Install splunk v7.0.3 on rhel9

Karinaoist
Observer

I have this Dockerfile where my base image is Red Hat 9:

ENV SPLUNK_PRODUCT splunk
ENV SPLUNK_VERSION 7.0.3
ENV SPLUNK_BUILD fa31da744b51
ENV SPLUNK_FILENAME splunk-${SPLUNK_VERSION}-${SPLUNK_BUILD}-Linux-x86_64.tgz

ENV SPLUNK_HOME /opt/splunk
ENV SPLUNK_GROUP splunk
ENV SPLUNK_USER splunk
ENV SPLUNK_BACKUP_DEFAULT_ETC /var/opt/splunk
ENV OPTIMISTIC_ABOUT_FILE_LOCKING=1


RUN groupadd -r ${SPLUNK_GROUP} \
&& useradd -r -m -g ${SPLUNK_GROUP} ${SPLUNK_USER}


RUN dnf -y update \
&& dnf -y install --setopt=install_weak_deps=False glibc-langpack-en glibc-all-langpacks \
&& localedef -i en_US -f UTF-8 en_US.UTF-8 || echo "Locale generation failed" \
&& dnf clean all
ENV LANG en_US.UTF-8

# pdfgen dependency
RUN dnf -y install krb5-libs \
&& dnf clean all

# Download official Splunk release, verify checksum and unzip in /opt/splunk
# Also backup etc folder, so it will be later copied to the linked volume
RUN dnf -y install wget sudo
RUN mkdir -p ${SPLUNK_HOME} \
&& wget -qO /tmp/${SPLUNK_FILENAME} https://download.splunk.com/products/${SPLUNK_PRODUCT}/releases/${SPLUNK_VERSION}/linux/${SPLUNK_FIL...} \
&& wget -qO /tmp/${SPLUNK_FILENAME}.md5 https://download.splunk.com/products/${SPLUNK_PRODUCT}/releases/${SPLUNK_VERSION}/linux/${SPLUNK_FIL... \
&& (cd /tmp && md5sum -c ${SPLUNK_FILENAME}.md5) \
&& tar xzf /tmp/${SPLUNK_FILENAME} --strip 1 -C ${SPLUNK_HOME} \
&& rm /tmp/${SPLUNK_FILENAME} \
&& rm /tmp/${SPLUNK_FILENAME}.md5 \
&& dnf -y remove wget \
&& dnf clean all \
&& mkdir -p /var/opt/splunk \
&& cp -R ${SPLUNK_HOME}/etc ${SPLUNK_BACKUP_DEFAULT_ETC} \
&& rm -fR ${SPLUNK_HOME}/etc \
&& chown -R ${SPLUNK_USER}:${SPLUNK_GROUP} ${SPLUNK_HOME} \
&& chown -R ${SPLUNK_USER}:${SPLUNK_GROUP} ${SPLUNK_BACKUP_DEFAULT_ETC}

COPY etc/ /opt/splunk/etc/
COPY license.xml /splunk-license.xml
COPY entrypoint.sh /sbin/entrypoint.sh
RUN chmod +x /sbin/entrypoint.sh

EXPOSE 9998/tcp
EXPOSE 9999/tcp

WORKDIR /opt/splunk

ENV SPLUNK_CMD edit user admin -password admin -auth admin:changeme --accept-license --no-prompt
ENV SPLUNK_CMD_1 add licenses /splunk-license.xml -auth admin:admin
ENV SPLUNK_START_ARGS --accept-license --answer-yes

VOLUME [ "/opt/splunk/etc", "/opt/splunk/var" ]

ENTRYPOINT ["/sbin/entrypoint.sh"]
CMD ["start-service"]

I also mount volumes in /data/splunk 

And use this command to run the container from the host 

docker run \
--name splunk \
--hostname splunk \
-d \
-p 80:8000 \
-p 8088:8088 \
-p 8089:8089 \
-p 9998:9998 \
-p 9999:9999 \
-v $splunkVarRoot:/opt/splunk/var \
-v $splunkEtcRoot:/opt/splunk/etc \
-e "SPLUNK_START_ARGS=--accept-license --answer-yes" \
$IMPL_DOCKER_REPO/$splunkVersion

docker run \
--name splunk \
--hostname splunk \
-d \
-p 80:8000 \
-p 8088:8088 \
-p 8089:8089 \
-p 9998:9998 \
-p 9999:9999 \
-v /data/splunk/var:/opt/splunk/var \
-v /data/splunk/etc:/opt/splunk/etc \
-e "SPLUNK_START_ARGS=--accept-license --answer-yes" \
my_image


The UI is working and seems OK, but I don't see any data and I get this: 'kv store process terminated abnormally exit code 1'.
What should I do?

0 Karma

PickleRick
SplunkTrust

1. Why would you use version 7.0.3???

2. Why use the container anyway?

3. You're exposing port 8000 as 80. Are you planning on running unprotected HTTP?

4. Did you look into the logs?

5. We have no idea what is in your entrypoint.sh

6. Why not just install the rpm (even if inside the container)?

0 Karma
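
A pre-build check for what is visible in this thread's Dockerfile and run command: credentials passed through ENV, an MD5 file fetched from the download host, and the web port published on host port 80 (item 3 of the reply). This is an added example, not code from either poster or from Splunk; the function and rule names are made up for illustration, and 8000 as the web UI port is an assumption taken from the posted mapping.

```python
import re
import shlex

# Excerpts copied from the Dockerfile and run command in the question above.
DOCKERFILE = """\
ENV SPLUNK_CMD edit user admin -password admin -auth admin:changeme --accept-license --no-prompt
ENV SPLUNK_CMD_1 add licenses /splunk-license.xml -auth admin:admin
ENV SPLUNK_START_ARGS --accept-license --answer-yes
&& (cd /tmp && md5sum -c ${SPLUNK_FILENAME}.md5)
"""
RUN_CMD = ("docker run --name splunk -d -p 80:8000 -p 8088:8088 -p 8089:8089 "
           "-v /data/splunk/etc:/opt/splunk/etc my_image")

CRED = re.compile(r"-auth\s+\S+:\S+|-password\s+\S+")

def audit_dockerfile(text):
    """Return (line_number, rule) findings; rule names are made up for this example."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("ENV ") and CRED.search(line):
            # ENV values stay in the image config (docker inspect, docker history).
            findings.append((no, "credential-in-env"))
        if re.search(r"\bmd5sum\s+-c\b", line):
            # A digest fetched from the same host as the archive catches a
            # corrupted download, not a replaced one.
            findings.append((no, "md5-from-download-host"))
    return findings

def published_ports(cmd):
    """Parse -p/--publish values into (bind_ip, host_port, container_port); no IPv6 binds."""
    args, ports = shlex.split(cmd), []
    for opt, val in zip(args, args[1:]):
        if opt in ("-p", "--publish"):
            parts = val.split("/")[0].split(":")
            ports.append(tuple([""] * (3 - len(parts)) + parts))
    return ports

def audit_run(cmd, web_port="8000"):
    """Flag the web UI published on host port 80; web_port=8000 is an assumption."""
    findings = []
    for ip, host, cont in published_ports(cmd):
        if cont == web_port and host == "80":
            scope = ip or "all interfaces (Docker default)"
            findings.append((f"{host}:{cont}", f"web UI on host port 80, bound to {scope}"))
    return findings

if __name__ == "__main__":
    for finding in audit_dockerfile(DOCKERFILE) + audit_run(RUN_CMD):
        print(finding)
```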