Splunk 7.3.0
docker -v
Docker version 18.09.6, build 481bc77156
cat /etc/centos-release
CentOS Linux release 7.6.1810 (Core)
uname -r
5.1.9-1.el7.elrepo.x86_64
The Docker network is a custom bridge with default settings. I use an FRRouting container with EIGRP enabled to make the Splunk container reachable from the outside world.
I tried the following (and many other things):
docker run -d \
--privileged \
--name SPLUNK-HF \
--network "Custom Bridge" \
--hostname SPLUNK-HF \
--ip 10.10.10.13 \
-v /opt/SPLUNK-HF/etc:/opt/splunk/etc \
-v /opt/SPLUNK-HF/var:/opt/splunk/var \
--restart always \
-e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=admin123' \
splunk/splunk

docker run -d \
--privileged \
--name SPLUNK-HF \
--network "Custom Bridge" \
--hostname SPLUNK-HF \
--ip 10.10.10.13 \
-v /opt/SPLUNK-HF/etc:/opt/splunk/etc \
-v /opt/SPLUNK-HF/var:/opt/splunk/var \
--restart always \
--user root \
-e 'SPLUNK_USER=root' \
-e 'SPLUNK_GROUP=root' \
-e 'ANSIBLE_USER=root' \
-e 'ANSIBLE_GROUP=root' \
-e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=admin123' \
splunk/splunk
Enabled container capabilities:
NET_BIND_SERVICE
I have inputs.conf:
[udp://51400]
connection_host = ip
sourcetype = test
index = test
no_appending_timestamp = true
disabled = 0
[udp://514]
connection_host = ip
sourcetype = test
index = test
no_appending_timestamp = true
disabled = 0
From inside the Splunk container: netstat -an | grep :514
netstat: /proc/net/tcp6: No such file or directory
netstat: /proc/net/udp6: No such file or directory
udp 0 0 0.0.0.0:51400 0.0.0.0:*
netstat: /proc/net/raw6: No such file or directory
Changing the splunk AND ansible user/group makes the container take a long time to restart; I suppose it does not like it.
I cannot receive events on UDP 514, and pretty much anything below 1024 for sure.
Does the Splunk 7.3 container support assigning privileged ports?
Is NET_BIND_SERVICE not working?
I saw someone say to try it at the host kernel level: sysctl net.ipv4.ip_unprivileged_port_start=0
But it does not work either.
Thanks!
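
Added example (not part of the original post): a POSIX shell check of the two conditions under which Linux permits a bind to a port below net.ipv4.ip_unprivileged_port_start, namely the sysctl value in the process's network namespace and CAP_NET_BIND_SERVICE in the process's effective capability set. The function names and the sample CapEff values are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# The kernel lets a process bind port P when either
#   P >= net.ipv4.ip_unprivileged_port_start (a per-network-namespace sysctl), or
#   CAP_NET_BIND_SERVICE is in the process's *effective* capability set.

CAP_NET_BIND_SERVICE_BIT=10   # bit index from <linux/capability.h>

# has_net_bind_service <CapEff hex>: exit 0 when bit 10 is set.
has_net_bind_service() {
    [ "$(( (0x$1 >> $CAP_NET_BIND_SERVICE_BIT) & 1 ))" -eq 1 ]
}

# bind_verdict <port> <CapEff hex> <unprivileged_port_start>
# Prints allow:sysctl, allow:capability or deny; exit status 1 on deny.
bind_verdict() {
    if [ "$1" -ge "$3" ]; then
        echo "allow:sysctl"
    elif has_net_bind_service "$2"; then
        echo "allow:capability"
    else
        echo "deny"
        return 1
    fi
}

# check_pid <pid> [port]: evaluate a live process. Run it inside the container
# so the sysctl is read from the container's own network namespace.
check_pid() {
    v_port=${2:-514}
    v_capeff=$(awk '/^CapEff:/ {print $2}' "/proc/$1/status") || return 2
    v_start=$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start) || return 2
    echo "pid=$1 port=$v_port CapEff=$v_capeff start=$v_start"
    bind_verdict "$v_port" "$v_capeff" "$v_start"
}

# Constructed sample values (not taken from the poster's system):
#   00000000a80425fb  effective set that includes bit 10
#   0000000000000000  empty effective set, typical of a non-root process
# Usage: ./script <pid> [port]; with no arguments only the functions are defined.
if [ "$#" -gt 0 ]; then
    check_pid "$@"
fi
```

Point check_pid at the PID of the daemon that opens the UDP input rather than at a root shell, because the effective set is per process. A sysctl written on the host applies to the host's network namespace; the value that matters is the one read from inside the container.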