too much to list

Author: jonuwz

.images/splunk/Dockerfile

@@ -2,16 +2,48 @@ ARG VERSION=8.2.0
 ARG TOOL=splunk
 FROM splunk/${TOOL}:${VERSION}
 
+
 USER root
 
+# Do this 1st - it takes the longest
+RUN sed -i 's/41812/1000/g' /etc/passwd && \
+    sed -i 's/41812/1000/g' /etc/group && \
+    chown -R 1000:1000 /home/splunk /opt/splunk* 
+
 RUN update-ca-trust && \
     microdnf install -y vim git-core jq nmap net-tools lsof && \
     microdnf clean all
 
-RUN sed -i 's/41812/1000/g' /etc/passwd && \
-    sed -i 's/41812/1000/g' /etc/group && \
-    chown -R 1000:1000 /home/splunk /opt/splunk*
+RUN curl -s -L -f -o /tmp/tcpdump.rpm http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/tcpdump-4.9.3-1.el8.x86_64.rpm && \
+    rpm -i /tmp/tcpdump.rpm && \
+    rm /tmp/tcpdump.rpm
 
 ADD ./refresh /usr/bin/refresh
+ADD ./web.conf /tmp/web.conf
+RUN chown -R 1000:1000 /tmp/web.conf
+
+
+USER splunk
+
+# add splunk to the path
+RUN if [[ -e /opt/splunk-etc ]];then \
+        echo -e '\nexport PATH=$PATH:/opt/splunk/bin' >> $HOME/.bashrc ; fi
+
+RUN if [[ -e /opt/splunkforwarder-etc ]];then \
+        echo -e '\nexport PATH=$PATH:/opt/splunkforwarder/bin' >> $HOME/.bashrc ; fi
+
+# disable caching of web assets on splunk servers
+RUN if [[ -e /opt/splunk-etc ]];then \
+        mkdir -p /opt/splunk-etc/system/local && \
+        cp /tmp/web.conf /opt/splunk-etc/system/local/web.conf ; fi
+RUN rm -f /tmp/web.conf
+
+# install suit toolkit if splunk server
+RUN if [[ -e /opt/splunk-etc ]];then \
+        (curl -s -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash) && \
+        source ~/.bashrc && \
+        nvm install lts/fermium && \
+        npm install -g @splunk/create && \
+        npm install -g yarn ; fi
 
 USER ansible

.images/splunk/web.conf

@@ -0,0 +1,3 @@
+[settings]
+cacheEntriesLimit = 0
+cacheBytesLimit = 0

basic/docker-compose.yaml

@@ -2,40 +2,41 @@ version: '3.4'
 
 networks:
   default:
-    external:
-      name: apps
+    name: apps
 
 services:
 
   sbs:
-    image: local/splunk:8.1.3
+    image: local/splunk:8.2.6
     build:
       context: ../.images/splunk
       network: host
       args:
-        VERSION: 8.1.3
+        VERSION: 8.2.6
         TOOL: splunk
     container_name: sbs
     hostname: sbs
     ports:
     - "8000:8000"
     - "8089:8089"
+    - "8088:8088"
     environment:
       SPLUNK_DISABLE_POPUPS: "true"
       LANG: en_US.utf8
       SPLUNK_ROLE: splunk_standalone
       SPLUNK_START_ARGS: --accept-license
       SPLUNK_PASSWORD: password
+      SPLUNK_HEC_TOKEN: password
     volumes:
     - ${HOME}/projects:/projects
 
   sbf:
-    image: local/universalforwarder:8.1.3
+    image: local/universalforwarder:8.2.6
     build:
       context: ../.images/splunk
       network: host
       args:
-        VERSION: 8.1.3
+        VERSION: 8.2.6
         TOOL: universalforwarder
     container_name: sbf
     hostname: sbf

heavy_forwarder/docker-compose.yaml

@@ -0,0 +1,33 @@
+version: '3.4'
+
+networks:
+  default:
+    external:
+      name: apps
+
+services:
+
+  sh1:
+    image: local/splunk:8.2.6
+    build:
+      context: ../.images/splunk
+      network: host
+      args:
+        VERSION: 8.2.6
+        TOOL: splunk
+    container_name: hf1
+    hostname: hf1
+    ports:
+    - "8300:8000"
+    - "8389:8089"
+    environment:
+      LANG: en_US.utf8
+      SPLUNK_PASSWORD: password
+      SPLUNK_DISABLE_POPUPS: "true"
+      SPLUNK_START_ARGS: --accept-license
+      SPLUNK_ROLE: splunk_heavy_forwarder
+      SPLUNK_CLUSTER_MASTER_URL: cm1
+      SPLUNK_IDXC_PASS4SYMMKEY: cm_and_indexer_comms
+      SPLUNK_IDXC_DISCOVERYPASS4SYMMKEY: cm_and_forwarder_comms
+    volumes:
+    - ${HOME}/projects:/projects

indexer_singlesite/docker-compose.yaml

@@ -1,25 +1,50 @@
-version: '3.4'
+version: '3.6'
 
 networks:
   default:
-    external:
-      name: apps
+    name: apps
 
 services:
 
+  sh1:
+    profiles: [ "sh" ]
+    image: &image local/splunk:8.2.6
+    build:
+      context: ../.images/splunk
+      network: host
+      args:
+        VERSION: &version 8.2.6
+        TOOL: splunk
+    container_name: sh1
+    hostname: sh1
+    ports:
+    - "8100:8000"
+    - "8189:8089"
+    environment:
+      LANG: en_US.utf8
+      SPLUNK_PASSWORD: password
+      SPLUNK_DISABLE_POPUPS: "true"
+      SPLUNK_START_ARGS: --accept-license
+      SPLUNK_ROLE: splunk_search_head
+      SPLUNK_CLUSTER_MASTER_URL: cm1
+      SPLUNK_IDXC_PASS4SYMMKEY: cm_and_indexer_comms
+      SPLUNK_IDXC_DISCOVERYPASS4SYMMKEY: cm_and_forwarder_comms
+    volumes:
+    - ${HOME}/projects:/projects
+
   cm1:
-    image: local/splunk:8.1.3
+    image: *image
     build:
       context: ../.images/splunk
       network: host
       args:
-        VERSION: 8.1.3
+        VERSION: *version
         TOOL: splunk
     container_name: cm1
     hostname: cm1
     ports:
-    - "8100:8000"
-    - "8189:8089"
+    - "8101:8000"
+    - "8190:8089"
     environment:
       LANG: en_US.utf8
       SPLUNK_PASSWORD: password
@@ -36,15 +61,17 @@ services:
     - ${HOME}/projects:/projects
 
   idx1-1: 
-    image: local/splunk:8.1.3
+    image: *image
     build:
       context: ../.images/splunk
       network: host
       args:
-        VERSION: 8.1.3
+        VERSION: *version
         TOOL: splunk
     container_name: idx1-1
     hostname: idx1-1
+    ports:
+    - "8188:8088"
     environment:
       LANG: en_US.utf8
       SPLUNK_PASSWORD: password
@@ -53,16 +80,17 @@ services:
       SPLUNK_ROLE: splunk_indexer
       SPLUNK_CLUSTER_MASTER_URL: cm1
       SPLUNK_IDXC_PASS4SYMMKEY: cm_and_indexer_comms
+      SPLUNK_HEC_TOKEN: password
     volumes:
     - ${HOME}/projects:/projects
 
   idx1-2: 
-    image: local/splunk:8.1.3
+    image: *image
     build:
       context: ../.images/splunk
       network: host
       args:
-        VERSION: 8.1.3
+        VERSION: *version
         TOOL: splunk
     container_name: idx1-2
     hostname: idx1-2

search_head/docker-compose.yaml

@@ -8,12 +8,12 @@ networks:
 services:
 
   sh1:
-    image: local/splunk:8.1.3
+    image: local/splunk:8.2.6
     build:
       context: ../.images/splunk
       network: host
       args:
-        VERSION: 8.1.3
+        VERSION: 8.2.6
         TOOL: splunk
     container_name: sh1
     hostname: sh1

search_head_cluster/docker-compose.yaml

@@ -25,12 +25,12 @@ services:
     - ./haproxy:/usr/local/etc/haproxy
 
   deployer:
-    image: local/splunk:8.1.3
+    image: local/splunk:8.2.6
     build:
       context: ../.images/splunk
       network: host
       args:
-        VERSION: 8.1.3
+        VERSION: 8.2.6
         TOOL: splunk
     container_name: deployer
     hostname: deployer
@@ -51,12 +51,12 @@ services:
   sh1:
     depends_on:
     - deployer
-    image: local/splunk:8.1.3
+    image: local/splunk:8.2.6
     build:
       context: ../.images/splunk
       network: host
       args:
-        VERSION: 8.1.3
+        VERSION: 8.2.6
         TOOL: splunk
     container_name: sh1
     hostname: sh1
@@ -80,12 +80,12 @@ services:
   sh2:
     depends_on:
     - deployer
-    image: local/splunk:8.1.3
+    image: local/splunk:8.2.6
     build:
       context: ../.images/splunk
       network: host
       args:
-        VERSION: 8.1.3
+        VERSION: 8.2.6
         TOOL: splunk
     container_name: sh2
     hostname: sh2
@@ -109,12 +109,12 @@ services:
   sh3:
     depends_on:
     - deployer
-    image: local/splunk:8.1.3
+    image: local/splunk:8.2.6
     build:
       context: ../.images/splunk
       network: host
       args:
-        VERSION: 8.1.3
+        VERSION: 8.2.6
         TOOL: splunk
     container_name: sh3
     hostname: sh3

searchhead_singlesite/docker-compose.yaml

@@ -0,0 +1,78 @@
+version: '3.4'
+
+networks:
+  default:
+    external:
+      name: apps
+
+services:
+
+  cm1:
+    image: local/splunk:8.2.6
+    build:
+      context: ../.images/splunk
+      network: host
+      args:
+        VERSION: 8.2.6
+        TOOL: splunk
+    container_name: cm1
+    hostname: cm1
+    ports:
+    - "8100:8000"
+    - "8189:8089"
+    environment:
+      LANG: en_US.utf8
+      SPLUNK_PASSWORD: password
+      SPLUNK_DISABLE_POPUPS: "true"
+      SPLUNK_START_ARGS: --accept-license
+      SPLUNK_ROLE: splunk_cluster_master
+      SPLUNK_CLUSTER_MASTER_URL: cm1
+      SPLUNK_IDXC_REPLICATION_FACTOR: 2
+      SPLUNK_IDXC_SEARCH_FACTOR: 2
+      SPLUNK_IDXC_LABEL: docker_idx
+      SPLUNK_IDXC_PASS4SYMMKEY: cm_and_indexer_comms
+      SPLUNK_IDXC_DISCOVERYPASS4SYMMKEY: cm_and_forwarder_comms
+    volumes:
+    - ${HOME}/projects:/projects
+ 
+  idx1-1: 
+    image: local/splunk:8.2.6
+    build:
+      context: ../.images/splunk
+      network: host
+      args:
+        VERSION: 8.2.6
+        TOOL: splunk
+    container_name: idx1-1
+    hostname: idx1-1
+    environment:
+      LANG: en_US.utf8
+      SPLUNK_PASSWORD: password
+      SPLUNK_DISABLE_POPUPS: "true"
+      SPLUNK_START_ARGS: --accept-license
+      SPLUNK_ROLE: splunk_indexer
+      SPLUNK_CLUSTER_MASTER_URL: cm1
+      SPLUNK_IDXC_PASS4SYMMKEY: cm_and_indexer_comms
+    volumes:
+    - ${HOME}/projects:/projects
+
+  idx1-2: 
+    image: local/splunk:8.2.6
+    build:
+      context: ../.images/splunk
+      network: host
+      args:
+        VERSION: 8.2.6
+        TOOL: splunk
+    container_name: idx1-2
+    hostname: idx1-2
+    environment:
+      LANG: en_US.utf8
+      SPLUNK_PASSWORD: password
+      SPLUNK_DISABLE_POPUPS: "true"
+      SPLUNK_START_ARGS: --accept-license
+      SPLUNK_ROLE: splunk_indexer
+      SPLUNK_CLUSTER_MASTER_URL: cm1
+      SPLUNK_IDXC_PASS4SYMMKEY: cm_and_indexer_comms
+    volumes:
+    - ${HOME}/projects:/projects