docker-splunk-legacy

kubernetes 1.9.4 breaking universal forwarder with ConfigMap

Open erks opened this issue 6 years ago • 13 comments

Using ConfigMap to manage splunk universal forwarder's config has been working well until the release of 1.9.4, which included this security fix.

ConfigMap now gets mounted as read-only always, which breaks this container due to the chown commands in entrypoint.sh.

See: https://answers.splunk.com/answers/626964/kubernetes-194-breaking-changes-universal-forwarde.html

erks avatar Apr 16 '18 19:04 erks

@mchene ^

halr9000 avatar Apr 16 '18 19:04 halr9000

@erks I've alerted PM and got ack back that they will triage.

halr9000 avatar Apr 17 '18 18:04 halr9000

@halr9000 if you're okay with doing chown ... || true, which seems to work for me, I can create a quick PR for that.

erks avatar Apr 17 '18 18:04 erks

Any updates? Any temporary fix or work-around?

rayh0001 avatar Apr 27 '18 21:04 rayh0001

@rayh0001 Mount your config maps inside /var/opt/splunk/etc instead of directly inside ${SPLUNK_HOME}. This fix works because the entrypoint copies the files over before trying to change the ownership: https://github.com/splunk/docker-splunk/blob/master/universalforwarder/entrypoint.sh#L24

ffscl avatar Apr 28 '18 03:04 ffscl
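The copy-before-chown pattern this workaround relies on, as an added example that is not part of the original comment and is not the project's entrypoint.sh. The function name `stage_config` and its two arguments are hypothetical; it shows ownership being changed on a writable copy only, so a read-only ConfigMap mount cannot make the step fail.

```shell
#!/bin/sh
# Added example, not the project's entrypoint.sh. stage_config and its
# arguments are hypothetical names chosen for this illustration.
#
# stage_config SRC DST
#   SRC: directory where the ConfigMap is mounted (read-only)
#   DST: writable directory the forwarder reads its config from
# Assumed call, based on the paths named in the thread:
#   stage_config /var/opt/splunk/etc "$SPLUNK_HOME/etc"
stage_config() {
    src=$1
    dst=$2
    [ -d "$src" ] || { echo "stage_config: no staging dir $src" >&2; return 1; }
    mkdir -p "$dst" || return 1

    # A ConfigMap volume exposes each key as a symlink into a hidden
    # "..data" directory. The "*" glob skips those dot-entries, and
    # "cp -L" dereferences the symlinks so DST receives regular files.
    for entry in "$src"/*; do
        [ -e "$entry" ] || continue      # empty mount: the glob did not match
        cp -RL "$entry" "$dst"/ || return 1
    done

    # Ownership and mode are changed on the copy only. The mount is never
    # written to, and a real failure here is reported instead of being
    # hidden behind "|| true".
    chown -R "$(id -u):$(id -g)" "$dst" || return 1
    chmod -R u+rwX,go-w "$dst" || return 1
}
```
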

Thanks @ffscl, I just tested it in a Kubernetes v1.10.2 cluster and this fixes the issue. I used:

        volumeMounts:
        - name: ufconfig
          mountPath: /var/opt/splunk/etc/apps/search/local

And still reference any file with $SPLUNK_HOME.

guilhemmarchand avatar May 01 '18 22:05 guilhemmarchand

Thanks @ffscl @guilhemmarchand that seems to work

rayh0001 avatar May 02 '18 17:05 rayh0001

This definitely should be documented. @halr9000

erks avatar May 02 '18 17:05 erks

@guilhemmarchand Works like a charm!!

vasartori avatar Jun 06 '18 22:06 vasartori

@ffscl That worked like a charm! Thank goodness I found this, otherwise I might have gone crazy.

mychalsexton avatar Jul 06 '18 22:07 mychalsexton

Sorry I am not getting what solved the issue here... I updated daemonset yaml with:

        volumeMounts:
        - name: ufconfig
          mountPath: /var/opt/splunk/etc/apps/search/local

But nothing seems to work. Please let me know what exactly needs to be done to resolve the issue.

sharmmoh1983 avatar Jul 25 '18 07:07 sharmmoh1983

@sharmmoh1983 If you are using Splunk Cloud, you need to mount the ConfigMap to /var/opt/splunk/etc/apps/splunkclouduf/default

sforsman avatar Sep 26 '18 11:09 sforsman

Can't get this to work with a daemonset and configmaps. Does anyone have a working example with splunkforwarder:7.3.0?

pgilad avatar Jun 22 '19 10:06 pgilad