Is there a Solaris SMF manifest for Splunk?

pde
Path Finder

Hey, Pete! You keep rambling about the SMF. Can we see your manifest?

1 Solution

pde
Path Finder

Why sure!

This manifest runs Splunk on Solaris systems, as the user 'splunk', and grants it the net_privaddr (allowing it to bind to ports < 1024) and file_dac_read (allowing it to read any file on the system) privileges.

<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<service_bundle type='manifest' name='export'>
  <service name='site/splunk' type='service' version='0'>
    <create_default_instance enabled='false'/>
    <single_instance/>
    <dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/system/filesystem/local'/>
    </dependency>
    <dependency name='splunk_multi-user' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/milestone/multi-user'/>
    </dependency>
    <dependency name='splunk_network' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/milestone/network'/>
    </dependency>
    <dependency name='splunk-binary' grouping='require_all' restart_on='refresh' type='path'>
      <service_fmri value='file://localhost/opt/splunk/bin/splunk'/>
    </dependency>
    <dependency name='splunk-license' grouping='require_all' restart_on='refresh' type='path'>
      <service_fmri value='file://localhost/opt/splunk/etc/splunk.license'/>
    </dependency>
    <dependent name='splunk_multi-user-server' restart_on='none' grouping='optional_all'>
      <service_fmri value='svc:/milestone/multi-user-server'/>
    </dependent>
    <method_context project=':default' resource_pool=':default' working_directory=':default'>
      <method_credential group='splunk' limit_privileges=':default' privileges='basic,file_dac_read,net_privaddr' supp_groups=':default' user='splunk'/>
      <method_environment>
        <envvar name='HOME' value='/opt/splunk'/>
      </method_environment>
    </method_context>
    <exec_method name='start' type='method' exec='/opt/splunk/bin/splunk %m --accept-license' timeout_seconds='300'>
      <method_context/>
    </exec_method>
    <exec_method name='stop' type='method' exec='/opt/splunk/bin/splunk %m' timeout_seconds='300'>
      <method_context/>
    </exec_method>
    <exec_method name='refresh' type='method' exec='/opt/splunk/bin/splunk restart' timeout_seconds='600'>
      <method_context/>
    </exec_method>
    <stability value='Unstable'/>
    <template>
      <common_name>
        <loctext xml:lang='C'>splunk log server</loctext>
      </common_name>
    </template>
  </service>
</service_bundle>
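
An added example, not part of the post above and not Splunk's or Solaris's own tooling: a Python check that parses an SMF manifest and lists what each method_credential grants beyond the basic set, so a reviewer can see what the service account is allowed to do before the manifest is imported. The embedded manifest is a trimmed copy of the one above, and the names `extra_privileges`, `audit` and `NOTES` are this example's own.

```python
import xml.etree.ElementTree as ET

# Trimmed copy of the manifest above (dependencies, exec methods and
# template omitted); the method_credential line is unchanged.
MANIFEST = """<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<service_bundle type='manifest' name='export'>
  <service name='site/splunk' type='service' version='0'>
    <method_context project=':default' resource_pool=':default' working_directory=':default'>
      <method_credential group='splunk' limit_privileges=':default' privileges='basic,file_dac_read,net_privaddr' supp_groups=':default' user='splunk'/>
    </method_context>
  </service>
</service_bundle>
"""

# What each privilege allows, as described in the post above.
NOTES = {
    "file_dac_read": "can read any file on the system",
    "net_privaddr": "can bind to ports < 1024",
}

def extra_privileges(spec):
    """Privileges a spec adds on top of 'basic'; '!name'/'-name' removals are skipped."""
    names = [p.strip() for p in spec.split(",") if p.strip()]
    return [p for p in names
            if p not in ("basic", ":default") and p[0] not in "!-"]

def audit(manifest_xml):
    """Return one finding per method_credential element in the manifest."""
    findings = []
    for svc in ET.fromstring(manifest_xml).iter("service"):
        for cred in svc.iter("method_credential"):
            extra = extra_privileges(cred.get("privileges", ":default"))
            findings.append({
                "service": svc.get("name"),
                "user": cred.get("user"),
                "group": cred.get("group"),
                "limit_privileges": cred.get("limit_privileges"),
                "extra": {p: NOTES.get(p, "not described on this page; review manually")
                          for p in extra},
            })
    return findings

if __name__ == "__main__":
    for finding in audit(MANIFEST):
        print(finding["service"], "runs as", finding["user"])
        for priv, note in finding["extra"].items():
            print("  ", priv, "-", note)
```

Of the two grants it reports for this manifest, file_dac_read is the broader one: a non-root splunk account holding it can still read every file on the host.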


djalton
Engager

If you change your shell to bash, you will be able to use tab to auto-complete.

e82than
Communicator

I found this page useful and want to share the results of my own maiden try on a Solaris 10 / Intel x64 box. I did all this as root.

Splunk's guide for the Solaris install is rather vague. It won't even cover how to use the file in the first place.

Here are the real steps.

On your Solaris box, download Splunk (assuming Firefox is used and puts it into a folder called /Download), then open a terminal.

cd /Downloads

Uncompress it

uncompress splunk.(whatever version+build u use).intel.pkg.Z

Install it

pkgadd -d (name of the extracted file.pkg)

When you screw up, this is helpful: the uninstall command.

pkgrm splunk

For SMF to work, I had to:

1) Make sure that Splunk is not enabled at boot start.
2) Splunk license accepted.
3) I did not have to create another user account and elevate Splunk's rights.

Useful commands to know for use in the Solaris terminal:

svcs splunk

svcadm enable splunk

svcadm disable splunk

A similar reference that I used to create the SMF service:

http://pluto.potsdam.edu/ezproxywiki/index.php/Solaris_SMF_Manifest_for_EZproxy

I can't remember the times I had to refer to this doc.

One more tip: in Solaris, download the pkg.Z file and rename it to something shorter (keeping pkg.z, of course). Wished I had done it earlier, because it would have saved me a lot of time typing in the filename. You can't use the tab key to auto-complete in Solaris, unlike Ubuntu. (Maybe someone can shed some light on this?)

loadedmind
New Member

This is awesome stuff! Thanks for taking the time to post this. When referencing the link you provided to EZproxy, as it compares to Splunk, if the machine Splunk is on (as a forwarder), for /lib/svc/method, should I simply create an empty file called splunkforwarder and link this to the binary for Splunk in /opt/splunkforwarder/bin?

0 Karma

mikelanghorst
Motivator

As djalton mentions as a separate answer, using bash will allow tab-completion.

Solaris's default shell is still Bourne, which doesn't have that functionality.

wmosher
Path Finder

For bonus points PDE, any creative solutions to still using restartSplunkd=true in my Deployment Server's serverclass.conf and not ending up with all my forwarders in SMF maintenance mode every time I want to push a change?

araitz
Splunk Employee

This post used to have an unnecessary DEBUG flag that I just removed.

0 Karma