
Docker container Splunk unable to assign or use privileged ports under 1024, ignores NET_BIND_SERVICE?

deodion
Path Finder

Splunk 7.3.0

docker -v
Docker version 18.09.6, build 481bc77156
cat /etc/centos-release
CentOS Linux release 7.6.1810 (Core)
uname -r
5.1.9-1.el7.elrepo.x86_64

The Docker network is a custom bridge with default settings. I use an FRRouting container with EIGRP enabled to make the Splunk container reachable from the outside world.

I tried (and many other things):

docker run -d \
--privileged \
--name SPLUNK-HF \
--network "Custom Bridge" \
--hostname SPLUNK-HF \
--ip 10.10.10.13 \
-v /opt/SPLUNK-HF/etc:/opt/splunk/etc \
-v /opt/SPLUNK-HF/var:/opt/splunk/var \
--restart always \
-e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=admin123' \
splunk/splunk

docker run -d \
--privileged \
--name SPLUNK-HF \
--network "Custom Bridge" \
--hostname SPLUNK-HF \
--ip 10.10.10.13 \
-v /opt/SPLUNK-HF/etc:/opt/splunk/etc \
-v /opt/SPLUNK-HF/var:/opt/splunk/var \
--restart always \
--user root \
-e 'SPLUNK_USER=root' \
-e 'SPLUNK_GROUP=root' \
-e 'ANSIBLE_USER=root' \
-e 'ANSIBLE_GROUP=root' \
-e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=admin123' \
splunk/splunk

Enabled container capabilities:
NET_BIND_SERVICE

I have inputs.conf:
[udp://51400]
connection_host = ip
sourcetype = test
index = test
no_appending_timestamp = true
disabled = 0

[udp://514]
connection_host = ip
sourcetype = test
index = test
no_appending_timestamp = true
disabled = 0

From inside the Splunk container: netstat -an | grep :514
netstat: /proc/net/tcp6: No such file or directory
netstat: /proc/net/udp6: No such file or directory
udp 0 0 0.0.0.0:51400 0.0.0.0:*
netstat: /proc/net/raw6: No such file or directory

Changing the Splunk AND Ansible user/group makes the container take a long time to restart; I suppose it does not like it.

I cannot receive events on UDP 514, and pretty much anything below 1024 for sure.

Does the Splunk 7.3 container support assigning privileged ports?
Is NET_BIND_SERVICE not working?

I saw someone say to try this at the host kernel level: sysctl net.ipv4.ip_unprivileged_port_start=0
But it does not work either.

Thanks!
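Added diagnostic, not part of the post or of the Splunk image: run inside the container as the same user that runs splunkd, it reads that user's effective capability mask from /proc/self/status and the ip_unprivileged_port_start value visible in the container's own network namespace, predicts whether a bind to UDP 514 will be allowed, and then tries it. It assumes a Linux /proc filesystem; the hex masks in the comments are constructed sample values, and the sysctl is read per network namespace, so the container's value, not the host's, is the one that matters.

```python
"""Predict and test whether this process may bind a privileged UDP port."""
import errno
import os
import socket

CAP_NET_BIND_SERVICE = 10  # bit index from <linux/capability.h>
SYSCTL = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def has_cap(cap_mask_hex: str, cap_bit: int) -> bool:
    """True if bit `cap_bit` is set in a CapEff/CapBnd-style hex mask,
    e.g. the constructed mask "0000000000000400" has only bit 10 set."""
    return (int(cap_mask_hex, 16) >> cap_bit) & 1 == 1


def bind_is_permitted(port: int, cap_eff_hex: str, unprivileged_start: int) -> bool:
    """Mirror the kernel rule: a port below ip_unprivileged_port_start of the
    socket's network namespace needs CAP_NET_BIND_SERVICE in the caller's
    effective set. Root passes only because its effective set normally holds
    that bit; an unprivileged service account such as 'splunk' does not."""
    return port >= unprivileged_start or has_cap(cap_eff_hex, CAP_NET_BIND_SERVICE)


def read_cap_eff(status_text: str) -> str:
    """Extract the CapEff hex mask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split()[1]
    raise ValueError("CapEff line not found in status text")


def probe_udp_bind(port: int) -> int:
    """Try to bind UDP 0.0.0.0:<port>; return 0 on success, else the errno
    (EACCES is the expected failure for a privileged port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind(("0.0.0.0", port))
        except OSError as e:
            return e.errno
    return 0


if __name__ == "__main__":
    cap_eff = read_cap_eff(open("/proc/self/status").read())
    start = int(open(SYSCTL).read())
    print(f"uid={os.geteuid()} CapEff={cap_eff} ip_unprivileged_port_start={start}")
    for port in (514, 51400):  # the two inputs from the post's inputs.conf
        predicted = "ok" if bind_is_permitted(port, cap_eff, start) else "EACCES"
        rc = probe_udp_bind(port)
        actual = "ok" if rc == 0 else errno.errorcode.get(rc, str(rc))
        print(f"udp/{port}: predicted {predicted}, actual {actual}")
```

If the prediction says EACCES for 514 but 51400 is fine, the listening process lacks CAP_NET_BIND_SERVICE in its effective set in that namespace; a host-level sysctl change will not show up in the container's value.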
