splunk / docker-splunk

Splunk Docker GitHub Repository

Splunk 9.1.3 has a regression on the `SPLUNKD_SSL_ENABLE` variable #639

Closed Amndeep7 closed 1 month ago

Amndeep7 commented 5 months ago

Running

```
docker run -it --rm \
  -e "SPLUNK_START_ARGS=--accept-license" \
  -e "SPLUNK_PASSWORD=Valid_password!" \
  -e "SPLUNKD_SSL_ENABLE=false" \
  -e GITHUB_ACTIONS=true \
  -e CI=true \
  -p 8089:8089 -p 8088:8088 \
  -v "/$(pwd)/test/configs/splunk/server.conf":"/etc/system/local/server.conf" \
  splunk/splunk:9.1.2
```

works w/r to spinning up a usable splunk instance.

GitHub Actions run that contains the ansible output: https://github.com/mitre/heimdall2/actions/runs/7718282174/job/21039190919?pr=5410

var/log/splunkd.log output from a locally spun up container: https://gist.github.com/Amndeep7/9d65c8dedd0739cc82bc682295bcc6f0

Running

```
docker run -it --rm \
  -e "SPLUNK_START_ARGS=--accept-license" \
  -e "SPLUNK_PASSWORD=Valid_password!" \
  -e "SPLUNKD_SSL_ENABLE=false" \
  -e GITHUB_ACTIONS=true \
  -e CI=true \
  -p 8089:8089 -p 8088:8088 \
  -v "/$(pwd)/test/configs/splunk/server.conf":"/etc/system/local/server.conf" \
  splunk/splunk:latest
```

causes the container to eventually time out in an unhealthy state.

GitHub Actions run that contains the ansible output: https://github.com/mitre/heimdall2/actions/runs/7716678293/job/21034050807?pr=5410

var/log/splunkd.log output from a locally spun up container: https://gist.github.com/Amndeep7/539aec96e2c1a02a40a9c863986f41bd

The server.conf file is extremely minimal.

test/configs/splunk/server.conf

```
$ cat test/configs/splunk/server.conf
# List of the HTTP Origins for which to return Access-Control-Allow-* (CORS)
# headers.
# These headers tell browsers that web applications are trusted at those sites
# to make requests to the REST interface.
# The origin is passed as a URL without a path component (for example
# "https://app.example.com:8000").
# This setting can take a list of acceptable origins, separated
# by spaces and/or commas.
# Each origin can also contain wildcards for any part. Examples:
# *://app.example.com:* (either HTTP or HTTPS on any port)
# https://*.example.com (any host under example.com, including
# example.com itself)
# An address can be prefixed with a '!' to negate the match, with
# the first matching origin taking precedence. For example,
# "!*://evil.example.com:* *://*.example.com:*" to not avoid
# matching one host in a domain
# A single "*" can also be used to match all origins
# No default.
[httpServer]
crossOriginSharingPolicy = *
```

yarick commented 5 months ago

Could this be related to the removal of Python2 support?

Amndeep7 commented 5 months ago

Looking at the patch notes, it might also have been something that accidentally broke when work was done with the HEC envvars.

Amndeep7 commented 1 month ago

Retrying on the latest splunk/splunk image, which I believe is 9.2.1, has worked. I believe this regression has been resolved, so I am closing this issue.