Hi folks.

I posted here recently exploring how to automatically add an index when docker-compose is bringing up the splunk container.  That post is at https://forums.docker.com/t/add-an-entrypoint-and-command-without-messing-up-the-invocation/123686

I had it working, but it no longer does, and I somewhat-suspect a docker volume problem as well as somewhat-suspect a permissions issue, and also somewhat suspect an OS upgrade.  But I really don't know what the problem is.

Inside the splunk container, I see:

[root@splunk splunk]# cat /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf
[http]
disabled = 0

[http://splunk_hec_token]
disabled = 0
token = really-big-token-thingie

Which is really not what I want.

And outside the splunk container (on the MacOS side), I see:

$ cat splunk-files/opt-splunk-etc-apps-splunk_httpinput-local/inputs.conf
cmd output started 2022 Mon May 02 04:19:43 PM PDT
[http]
disabled = 0

[http://splunk_hec_token]
disabled = 0
token = really-big-token-thingie
index = dev_game-publishing

That is what I want.

In my docker-compose, I have (among other things) :

volumes:

- ./splunk-files/opt-splunk-etc-apps-splunk_httpinput-local/ /opt/splunk/etc/apps/splunk_httpinput/local/

(That long volume line is all-one-line.  It may or may not be wrapping when you view it, though it is wrapping in this editor)

I tried both setting up a volume for the entire directory, as well as just that one file.    I'm hearing that doing an entire directory tends to be more reliable, but both failed the same way.

The directory containing the file is owned by splunk and has restrictive permissions:

[ansible@splunk splunk]$ cat /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf
cat: /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf: Permission denied
[ansible@splunk splunk]$ ls -l /opt/splunk/etc/apps/splunk_httpinput/
total 12
drwxr-xr-x 2 splunk splunk 4096 Jan 15 03:31 default
drwx------ 2 splunk splunk 4096 May 2 22:14 local
drwx------ 2 splunk splunk 4096 May 2 22:14 metadata
[ansible@splunk splunk]$

Which explains why the ansible user can't cat it.  But is ansible painting itself into a corner and preventing itself from making all the changes I need?

I also upgraded from MacOS 11.x to 12.3 in between when this was working, and when it stopped.  I don't know if that's related or not.

I have next to no Splunk and even less Ansible.

Thanks for any and all suggestions!