Add an entrypoint and command, without messing up the invocation?

Hi people.

I don’t have a lot of docker or docker-compose experience.

I’m attempting to set up Splunk inside a docker container using docker-compose (this part was easy), and customize the startup behavior (this I’m finding more difficult).

I started out with:

  so1:
    image: ${SPLUNK_IMAGE:-splunk/splunk:latest}
    container_name: so1
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_HEC_TOKEN=xxxxxxxx
      # the password for the "admin" user
      - SPLUNK_PASSWORD=yyyyyyyy
      # - SPLUNK_HOME=${SPLUNK_HOME}
    ports:
      - 8000:8000

And that worked great. I can log into splunk on localhost:8000 and run queries, create indexes, etcetera.

However, I want to auto-create an index from outside splunk, on first container startup. For that, I switched to:

  so1:
    image: ${SPLUNK_IMAGE:-splunk/splunk:latest}
    container_name: so1
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_HEC_TOKEN=xxxxxxxx
      # the password for the "admin" user
      - SPLUNK_PASSWORD=yyyyyyyy
      # - SPLUNK_HOME=${SPLUNK_HOME}
    ports:
      - 8000:8000
    volumes:
      - ./splunk-files/:/splunk-files/
    entrypoint: /bin/bash
    command: /splunk-files/start

…but the startup behavior totally changed, and I don’t know why. There were config files I had to manually copy that I didn’t need to copy before, and there were log directories I needed to create that I didn’t need to create before.

The container is based on RHEL, and customizing it appears to require an RHEL entitlement - so adding packages probably isn’t going to happen.

Any suggestions? How can I figure out what command to invoke from /splunk-files/start, to get comparable behavior to that seen without the entrypoint+command?

Inside /splunk-files/start, I’m running “/sbin/entrypoint.sh --accept-license start-service”.

Thanks!

Hi

So if I understand you correctly, in your “/splunk-files/start” script, you have: /sbin/entrypoint.sh --accept-license start-service? Because I guess that should work.

How are you creating this index? I don't know your use case, but I would create a new image, based on Splunk's, and create a new app where the index configuration is, or maybe just map the configuration file into the container.

Yes, among other things, /splunk-files/start has:
/sbin/entrypoint.sh --accept-license start-service

My intention is to background it, wait for a port to start listening, sleep a little, create the index, and wait on the splunk background process.

But just “/sbin/entrypoint.sh --accept-license start-service” doesn’t work.

I’m unfamiliar with how to create “an image”. Is there some doc about that or something?

If it's only for creating an index (or other Splunk-related settings), then I would do:

#> mkdir -p MyApp/local/
#> vi MyApp/local/indexes.conf

add:
[YOUR-INDEX-NAME]
coldPath = $SPLUNK_DB/YOUR-INDEX-NAME/colddb
homePath = $SPLUNK_DB/YOUR-INDEX-NAME/db
thawedPath = $SPLUNK_DB/YOUR-INDEX-NAME/thaweddb
maxTotalDataSizeMB = 10240

#> vi Dockerfile

FROM splunk/splunk:latest
COPY MyApp /opt/splunk/etc/apps/MyApp

Run:

 #> docker build -t mysplunkimage:latest .

Then in your 'image:' in your docker-compose, replace the current value with: mysplunkimage:latest

Have fun with your new index :)
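
The steps from the last answer as one script, generalized to several indexes (an added example, not part of the original posts). The function names and the index-name check are assumptions of this example; the check follows Splunk's documented naming rule for user-defined indexes as understood here (lowercase letters, digits, underscores and hyphens, not starting with "_" or "-", not containing "kvstore").

```shell
#!/bin/sh
# Added example: scaffold the MyApp directory and the Dockerfile from the answer above.
# All function names are hypothetical; paths and keys are the ones used in the thread.
LC_ALL=C; export LC_ALL   # make the a-z range below byte-exact

# Return 0 only for names that pass the assumed Splunk index naming rule.
valid_index_name() {
    case "$1" in
        ''|[_-]*|*[!a-z0-9_-]*|*kvstore*) return 1 ;;
    esac
    return 0
}

# Print one indexes.conf stanza with the same keys as in the answer.
# Single quotes keep $SPLUNK_DB literal so Splunk expands it, not the shell.
index_stanza() {
    printf '[%s]\n' "$1"
    printf 'coldPath = $SPLUNK_DB/%s/colddb\n' "$1"
    printf 'homePath = $SPLUNK_DB/%s/db\n' "$1"
    printf 'thawedPath = $SPLUNK_DB/%s/thaweddb\n' "$1"
    printf 'maxTotalDataSizeMB = 10240\n\n'
}

# scaffold_app DIR INDEX...
# Writes DIR/MyApp/local/indexes.conf and DIR/Dockerfile.
# Every name is validated first, so a bad name leaves nothing half-written.
scaffold_app() {
    dir=$1; shift
    [ "$#" -gt 0 ] || { echo "no index names given" >&2; return 2; }
    for name in "$@"; do
        valid_index_name "$name" || { echo "bad index name: $name" >&2; return 1; }
    done
    mkdir -p "$dir/MyApp/local" || return 1
    for name in "$@"; do index_stanza "$name"; done > "$dir/MyApp/local/indexes.conf"
    printf '%s\n' 'FROM splunk/splunk:latest' \
        'COPY MyApp /opt/splunk/etc/apps/MyApp' > "$dir/Dockerfile"
}

# Typical use, followed by the build command from the answer:
#   scaffold_app . my_index other_index
#   docker build -t mysplunkimage:latest .
```

Because the index definitions are baked into the image, the compose file keeps the image's default entrypoint and command.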