
Splunk 9.1.3 has a regression on the `SPLUNKD_SSL_ENABLE` variable

Open Amndeep7 opened this issue 1 year ago • 2 comments

Running `docker run -it --rm -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=Valid_password!" -e "SPLUNKD_SSL_ENABLE=false" -e GITHUB_ACTIONS=true -e CI=true -p 8089:8089 -p 8088:8088 -v "/$(pwd)/test/configs/splunk/server.conf":"/etc/system/local/server.conf" splunk/splunk:9.1.2` works w/r to spinning up a usable Splunk instance.

GitHub Actions run that contains the Ansible output: https://github.com/mitre/heimdall2/actions/runs/7718282174/job/21039190919?pr=5410

`var/log/splunkd.log` output from a locally spun up container: https://gist.github.com/Amndeep7/9d65c8dedd0739cc82bc682295bcc6f0

Running `docker run -it --rm -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=Valid_password!" -e "SPLUNKD_SSL_ENABLE=false" -e GITHUB_ACTIONS=true -e CI=true -p 8089:8089 -p 8088:8088 -v "/$(pwd)/test/configs/splunk/server.conf":"/etc/system/local/server.conf" splunk/splunk:latest` causes the container to eventually time out in an unhealthy state.

GitHub Actions run that contains the Ansible output: https://github.com/mitre/heimdall2/actions/runs/7716678293/job/21034050807?pr=5410

`var/log/splunkd.log` output from a locally spun up container: https://gist.github.com/Amndeep7/539aec96e2c1a02a40a9c863986f41bd

The `server.conf` file is extremely minimal.

```
$ cat test/configs/splunk/server.conf
#  List of the HTTP Origins for which to return Access-Control-Allow-* (CORS)
#   headers.
#  These headers tell browsers that web applications are trusted at those sites
#   to make requests to the REST interface.
#  The origin is passed as a URL without a path component (for example
#   "https://app.example.com:8000").
#  This setting can take a list of acceptable origins, separated
#   by spaces and/or commas.
#  Each origin can also contain wildcards for any part.  Examples:
#     *://app.example.com:*  (either HTTP or HTTPS on any port)
#     https://*.example.com  (any host under example.com, including
#     example.com itself)
#  An address can be prefixed with a '!' to negate the match, with
#   the first matching origin taking precedence.  For example,
#   "!*://evil.example.com:* *://*.example.com:*" to not avoid
#   matching one host in a domain
#  A single "*" can also be used to match all origins
#  No default.

[httpServer]
crossOriginSharingPolicy = *
```

Amndeep7 avatar Jan 30 '24 23:01 Amndeep7
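As an added example (not part of this issue or of docker-splunk), a small Python audit that parses a Splunk `server.conf` like the one above and flags the two settings this report touches: the wildcard `crossOriginSharingPolicy` and splunkd TLS being switched off. It assumes that `SPLUNKD_SSL_ENABLE=false` ends up as `enableSplunkdSSL = false` under `[sslConfig]`, which the issue itself does not state.

```python
import configparser
from typing import List

# Constructed sample (not the reporter's full file): the [httpServer] stanza from
# the issue plus an [sslConfig] stanza as the image is assumed to write it for
# SPLUNKD_SSL_ENABLE=false (the mapping to enableSplunkdSSL is an assumption).
SAMPLE_SERVER_CONF = """\
#  List of the HTTP Origins for which to return Access-Control-Allow-* (CORS)
#   headers.
[httpServer]
crossOriginSharingPolicy = *

[sslConfig]
enableSplunkdSSL = false
"""


def parse_splunk_conf(text: str) -> configparser.ConfigParser:
    """Splunk .conf files are INI-like ([stanza], key = value, '#' comments);
    keys are case-sensitive, so disable configparser's default lowercasing."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   comment_prefixes=("#",),
                                   inline_comment_prefixes=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_server_conf(text: str) -> List[str]:
    """Return findings for settings that weaken the splunkd REST/management port."""
    cp = parse_splunk_conf(text)
    findings = []
    policy = cp.get("httpServer", "crossOriginSharingPolicy", fallback="")
    # Origins are separated by spaces and/or commas; a '!' prefix negates a match.
    for origin in policy.replace(",", " ").split():
        if origin == "*":
            findings.append("httpServer/crossOriginSharingPolicy: '*' lets any web "
                            "origin call the REST API; list explicit trusted origins")
        elif "*" in origin and not origin.startswith("!"):
            findings.append(f"httpServer/crossOriginSharingPolicy: wildcard origin "
                            f"{origin!r}; confirm every host it matches is trusted")
    ssl = cp.get("sslConfig", "enableSplunkdSSL", fallback="true").strip().lower()
    if ssl in ("false", "0", "f", "n", "no"):
        findings.append("sslConfig/enableSplunkdSSL=false: port 8089 serves plaintext "
                        "HTTP, so credentials and tokens cross the network unencrypted")
    return findings
```

Running `audit_server_conf(SAMPLE_SERVER_CONF)` returns two findings, one for the CORS wildcard and one for TLS being disabled; a file listing explicit origins and leaving TLS on returns none.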

Could this be related to the removal of Python2 support?

yarick avatar Jan 31 '24 00:01 yarick

Looking at the patch notes, it might also have been something that accidentally broke when work was done with the HEC envvars.

Amndeep7 avatar Jan 31 '24 18:01 Amndeep7

Retrying on the latest splunk/splunk image, which I believe is 9.2.1, has worked. I believe this regression has been resolved, so I am closing this issue.

Amndeep7 avatar May 17 '24 15:05 Amndeep7