docker-splunk
Provide minimal container for Splunk HEC
It is very common to deploy Splunk HEC in Kubernetes clusters. It would be ideal to have a container image that has just what is needed to run a Splunk HEC server.
- reduce image size
- reduce CVE
Providing a Helm chart is a good idea also.
I second that. This is the biggest image we have, over 1Gbi, pulling it into a new location takes a few hours.
it would be nice if there was some indication of whether such a patch would land.
additionally, it's not clear what the basic requirements are for such an image - is it just the compiled go binary from this repo? https://github.com/splunk/splunk-cloud-sdk-go/releases/tag/v1.11.1
https://download.splunk.com/products/splunk/releases/8.2.5/linux/splunk-8.2.5-77015bc7a462-Linux-x86_64.tgz - this thing actually weighs 592mb
https://download.splunk.com/products/universalforwarder/releases/8.2.5/linux/splunkforwarder-8.2.5-77015bc7a462-Linux-x86_64.tgz - this one only weighs 35 mb.
actually you can get even the full image in half the size of the one published by this repo:
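```dockerfile
FROM debian:stable-slim
# File name of the Splunk tarball in the build context (--build-arg tarball=...)
ARG tarball
RUN mkdir /splunk
WORKDIR /splunk
# Bind-mount the build context read-only (requires BuildKit) so the tarball
# itself is never copied into an image layer.
RUN --mount=type=bind,target=/tmp/ext,source=.,ro bash -c "\
    tar --exclude-from=/tmp/ext/exclude-files.txt -xzf /tmp/ext/$tarball &&\
    mv /splunk/splunk /tmp/contents &&\
    rmdir /splunk &&\
    mv /tmp/contents /splunk\
"
```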
where the "exclude-files.txt" is these lines:
https://github.com/splunk/docker-splunk/blob/a47a11fbc13a235c727bf3552060f4f81bfeb2fc/splunk/common-files/make-minimal-exclude.py#L5-L31
by my count, this approach nets you an image with this many bytes: 294543508 (294 mb). A similar technique could probably be applied to get a slim forwarder image. it needs DOCKER_BUILDKIT=1 (https://stackoverflow.com/q/66839443) to work. going to ping code owners in a couple days to see if these improvements should be worked on - that is, if there is any chance whatsoever of them landing.
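To check what an exclude list removes before building an image, the sketch below extracts a tarball with and without `--exclude-from` and compares the byte totals. It is an added example, not code from this thread or the docker-splunk repo; the function names are hypothetical, and `make_sample` builds a constructed tarball and a constructed one-line pattern file, not the real list linked above.

```shell
#!/bin/sh
# Added example: measure how many bytes an exclude list drops from a tarball.
set -eu

# extracted_bytes TARBALL [EXCLUDE_FILE]
# Extracts into a throwaway directory and prints the total size of regular files.
extracted_bytes() {
    local tarball="$1" exclude="${2:-}" dir total
    dir=$(mktemp -d)
    if [ -n "$exclude" ]; then
        tar --exclude-from="$exclude" -xzf "$tarball" -C "$dir"
    else
        tar -xzf "$tarball" -C "$dir"
    fi
    total=$(find "$dir" -type f -exec cat {} + | wc -c)
    rm -rf "$dir"
    echo $((total))
}

# report TARBALL EXCLUDE_FILE
# Prints one line: full=<bytes> slim=<bytes> saved=<bytes>
report() {
    local full slim
    full=$(extracted_bytes "$1")
    slim=$(extracted_bytes "$1" "$2")
    echo "full=$full slim=$slim saved=$((full - slim))"
}

# make_sample DIR
# Constructed sample input: a tiny "splunk" tree, its tarball, and an exclude
# file with one constructed pattern (not the real make-minimal list).
make_sample() {
    local dir="$1"
    mkdir -p "$dir/src/splunk/bin" "$dir/src/splunk/share/docs"
    head -c 100 /dev/zero > "$dir/src/splunk/bin/splunkd"
    head -c 1000 /dev/zero > "$dir/src/splunk/share/docs/manual.txt"
    tar -czf "$dir/sample.tgz" -C "$dir/src" splunk
    printf '%s\n' '*/share/docs/*' > "$dir/exclude-files.txt"
}

# Usage: script.sh TARBALL EXCLUDE_FILE
if [ "$#" -eq 2 ]; then
    report "$1" "$2"
fi
```

Everything the list leaves in the image still has to be patched and scanned, so the `slim` figure is also a rough measure of what remains exposed to future CVE findings.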