我正在使用 this Kubernetes 上的 Splunk 镜像(使用 minikube 进行本地测试)。
应用下面的代码后,我面临以下错误:
ERROR: Couldn't read "/opt/splunk/etc/splunk-launch.conf" -- maybe $SPLUNK_HOME or $SPLUNK_ETC is set wrong?
我的 Splunk 部署:
apiVersion: apps/v1
kind: Deployment
metadata:
name: splunk
labels:
app: splunk-app
tier: splunk
spec:
selector:
matchLabels:
app: splunk-app
track: stable
replicas: 1
template:
metadata:
labels:
app: splunk-app
tier: splunk
track: stable
spec:
volumes:
- name: configmap-inputs
configMap:
name: splunk-config
containers:
- name: splunk-client
image: splunk/splunk:latest
imagePullPolicy: Always
env:
- name: SPLUNK_START_ARGS
value: --accept-license --answer-yes
- name: SPLUNK_USER
value: root
- name: SPLUNK_PASSWORD
value: changeme
- name: SPLUNK_FORWARD_SERVER
value: splunk-receiver:9997
ports:
- name: incoming-logs
containerPort: 514
volumeMounts:
- name: configmap-inputs
mountPath: /opt/splunk/etc/system/local/inputs.conf
subPath: "inputs.conf"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: splunk-config
data:
inputs.conf: |
[monitor:///opt/splunk/var/log/syslog-logs]
disabled = 0
index=my-index
我还尝试添加这个 env 变量 - 但没有成功:
- name: SPLUNK_HOME
value: /opt/splunk
- name: SPLUNK_ETC
value: /opt/splunk/etc
我已经使用以下 测试了图像 docker 配置 - 并成功运行 :
version: '3.2'
services:
splunk-forwarder:
hostname: splunk-client
image: splunk/splunk:latest
environment:
SPLUNK_START_ARGS: --accept-license --answer-yes
SPLUNK_USER: root
SPLUNK_PASSWORD: changeme
ports:
- "8089:8089"
- "9997:9997"
锯this在 Splunk 论坛上,但答案对我没有帮助。
有任何想法吗?
编辑#1:
Minikube 版本:从
v0.33.1 升级至 v1.2.0 .完整的错误日志:
$kubectl logs -l tier=splunk
splunk_common : Set first run fact -------------------------------------- 0.04s
splunk_common : Set privilege escalation user --------------------------- 0.04s
splunk_common : Set current version fact -------------------------------- 0.04s
splunk_common : Set splunk install fact --------------------------------- 0.04s
splunk_common : Set docker fact ----------------------------------------- 0.04s
Execute pre-setup playbooks --------------------------------------------- 0.04s
splunk_common : Setting upgrade fact ------------------------------------ 0.04s
splunk_common : Set target version fact --------------------------------- 0.04s
Determine captaincy ----------------------------------------------------- 0.04s
ERROR: Couldn't read "/opt/splunk/etc/splunk-launch.conf" -- maybe $SPLUNK_HOME or $SPLUNK_ETC is set wrong?
编辑 #2:将配置映射添加到代码中(为简洁起见,已从原始问题中删除)。 这就是失败的原因 .
最佳答案
根据@Amit-Kumar-Gupta 指出的方向,我也会尝试提供完整的解决方案。
所以this PR更改使得容器无法写入 secret , configMap , downwardAPI和投影卷,因为运行时现在将它们挂载为只读。
此更改自 v1.9.4 起并且可能导致各种应用程序出现问题,这些应用程序会更改或以其他方式操纵其配置。
当 Splunk 启动时,它会在 ${SPLUNK_HOME} 下的文件系统上的各个位置注册所有配置文件。这就是我们的案例 /opt/splunk .
我的问题中指定的错误反射(reflect)了 splunk 无法操作 /opt/splunk/etc 中的所有相关文件。目录,因为挂载机制发生了变化。
现在为解决方案。
而不是直接在 /opt/splunk/etc 中挂载配置文件目录,我们将使用以下设置:
我们将使用 default.yml 启动 docker 容器将挂载在 /tmp/defaults/default.yml 中的文件.
为此,我们将创建 default.yml文件:docker run splunk/splunk:latest create-defaults > ./default.yml
然后,我们去splunk:阻止并添加 config:它下面的子块:
splunk:
conf:
inputs:
directory: /opt/splunk/etc/system/local
content:
monitor:///opt/splunk/var/log/syslog-logs:
disabled : 0
index : syslog-index
outputs:
directory: /opt/splunk/etc/system/local
content:
tcpout:splunk-indexer:
server: splunk-indexer:9997
此设置将生成两个带有
.conf 的文件。后缀(请记住,子块以 conf: 开头)由正确的 Splunk 用户和组拥有。inputs:部分将产生 inputs.conf具有以下内容:[monitor:///opt/splunk/var/log/syslog-logs]
disabled = 0
index=syslog-index
以类似的方式,
outputs:块将类似于以下内容:[tcpout:splunk-receiver]
server=splunk-receiver:9997
这不是像我在原始代码中那样直接传递环境变量:
SPLUNK_FORWARD_SERVER: splunk-receiver:9997
现在一切都已启动并运行(:
forwarder.yaml 的完整设置:apiVersion: apps/v1
kind: Deployment
metadata:
name: splunk-forwarder
labels:
app: splunk-forwarder-app
tier: splunk
spec:
selector:
matchLabels:
app: splunk-forwarder-app
track: stable
replicas: 1
template:
metadata:
labels:
app: splunk-forwarder-app
tier: splunk
track: stable
spec:
volumes:
- name: configmap-forwarder
configMap:
name: splunk-forwarder-config
containers:
- name: splunk-forwarder
image: splunk/splunk:latest
imagePullPolicy : Always
env:
- name: SPLUNK_START_ARGS
value: --accept-license --answer-yes
- name: SPLUNK_PASSWORD
valueFrom:
secretKeyRef:
name: splunk-secret
key: password
volumeMounts:
- name: configmap-forwarder
mountPath: /tmp/defaults/default.yml
subPath: "default.yml"
进一步阅读:
https://splunk.github.io/docker-splunk/ADVANCED.html
https://github.com/splunk/docker-splunk/blob/develop/docs/ADVANCED.md
https://www.splunk.com/blog/2018/12/17/deploy-splunk-enterprise-on-kubernetes-splunk-connect-for-kubernetes-and-splunk-insights-for-containers-beta-part-1.html
https://splunk.github.io/splunk-ansible/ADVANCED.html#inventory-script
https://static.rainfocus.com/splunk/splunkconf18/sess/1521146368312001VwQc/finalPDF/FN1089_DockerizingSplunkatScale_Final_1538666172485001Loc0.pdf
关于docker - 无法在 Kubernetes 上挂载 Splunk 配置 - 错误 : Couldn't read "/opt/splunk/etc/splunk-launch. conf,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/57485801/