docker - 无法在 Kubernetes 上挂载 Splunk 配置 - 错误 : Couldn't read "/opt/splunk/etc/splunk-launch. conf

Question

我正在使用 this Kubernetes 上的 Splunk 镜像(使用 minikube 进行本地测试)。

应用下面的代码后，我面临以下错误:

ERROR: Couldn't read "/opt/splunk/etc/splunk-launch.conf" -- maybe $SPLUNK_HOME or $SPLUNK_ETC is set wrong?

我的 Splunk 部署:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: splunk
  labels:
    app: splunk-app
    tier: splunk
spec:
  selector:
    matchLabels:
      app: splunk-app
      track: stable
  replicas: 1
  template:
    metadata:
      labels:
        app: splunk-app
        tier: splunk
        track: stable
    spec:
      volumes:
      - name: configmap-inputs
        configMap:
           name: splunk-config
      containers:
      - name: splunk-client
        image: splunk/splunk:latest
        imagePullPolicy: Always
        env:
        - name: SPLUNK_START_ARGS
          value: --accept-license --answer-yes
        - name: SPLUNK_USER
          value: root
        - name: SPLUNK_PASSWORD
          value: changeme
        - name: SPLUNK_FORWARD_SERVER
          value: splunk-receiver:9997
        ports:
        - name: incoming-logs
          containerPort: 514
        volumeMounts:
          - name: configmap-inputs
            mountPath: /opt/splunk/etc/system/local/inputs.conf
            subPath: "inputs.conf"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: splunk-config
data:
  inputs.conf: |
    [monitor:///opt/splunk/var/log/syslog-logs]
    disabled = 0
    index=my-index

我还尝试添加这个 env 变量 - 但没有成功:

    - name: SPLUNK_HOME
      value: /opt/splunk
    - name: SPLUNK_ETC
      value: /opt/splunk/etc

我已经使用以下 测试了图像 docker 配置 - 并成功运行 :

version: '3.2'
services:
    splunk-forwarder:
      hostname: splunk-client
      image: splunk/splunk:latest
      environment:
        SPLUNK_START_ARGS: --accept-license --answer-yes
        SPLUNK_USER: root
        SPLUNK_PASSWORD: changeme
      ports:
      - "8089:8089"
      - "9997:9997"

锯 this在 Splunk 论坛上，但答案对我没有帮助。

有任何想法吗？

编辑#1:

Minikube 版本:从 v0.33.1 升级至 v1.2.0 .

完整的错误日志:

$kubectl logs -l tier=splunk

splunk_common : Set first run fact -------------------------------------- 0.04s
splunk_common : Set privilege escalation user --------------------------- 0.04s
splunk_common : Set current version fact -------------------------------- 0.04s
splunk_common : Set splunk install fact --------------------------------- 0.04s
splunk_common : Set docker fact ----------------------------------------- 0.04s
Execute pre-setup playbooks --------------------------------------------- 0.04s
splunk_common : Setting upgrade fact ------------------------------------ 0.04s
splunk_common : Set target version fact --------------------------------- 0.04s
Determine captaincy ----------------------------------------------------- 0.04s
ERROR: Couldn't read "/opt/splunk/etc/splunk-launch.conf" -- maybe $SPLUNK_HOME or $SPLUNK_ETC is set wrong?

编辑 #2:将配置映射添加到代码中(为简洁起见，已从原始问题中删除)。 这就是失败的原因 .

Answer 1

根据@Amit-Kumar-Gupta 指出的方向，我也会尝试提供完整的解决方案。

所以this PR更改使得容器无法写入 secret , configMap , downwardAPI和投影卷，因为运行时现在将它们挂载为只读。
此更改自 v1.9.4 起并且可能导致各种应用程序出现问题，这些应用程序会更改或以其他方式操纵其配置。

当 Splunk 启动时，它会在 ${SPLUNK_HOME} 下的文件系统上的各个位置注册所有配置文件。这就是我们的案例 /opt/splunk .
我的问题中指定的错误反射(reflect)了 splunk 无法操作 /opt/splunk/etc 中的所有相关文件。目录，因为挂载机制发生了变化。

现在为解决方案。

而不是直接在 /opt/splunk/etc 中挂载配置文件目录，我们将使用以下设置:

我们将使用 default.yml 启动 docker 容器将挂载在 /tmp/defaults/default.yml 中的文件.

为此，我们将创建 default.yml文件:docker run splunk/splunk:latest create-defaults > ./default.yml
然后，我们去splunk:阻止并添加 config:它下面的子块:

splunk:
  conf:
    inputs:
      directory: /opt/splunk/etc/system/local
      content:
          monitor:///opt/splunk/var/log/syslog-logs:
            disabled : 0
            index : syslog-index
    outputs:
      directory: /opt/splunk/etc/system/local
      content:
          tcpout:splunk-indexer:
            server: splunk-indexer:9997

此设置将生成两个带有 .conf 的文件。后缀(请记住，子块以 conf: 开头)由正确的 Splunk 用户和组拥有。
inputs:部分将产生 inputs.conf具有以下内容:

[monitor:///opt/splunk/var/log/syslog-logs]
disabled = 0
index=syslog-index

以类似的方式， outputs:块将类似于以下内容:

[tcpout:splunk-receiver]
server=splunk-receiver:9997

这不是像我在原始代码中那样直接传递环境变量:

SPLUNK_FORWARD_SERVER: splunk-receiver:9997

现在一切都已启动并运行(:
forwarder.yaml 的完整设置:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: splunk-forwarder
  labels:
    app: splunk-forwarder-app
    tier: splunk
spec:
  selector:
    matchLabels:
      app: splunk-forwarder-app
      track: stable
  replicas: 1
  template:
    metadata:
      labels:
        app: splunk-forwarder-app
        tier: splunk
        track: stable
    spec:
      volumes:
      - name: configmap-forwarder
        configMap:
          name: splunk-forwarder-config

      containers:
      - name: splunk-forwarder
        image: splunk/splunk:latest
        imagePullPolicy : Always
        env:
        - name: SPLUNK_START_ARGS
          value: --accept-license --answer-yes

        - name: SPLUNK_PASSWORD
          valueFrom:
            secretKeyRef:
              name: splunk-secret
              key: password

        volumeMounts:
        - name: configmap-forwarder
          mountPath: /tmp/defaults/default.yml
          subPath: "default.yml"

进一步阅读:

https://splunk.github.io/docker-splunk/ADVANCED.html

https://github.com/splunk/docker-splunk/blob/develop/docs/ADVANCED.md

https://www.splunk.com/blog/2018/12/17/deploy-splunk-enterprise-on-kubernetes-splunk-connect-for-kubernetes-and-splunk-insights-for-containers-beta-part-1.html

https://splunk.github.io/splunk-ansible/ADVANCED.html#inventory-script

https://static.rainfocus.com/splunk/splunkconf18/sess/1521146368312001VwQc/finalPDF/FN1089_DockerizingSplunkatScale_Final_1538666172485001Loc0.pdf