I'm unable to get Splunk to run in Docker using a newer MBP with an M1 Max chip on a fresh install of Monterey, as well as a fresh install on an M1 Mac mini. I've played with as many settings as I could think of, but can't seem to find an error that indicates what's really going on. As far as I can tell, splunkd starts and binds to port 8089, but Splunk Web fails to bind to port 8000, despite the port being available.

Things I tried and some thoughts:

- My initial thought was that port 8000 was being used by something else, so I tried many other ports with no success. Though, I had no evidence of this (using netstat).
- I then thought that maybe there was a firewall entry not being added correctly, so I checked iptables; it doesn't exist. I then checked firewalld, which also doesn't appear to exist. So no firewall?
- I had a friend take my exact docker compose file and install everything on an older, non-up-to-date MacBook Air running on an Intel chip. That worked...
- I also tried adjusting the timeout values listed in the sensible vars list; that didn't seem to work. Where am I supposed to mount the docker.yaml file to? Where I mounted it didn't work. The var, SPLUNK_CONNECTION_TIMEOUT, added directly to the compose file didn't make a difference either.
- I even tried starting Splunk with debug mode and saw nothing helpful there.

The actual output; notice the time taken under Start Splunk via CLI and failed=1:

```
sh1 | PLAY RECAP *********************************************************************
sh1 | localhost : ok=51 changed=7 unreachable=0 failed=1 skipped=48 rescued=0 ignored=0
sh1 |
sh1 | Friday 14 January 2022 21:48:52 +0000 (0:04:22.382) 0:05:46.139 ********
sh1 | ===============================================================================
sh1 | splunk_common : Start Splunk via CLI ---------------------------------- 262.38s
sh1 | splunk_common : Get Splunk status --------------------------------------- 8.02s
sh1 | splunk_common : Update Splunk directory owner --------------------------- 6.01s
sh1 | Gathering Facts --------------------------------------------------------- 5.73s
sh1 | splunk_common : Generate user-seed.conf (Linux) ------------------------- 4.70s
sh1 | splunk_common : Cleanup Splunk runtime files ---------------------------- 4.30s
sh1 | splunk_common : Update /opt/splunk/etc ---------------------------------- 3.87s
sh1 | splunk_common : Check for scloud ---------------------------------------- 3.00s
sh1 | splunk_common : Hash the password --------------------------------------- 2.77s
sh1 | splunk_common : Find manifests ------------------------------------------ 2.52s
sh1 | splunk_common : Remove input SSL settings ------------------------------- 2.22s
sh1 | splunk_common : Check for existing installation ------------------------- 2.21s
sh1 | splunk_common : Create .ui_login ---------------------------------------- 2.21s
sh1 | splunk_common : Check if /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key exists --- 2.19s
sh1 | splunk_common : Enable splunktcp input ---------------------------------- 2.18s
sh1 | splunk_common : Enable Splunkd SSL -------------------------------------- 2.18s
sh1 | splunk_common : Enable Web SSL ------------------------------------------ 2.18s
sh1 | splunk_common : Trigger restart ----------------------------------------- 2.17s
sh1 | splunk_common : Remove splunktcp-ssl input ------------------------------ 2.16s
sh1 | splunk_common : Set Splunkd Connection Timeout -------------------------- 2.16s
sh1 exited with code 2
```

Here's the docker-compose (worked on the older Mac):

```yaml
version: "3.9"
services:
  sh1:
    platform: linux/amd64
    image: splunk/splunk:latest
    container_name: sh1
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_PASSWORD=Passw0rd!
      - SPLUNK_ROLE=splunk_search_head
      - SPLUNK_HTTP_PORT=8000
      - SPLUNK_CONNECTION_TIMEOUT=300
    ports:
      - 8000:8000
      - 8089:8089
```

Any thoughts? Can someone on OS12.1 with an M1 chip get this to work? Additionally, can someone running OS12.1 with an Intel chip validate that this works? Maybe the issue is with the M1 chip, not the OS version. Or maybe it's just an issue with 12.1.

Edit: I now have evidence that the compose file I posted works on an Intel-based Mac running 12.1. Therefore, I think it's safe to say the issue is one of compatibility between the Splunk-Docker image and the M1 Mac.