Why has the Splunk Enterprise Trial license already expired in a brand new Docker container?

Graham_Hanningt
Builder

I'm using a Docker image, created in 2017, whose dockerfile specifies:

from splunk/splunk:6.6.3

The image is available from Docker Hub:

https://hub.docker.com/r/fundisoftware/taw-splunk/

I, and other users, have successfully used this image many times to create containers.

Today, however, I had a nasty surprise. I created a container with a typical command:

docker run -d -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_USER=root" -p 38000:8000 -p 38089:8089 -p 31514:1514 --name taw-splunk fundisoftware/taw-splunk:v0.0

The docker log for the new container shows the message:

Your license is expired. Please login as an administrator to update the license.

I thought the license clock only starts ticking after installation. In the context of a Docker container: I thought the clock starts ticking when I create the Docker container.

From the Splunk admin manual topic "Types of Splunk software licenses":

The Enterprise Trial license expires 60 days after you start using Splunk software.

I'm clearly missing something. Why has this license already expired? Because it's an old Splunk version?

I've now switched the Splunk installation in the container to a Free license, and it's working fine, but this issue causes problems in an entrypoint shell script (defined in the dockerfile) that attempts to stream JSON Lines to the newly started Splunk in the container.

One thought: Is there any way to immediately switch to a Free license; say, via environment variables passed by the docker run command?

1 Solution

mattymo
Splunk Employee

Hey Graham!

I am going to assume the image has an old license in there and needs to be rebuilt.

Are you able to try a newer tag for the time being?

https://hub.docker.com/r/splunk/splunk/tags/

- MattyMo

Graham_Hanningt
Builder

Update, November 2020: this issue has recurred, with the now-old Splunk 7.2.0-based Docker image. Not just reoccurred: I believe this issue is likely to occur periodically. I had incorrectly assumed that there was some issue with the "license clock" code in 6.6.3 that had since been solved, but that appears to be untrue.

I'm leaning against ever distributing another pre-packaged, all-in-one Docker image (Splunk + app + sample data). Unless I commit to keeping up with the latest Splunk version; at least, every so often.

Graham_Hanningt
Builder

I've upgraded my Docker image to Splunk 7.2.0. (My Dockerfile now specifies from splunk/splunk:7.2.0 instead of ...6.6.3.)

That fixed the problem. For how long? I wish I knew.

Graham_Hanningt
Builder

Thanks for the suggestion. Yes, that occurred to me, too. I'm on leave for the next couple of days; next week, I'm going to change the from statement in the dockerfile to refer to the latest tag and hope there are no breaking changes that affect my dashboard definitions (it's been several months since I last looked at this stuff).

an old license in there and needs to be rebuilt.

I don't understand the reference to "old license in there", but I'm not surprised; it's clear to me now that I don't understand how license expiry works. With thanks again for the suggestion to move to a newer tag, I'd also appreciate any insight you could offer me there (for example, what exactly do you mean by "old license in there"?).

I guess I didn't expect my Docker image to work forever, but I wasn't anticipating this expiry issue; I really did think that the license clock would start ticking from 0 for each new Docker container, but I'm clearly wrong about that.
