3

I am trying to create a Splunk universal forwarder image using the alpine:3.8 base image.

FROM alpine:3.8

ENV SPLUNK_PRODUCT universalforwarder
ENV SPLUNK_VERSION 6.3.1
ENV SPLUNK_BUILD f3e41e4b37b2
ENV SPLUNK_FILENAME splunkforwarder-${SPLUNK_VERSION}-${SPLUNK_BUILD}-Linux-x86_64.tgz
ENV SPLUNK_SERVER_HOST testapp:9997
ENV SPLUNK_HOME /opt/splunk
ENV SPLUNK_GROUP splunk
ENV SPLUNK_USER splunk
ENV SPLUNK_BACKUP_DEFAULT_ETC /var/opt/splunk
ENV SPLUNK_INDEX test
ENV FORWARD_HOSTNAME InstanceId

# Here we install GNU libc (aka glibc) and set C.UTF-8 locale as default.
RUN apk --no-cache add ca-certificates wget \
    && wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub \
    && wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.28-r0/glibc-2.28-r0.apk \
    && apk add glibc-2.28-r0.apk \
    && rm -rf /var/lib/apt/lists/*

# add splunk:splunk user
RUN addgroup --system ${SPLUNK_GROUP} \
    && adduser --system --ingroup ${SPLUNK_GROUP} ${SPLUNK_USER}

# Download official Splunk release, verify checksum and unzip in /opt/splunk
# Also backup etc folder, so it will be later copied to the linked volume
RUN apk add sudo curl \
    && mkdir -p ${SPLUNK_HOME} \
    && curl -o /tmp/${SPLUNK_FILENAME} https://download.splunk.com/products/${SPLUNK_PRODUCT}/releases/${SPLUNK_VERSION}/linux/${SPLUNK_FILENAME} \
    && curl -o /tmp/${SPLUNK_FILENAME}.md5 https://download.splunk.com/products/${SPLUNK_PRODUCT}/releases/${SPLUNK_VERSION}/linux/${SPLUNK_FILENAME}.md5 \
    && tar xzf /tmp/${SPLUNK_FILENAME} --strip 1 -C ${SPLUNK_HOME} \
    && rm /tmp/${SPLUNK_FILENAME} \
    && rm /tmp/${SPLUNK_FILENAME}.md5 \
    && mkdir -p /var/opt/splunk \
    && cp -R ${SPLUNK_HOME}/etc ${SPLUNK_BACKUP_DEFAULT_ETC} \
    && rm -fR ${SPLUNK_HOME}/etc \
    && chown -R ${SPLUNK_USER}:${SPLUNK_GROUP} ${SPLUNK_HOME} \
    && chown -R ${SPLUNK_USER}:${SPLUNK_GROUP} ${SPLUNK_BACKUP_DEFAULT_ETC} \
    && rm -rf /var/lib/apt/lists/*

COPY ./config /tmp/splunk

COPY patch-entrypoint.sh /sbin/entrypoint.sh
RUN chmod +x /sbin/entrypoint.sh

# Ports Splunk Daemon, Network Input, HTTP Event Collector
EXPOSE 8089/tcp 1514 8088/tcp

WORKDIR /opt/splunk

# Configurations folder, var folder for everything (indexes, logs, kvstore)
VOLUME [ "/opt/splunk/etc", "/opt/splunk/var" ]

ENTRYPOINT ["/sbin/entrypoint.sh"]
CMD ["start-service"]

Now I am facing a couple of issues here:

  1. When I am running /opt/splunkforwarder/bin/splunk start --accept-license I am getting /opt/splunkforwarder/bin/splunk: not found.

I am using a custom output.conf file. It's in the config folder.

[tcpout]
defaultGroup = abc
disabled = false

[tcpout:abc]
server = _OUTPUT_SERVERS_
autoLB = true
compressed = false
useACK = true
sendCookedData = true

entrypoint.sh is the script which I am using to replace the environment variable from output.config and restart Splunk, but again the restart is not working. How can I fix this?

halfer
Vikas Rathore

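The RUN step in the question downloads the `.md5` file but removes it again without comparing it to the archive. A fail-closed check that works with BusyBox or GNU `md5sum`, as an added example that is not part of the original post: the function names `expected_md5` and `verify_md5` are hypothetical, and the two checksum-file layouts it accepts are assumptions about what the download server publishes.

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded archive
# against its published MD5 file before unpacking it.
# Assumed checksum-file layouts:
#   BSD style:  MD5 (archive.tgz) = <32 hex digits>
#   GNU style:  <32 hex digits>  archive.tgz

# expected_md5 SUMFILE
# Print the digest recorded on the first line of SUMFILE, lowercased.
# Returns non-zero if no well-formed digest is found (for example when the
# server answered with an HTML error page instead of a checksum).
expected_md5() {
    line=$(head -n 1 "$1" 2>/dev/null | tr -d '\r')
    case "$line" in
        "MD5 ("*") = "*) digest=${line##*= } ;;   # BSD style: digest is last
        *)               digest=${line%% *} ;;    # GNU style: digest is first
    esac
    digest=$(printf '%s' "$digest" | tr 'A-F' 'a-f')
    # Accept exactly 32 hex digits and nothing else.
    printf '%s\n' "$digest" | grep -Eq '^[0-9a-f]{32}$' || return 1
    printf '%s\n' "$digest"
}

# verify_md5 ARCHIVE SUMFILE
# Returns 0 only if both files exist, SUMFILE holds a well-formed digest,
# and that digest equals the MD5 of ARCHIVE. Every other case fails.
verify_md5() {
    archive=$1
    sumfile=$2
    [ -f "$archive" ] && [ -f "$sumfile" ] || return 1
    want=$(expected_md5 "$sumfile") || return 1
    # Both BusyBox and GNU md5sum print "<digest>  <name>".
    got=$(md5sum "$archive" | cut -d' ' -f1)
    [ -n "$got" ] && [ "$got" = "$want" ]
}
```

In the Dockerfile this would run between the second `curl` and the `tar` line, as `verify_md5 /tmp/${SPLUNK_FILENAME} /tmp/${SPLUNK_FILENAME}.md5`, so a mismatch stops the build before anything is unpacked. A checksum fetched from the same host only catches a truncated or corrupted download; pinning a known digest in the Dockerfile is what ties the build to one specific artifact.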
1 Answer

5

AFAIK, alpine:3.8 doesn't ship with glibc, which Splunk requires. Is it possible that this is causing issues? Have you tried with a different base image?

Simon Duff
  • Thanks for helping. I tried with debian:wheezy. It is working fine, but size is the main issue. Is there any way I can use alpine and install the extra? – Vikas Rathore Nov 14 '18 at 23:18
  • 1
    Check the Alpine Wiki, https://wiki.alpinelinux.org/wiki/Running_glibc_programs It will increase the size however :( – Simon Duff Nov 15 '18 at 00:31
  • 1
    @VikasRathore Simon is correct, Splunkd depends on glibc, and will not work with musl libc. If you want to get a tiny image for forwarding containers and application logs from containers, I can suggest looking at the alternatives; we offer collectord (5Mb compressed image) https://www.outcoldsolutions.com – outcoldman Nov 15 '18 at 03:44
  • @outcoldman: thanks. I was using your docker image for my reference. Are there any free solutions on outcoldsolution.com which I can use? I am doing this for research purposes only. – Vikas Rathore Nov 15 '18 at 10:28
  • @VikasRathore of course, we have free development licenses https://www.outcoldsolutions.com/contact/ – outcoldman Nov 15 '18 at 15:49
  • @SimonDuff: I am able to create the splunk docker image from my docker file (I have updated my working docker file above). Now I can see the splunk ui while navigating to localhost:8089. But how can I validate that the logs are now forwarded to my splunk server? I have kept some dummy logs in /var/log/message. – Vikas Rathore Nov 19 '18 at 11:44
  • Following this answer, I created a dedicated splunk docker bootstrap: eat alpine based logs using a forwarder container, cf. github.com/boly38/splunk-docker-bootstrap – boly38 Jul 24 '20 at 19:21