Deployment Architecture

Cloud environment using Docker splunk

djindal
Splunk Employee

Hello team,

I am facing an issue setting up a cloud-like architecture using docker-splunk.

I am following this page: https://github.com/splunk/docker-splunk/blob/develop/docs/advanced/DISTRIBUTED_TOPOLOGY.md

And I am getting an error when starting the SH and CM containers.

I am getting the below error on sh1:

fatal: [localhost]: FAILED! => {
    "attempts": 60,
    "changed": false,
    "cmd": [
        "/opt/splunk/bin/splunk",
        "init",
        "shcluster-config",
        "-auth",
        "admin:Abc@1234",
        "-mgmt_uri",
        "https://sh1:8089",
        "-replication_port",
        "9887",
        "-replication_factor",
        "2",
        "-conf_deploy_fetch_url",
        "https://dep1:8089",
        "-secret",
        "",
        "-shcluster_label",
        "shc_label"
    ],
    "delta": "0:00:00.593771",
    "end": "2023-12-06 07:05:46.787788",
    "rc": 22,
    "start": "2023-12-06 07:05:46.194017"
}

STDERR:

WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
Required parameter secret does not have a value.

And the error on starting the cm1 container:

fatal: [localhost]: FAILED! => {
2023-12-07 11:02:09     "attempts": 5,
2023-12-07 11:02:09     "changed": false,
2023-12-07 11:02:09     "cmd": [
2023-12-07 10:59:48 core/2.11/user_guide/become.html#risks-of-becoming-an-unprivileged-user
2023-12-07 10:59:49 [WARNING]: Using world-readable permissions for temporary files Ansible needs
2023-12-07 10:59:49 to create when becoming an unprivileged user. This may be insecure. For
2023-12-07 10:59:49 information on securing this, see https://docs.ansible.com/ansible-
2023-12-07 10:59:49 core/2.11/user_guide/become.html#risks-of-becoming-an-unprivileged-user
2023-12-07 10:59:49 [WARNING]: Using world-readable permissions for temporary files Ansible needs
2023-12-07 10:59:49 to create when becoming an unprivileged user. This may be insecure. For
2023-12-07 10:59:49 information on securing this, see https://docs.ansible.com/ansible-
2023-12-07 10:59:49 core/2.11/user_guide/become.html#risks-of-becoming-an-unprivileged-user
2023-12-07 10:59:49 [WARNING]: Using world-readable permissions for temporary files Ansible needs
2023-12-07 10:59:49 to create when becoming an unprivileged user. This may be insecure. For
2023-12-07 10:59:49 information on securing this, see https://docs.ansible.com/ansible-
2023-12-07 10:59:49 core/2.11/user_guide/become.html#risks-of-becoming-an-unprivileged-user
2023-12-07 11:02:09         "/opt/splunk/bin/splunk",
2023-12-07 11:02:09         "start",
2023-12-07 11:02:09         "--accept-license",
2023-12-07 11:02:09         "--answer-yes",
2023-12-07 11:02:09         "--no-prompt"
2023-12-07 11:02:09     ],
2023-12-07 11:02:09     "delta": "0:00:15.870844",
2023-12-07 11:02:09     "end": "2023-12-07 05:32:09.015177",
2023-12-07 11:02:09     "rc": 1,
2023-12-07 11:02:09     "start": "2023-12-07 05:31:53.144333"
2023-12-07 11:02:09 }
2023-12-07 11:02:09 
2023-12-07 11:02:09 STDOUT:
2023-12-07 11:02:09 
2023-12-07 11:02:09 
2023-12-07 11:02:09 Splunk> Take the sh out of IT.
2023-12-07 11:02:09 
2023-12-07 11:02:09 Checking prerequisites...
2023-12-07 11:02:09     Checking http port [8000]: open
2023-12-07 11:02:09     Checking mgmt port [8089]: open
2023-12-07 11:02:09     Checking appserver port [127.0.0.1:8065]: open
2023-12-07 11:02:09     Checking kvstore port [8191]: open
2023-12-07 11:02:09     Checking configuration... Done.
2023-12-07 11:02:09     Checking critical directories...        Done
2023-12-07 11:02:09     Checking indexes...
2023-12-07 11:02:09             Validated: _audit _configtracker _internal _introspection _metrics _metrics_rollup _telemetry _thefishbucket history main summary
2023-12-07 11:02:09     Done
2023-12-07 11:02:09     Checking filesystem compatibility...  Done
2023-12-07 11:02:09     Checking conf files for problems...
2023-12-07 11:02:09     Done
2023-12-07 11:02:09     Checking default conf files for edits...
2023-12-07 11:02:09     Validating installed files against hashes from '/opt/splunk/splunk-9.1.2-b6b9c8185839-linux-2.6-x86_64-manifest'
2023-12-07 11:02:09     All installed files intact.
2023-12-07 11:02:09     Done
2023-12-07 11:02:09 All preliminary checks passed.
2023-12-07 11:02:09 
2023-12-07 11:02:09 Starting splunk server daemon (splunkd)...  
2023-12-07 11:02:09 Done
2023-12-07 11:02:09 
2023-12-07 11:02:09 
2023-12-07 11:02:09 Waiting for web server at http://127.0.0.1:8000 to be available............
2023-12-07 11:02:09 
2023-12-07 11:02:09 WARNING: web interface does not seem to be available!
2023-12-07 11:02:09 
2023-12-07 11:02:09 
2023-12-07 11:02:09 STDERR:
2023-12-07 11:02:09 
2023-12-07 11:02:09 PYTHONHTTPSVERIFY is set to 0 in splunk-launch.conf disabling certificate validation for the httplib and urllib libraries shipped with the embedded Python interpreter; must be set to "1" for increased security
2023-12-07 11:02:09 
2023-12-07 11:02:09 
2023-12-07 11:02:09 MSG:
2023-12-07 11:02:09 
2023-12-07 11:02:09 non-zero return code
2023-12-07 11:02:09 
2023-12-07 11:02:09 PLAY RECAP *********************************************************************
2023-12-07 11:02:09 localhost                  : ok=60   changed=2    unreachable=0    failed=1    skipped=48   rescued=0    ignored=0   
2023-12-07 11:02:09

I am using this YAML file:

version: "3.6"

networks:
  splunknet:
    driver: bridge
    attachable: true

services:
  sh1:
    networks:
      splunknet:
        aliases:
          - sh1
    image: ${SPLUNK_IMAGE:-splunk/splunk:latest}
    hostname: sh1
    container_name: sh1
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_INDEXER_URL=idx1,idx2,idx3,idx4
      - SPLUNK_SEARCH_HEAD_URL=sh2,sh3
      - SPLUNK_SEARCH_HEAD_CAPTAIN_URL=sh1
      - SPLUNK_CLUSTER_MASTER_URL=cm1
      - SPLUNK_ROLE=splunk_search_head_captain
      - SPLUNK_DEPLOYER_URL=dep1
      - SPLUNK_PASSWORD=Abc@1234
      - SPLUNK_LICENSE_URI=/tmp/defaults/splunk_license_expire_on_January_02_2024.License
      - SPLUNK_APPS_URL
      - DEBUG=true
    ports:
      - 8000
      - 8089
    volumes:
      - ./defaults:/tmp/defaults

  sh2:
    networks:
      splunknet:
        aliases:
          - sh2
    image: ${SPLUNK_IMAGE:-splunk/splunk:latest}
    hostname: sh2
    container_name: sh2
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_INDEXER_URL=idx1,idx2,idx3,idx4
      - SPLUNK_SEARCH_HEAD_URL=sh2,sh3
      - SPLUNK_SEARCH_HEAD_CAPTAIN_URL=sh1
      - SPLUNK_CLUSTER_MASTER_URL=cm1
      - SPLUNK_ROLE=splunk_search_head
      - SPLUNK_DEPLOYER_URL=dep1
      - SPLUNK_PASSWORD=Abc@1234
      - SPLUNK_LICENSE_URI=/tmp/defaults/splunk_license_expire_on_January_02_2024.License
      - SPLUNK_APPS_URL
      - DEBUG=true
    ports:
      - 8000
      - 8089
    volumes:
      - ./defaults:/tmp/defaults

  sh3:
    networks:
      splunknet:
        aliases:
          - sh3
    image: ${SPLUNK_IMAGE:-splunk/splunk:latest}
    hostname: sh3
    container_name: sh3
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_INDEXER_URL=idx1,idx2,idx3,idx4
      - SPLUNK_SEARCH_HEAD_URL=sh2,sh3
      - SPLUNK_SEARCH_HEAD_CAPTAIN_URL=sh1
      - SPLUNK_CLUSTER_MASTER_URL=cm1
      - SPLUNK_ROLE=splunk_search_head
      - SPLUNK_DEPLOYER_URL=dep1
      - SPLUNK_PASSWORD=Abc@1234
      - SPLUNK_LICENSE_URI=/tmp/defaults/splunk_license_expire_on_January_02_2024.License
      - SPLUNK_APPS_URL
      - DEBUG=true
    ports:
      - 8000
      - 8089
    volumes:
      - ./defaults:/tmp/defaults

  dep1:
    networks:
      splunknet:
        aliases:
          - dep1
    image: ${SPLUNK_IMAGE:-splunk/splunk:latest}
    hostname: dep1
    container_name: dep1
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_INDEXER_URL=idx1,idx2,idx3,idx4
      - SPLUNK_SEARCH_HEAD_URL=sh2,sh3
      - SPLUNK_SEARCH_HEAD_CAPTAIN_URL=sh1
      - SPLUNK_CLUSTER_MASTER_URL=cm1
      - SPLUNK_ROLE=splunk_deployer
      - SPLUNK_DEPLOYER_URL=dep1
      - SPLUNK_PASSWORD=Abc@1234
      - SPLUNK_LICENSE_URI
      - SPLUNK_APPS_URL
      - DEBUG=true
    ports:
      - 8000
      - 8089
    volumes:
      - ./defaults:/tmp/defaults

  cm1:
    networks:
      splunknet:
        aliases:
          - cm1
    image: ${SPLUNK_IMAGE:-splunk/splunk:latest}
    hostname: cm1
    container_name: cm1
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_INDEXER_URL=idx1,idx2,idx3,idx4
      - SPLUNK_SEARCH_HEAD_URL=sh2,sh3
      - SPLUNK_SEARCH_HEAD_CAPTAIN_URL=sh1
      - SPLUNK_CLUSTER_MASTER_URL=cm1
      - SPLUNK_ROLE=splunk_cluster_master
      - SPLUNK_DEPLOYER_URL=dep1
      - SPLUNK_PASSWORD=Abc@1234
      - SPLUNK_LICENSE_URI
      - SPLUNK_APPS_URL
      - DEBUG=true
    ports:
      - 8000
      - 8089
    volumes:
      - ./defaults:/tmp/defaults

  idx1:
    networks:
      splunknet:
        aliases:
          - idx1
    image: ${SPLUNK_IMAGE:-splunk/splunk:latest}
    hostname: idx1
    container_name: idx1
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_INDEXER_URL=idx1,idx2,idx3,idx4
      - SPLUNK_SEARCH_HEAD_URL=sh2,sh3
      - SPLUNK_SEARCH_HEAD_CAPTAIN_URL=sh1
      - SPLUNK_CLUSTER_MASTER_URL=cm1
      - SPLUNK_ROLE=splunk_indexer
      - SPLUNK_DEPLOYER_URL=dep1
      - SPLUNK_PASSWORD=Abc@1234
      - SPLUNK_LICENSE_URI
      - SPLUNK_APPS_URL
      - DEBUG=true
    ports:
      - 8000
      - 8089
    volumes:
      - ./defaults:/tmp/defaults

  idx2:
    networks:
      splunknet:
        aliases:
          - idx2
    image: ${SPLUNK_IMAGE:-splunk/splunk:latest}
    hostname: idx2
    container_name: idx2
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_INDEXER_URL=idx1,idx2,idx3,idx4
      - SPLUNK_SEARCH_HEAD_URL=sh2,sh3
      - SPLUNK_SEARCH_HEAD_CAPTAIN_URL=sh1
      - SPLUNK_CLUSTER_MASTER_URL=cm1
      - SPLUNK_ROLE=splunk_indexer
      - SPLUNK_DEPLOYER_URL=dep1
      - SPLUNK_PASSWORD=Abc@1234
      - SPLUNK_LICENSE_URI
      - SPLUNK_APPS_URL
      - DEBUG=true
    ports:
      - 8000
      - 8089
    volumes:
      - ./defaults:/tmp/defaults

  idx3:
    networks:
      splunknet:
        aliases:
          - idx3
    image: ${SPLUNK_IMAGE:-splunk/splunk:latest}
    hostname: idx3
    container_name: idx3
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_INDEXER_URL=idx1,idx2,idx3,idx4
      - SPLUNK_SEARCH_HEAD_URL=sh2,sh3
      - SPLUNK_SEARCH_HEAD_CAPTAIN_URL=sh1
      - SPLUNK_CLUSTER_MASTER_URL=cm1
      - SPLUNK_ROLE=splunk_indexer
      - SPLUNK_DEPLOYER_URL=dep1
      - SPLUNK_PASSWORD=Abc@1234
      - SPLUNK_LICENSE_URI
      - SPLUNK_APPS_URL
      - DEBUG=true
    ports:
      - 8000
      - 8089
    volumes:
      - ./defaults:/tmp/defaults

  idx4:
    networks:
      splunknet:
        aliases:
          - idx4
    image: ${SPLUNK_IMAGE:-splunk/splunk:latest}
    hostname: idx4
    container_name: idx4
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_INDEXER_URL=idx1,idx2,idx3,idx4
      - SPLUNK_SEARCH_HEAD_URL=sh2,sh3
      - SPLUNK_SEARCH_HEAD_CAPTAIN_URL=sh1
      - SPLUNK_CLUSTER_MASTER_URL=cm1
      - SPLUNK_ROLE=splunk_indexer
      - SPLUNK_DEPLOYER_URL=dep1
      - SPLUNK_PASSWORD=Abc@1234
      - SPLUNK_LICENSE_URI
      - SPLUNK_APPS_URL
      - DEBUG=true
    ports:
      - 8000
      - 8089
    volumes:
      - ./defaults:/tmp/defaults

Can someone help me resolve this?
