would have saved me a lot of time typing in the filename. You can't use the tab key to auto-complete in Solaris, unlike Ubuntu. (Maybe someone can shed some light on this?)

New Member

This is awesome stuff! Thanks for taking the time to post this. When referencing the link you provided to ezproxy, as it compares to splunk, if the machine splunk is on (as a forwarder), for /lib/svc/method, should I simply create an empty file called splunkforwarder and link this to the binary for splunk in /opt/splunkforwarder/bin?

0 Karma

Motivator

As djalton mentions as a separate answer, using bash will allow tab-completion.

Solaris's default shell is still Bourne, which doesn't have that functionality.

Path Finder

For bonus points PDE, any creative solutions to still using restartSplunkd=true in my Deployment Server's serverclass.conf and not ending up with all my forwarders in SMF maintenance mode every time I want to push a change?

Splunk Employee

This post used to have an unnecessary DEBUG flag that I just removed.

0 Karma