
I am trying to 'upgrade' Splunk from 7.2.5 to 8.0.3. Splunk is running on a RHEL7 VM in a docker container from Splunk. (We're not actually upgrading Splunk, we are moving to a new container on a new VM.) Through automation, we had modified our container's etc/system/local/inputs.conf to run with SSL according to the Splunk documentation, and in 7.2.5 this works.

In 8.0.3, we are finding that configuration entries in inputs.conf are being erased whenever we restart docker. (/opt/splunk is a folder mounted in the container so that it persists.) Splunk is not 'restoring' the file (for example, from the ../defaults folder) - from testing, we've discovered that some comments do survive, but the configuration entries for SSL are being deleted and Splunk 8 is not running using SSL.

server.conf is also getting clobbered.

Anyone else notice this behavior?

Before restart:

[default]
host = edb999320984
# BEGIN ANSIBLE MANAGED BLOCK
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = /opt/splunk/etc/...
requireClientCert=false
# END ANSIBLE MANAGED BLOCK

After restart, all that remains is:

[splunktcp://9997]
disabled = 0
# BEGIN ANSIBLE MANAGED BLOCK

One other thing we notice is that with Splunk 7, the files are owned by 999:999. In Splunk 8, the owner/group is 41812:41812. However, adjusting for that, our config changes are still getting clobbered.

John Elion
It appears that the Splunk container executes a playbook that strips the SSL configuration. There appears to be a sibling playbook that will set up SSL. This didn't occur in the Splunk 7 container. I haven't solved this yet, but this documentation page appears to be relevant (https://splunk.github.io/docker-splunk/ADVANCED.html#enable-ssl-internal-communication) – John Elion Apr 30 '20 at 17:49
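An added example, not code from the question or from Splunk's docker-splunk project: a stanza-aware parser for Splunk .conf files plus a drift check that compares a snapshot of inputs.conf taken before a container restart with one taken after, and reports what vanished. The two sample texts are copied from the question above; the check for a listener being downgraded from splunktcp-ssl to plaintext splunktcp is my own addition, and the function names are hypothetical. Running this after each restart of the container (or as a CI step) turns a silent rewrite into a loud failure.

```python
"""Stanza-aware diff of two Splunk .conf snapshots, to catch settings that a
container restart silently rewrote (here: the SSL listener in inputs.conf)."""
import re
from typing import Dict, List, Set, Tuple

Conf = Dict[str, Dict[str, str]]

_STANZA_RE = re.compile(r"^\[(.+)\]$")

# Constructed sample input: the before/after inputs.conf posted in the question.
BEFORE = """[default]
host = edb999320984
# BEGIN ANSIBLE MANAGED BLOCK
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = /opt/splunk/etc/...
requireClientCert=false
# END ANSIBLE MANAGED BLOCK
"""

AFTER = """[splunktcp://9997]
disabled = 0
# BEGIN ANSIBLE MANAGED BLOCK
"""


def parse_conf(text: str) -> Conf:
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Keys seen before any [stanza] header are filed under ''.  Comments and
    blank lines are skipped, '=' may appear with or without spaces, and a
    trailing backslash joins the next line, as Splunk does for long values."""
    conf: Conf = {}
    stanza = ""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        match = _STANZA_RE.match(stripped)
        if match:
            stanza = match.group(1)
            conf.setdefault(stanza, {})
            continue
        if "=" not in stripped:
            continue  # tolerate junk rather than abort a drift check
        key, _, value = stripped.partition("=")
        conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf


def diff_conf(before: Conf, after: Conf) -> List[str]:
    """Return human-readable findings: stanzas/keys that vanished or changed."""
    findings: List[str] = []
    for stanza, keys in before.items():
        if stanza not in after:
            findings.append(f"stanza [{stanza}] removed ({len(keys)} keys)")
            continue
        for key, value in keys.items():
            if key not in after[stanza]:
                findings.append(f"[{stanza}] {key} removed (was {value!r})")
            elif after[stanza][key] != value:
                findings.append(f"[{stanza}] {key} changed {value!r} -> {after[stanza][key]!r}")
    for stanza in after:
        if stanza not in before:
            findings.append(f"stanza [{stanza}] added")
    return findings


def _listener_ports(conf: Conf) -> Tuple[Set[str], Set[str]]:
    """Split receiving-port stanzas into (ssl_ports, plaintext_ports).
    Accepts both 'splunktcp-ssl:9997' and 'splunktcp://9997' spellings."""
    ssl_ports: Set[str] = set()
    plain_ports: Set[str] = set()
    for stanza in conf:
        if stanza.startswith("splunktcp-ssl"):
            ssl_ports.add(stanza[len("splunktcp-ssl"):].lstrip(":/"))
        elif stanza.startswith("splunktcp"):
            plain_ports.add(stanza[len("splunktcp"):].lstrip(":/"))
    return ssl_ports, plain_ports


def ssl_listener_downgraded(before: Conf, after: Conf) -> bool:
    """True when a port that was an SSL listener before is now served only by
    a plaintext splunktcp stanza: forwarders will start sending in the clear."""
    ssl_before, _ = _listener_ports(before)
    ssl_after, plain_after = _listener_ports(after)
    return bool((ssl_before - ssl_after) & plain_after)


if __name__ == "__main__":
    b, a = parse_conf(BEFORE), parse_conf(AFTER)
    for finding in diff_conf(b, a):
        print(finding)
    if ssl_listener_downgraded(b, a):
        print("FAIL: SSL receiver replaced by plaintext listener after restart")
```

On the question's two snapshots the diff reports the [default], [splunktcp-ssl:9997] and [SSL] stanzas as removed and [splunktcp://9997] as added, and the downgrade check fires because port 9997 moved from the SSL stanza to the plaintext one. The same parser can be pointed at server.conf, which the question says is clobbered too.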

1 Answer


I have confirmed that the new Splunk 8 docker container is in fact generating the inputs.conf. The implementation has clearly changed somewhat between 7 and 8, and the S2S (Splunk-To-Splunk?) settings in the new version are triggering the rewrite (even though similar settings in the older version did not do that). My team was able to follow the instructions for customizing defaults.yml given here https://splunk.github.io/docker-splunk/ADVANCED.html#using-defaultyml to turn off the S2S rewrites.

John Elion