search

splunk / splunk-ansible

Ansible playbooks for configuring and managing Splunk Enterprise and Universal Forwarder deployments
357 stars 186 forks source link

Ansible breaks part of functionality on 9.2.x, if it is not license manager. #821

Open yaroslav-nakonechnikov opened 7 months ago

yaroslav-nakonechnikov commented 7 months ago

https://github.com/splunk/splunk-ansible/blob/9.2.1/roles/splunk_common/tasks/enable_forwarding.yml#L57 this breaks functionality of splunk deployment server.

using defaults.yml file doesn't help. I suggest remove this block, or add new variable which will help to set it up.

splunk support ticket: https://splunk.my.site.com/customer/s/case/5005a00002xKTVtAAO/docker-splunk-and-deployment-server

yaroslav-nakonechnikov commented 5 months ago

atm workaround looks like:

- name: fix outputs.conf
  lineinfile:
    path: /opt/splunk/etc/system/local/outputs.conf
    regexp: '^(.*)index =(.*)$'
    line: 'index = True'
    backrefs: yes
  notify:
    - Restart the splunkd service

and setting SPLUNK_ANSIBLE_POST_TASKS = "file:///mnt/path/to/post_tasks.yml"

jmeixensperger commented 5 months ago

Can you elaborate on what functionality is broken? Apologies if it's described in the support ticket--I do not have access to view its details.

All deployment servers that I create on 9.2.1 are able to successfully distribute apps to other instances.

yaroslav-nakonechnikov commented 5 months ago

@jmeixensperger https://some_addess/en-US/manager/system/deploymentserver is always empty, for example, with blank screen

jmeixensperger commented 5 months ago

@yaroslav-nakonechnikov I am unable to reproduce using Splunk 9.2.1 and the latest commits of splunk-ansible. Can you try this out yourself and let me know if you are still seeing the issue?

Here's what I did:

  1. Pull the latest release/develop commit of splunk-ansible in docker-splunk and run: make splunk-redhat-8
  2. Setup a docker-compose.yml using the docker-splunk example here: https://github.com/splunk/docker-splunk/blob/develop/docs/advanced/DEPLOYMENT_SERVER.md#create-standalone-and-deployment-server. Copy the ports section to expose the web port for the deployment server as well.
  3. Run docker-compose with a valid SPLUNK_PASSWORD and set SPLUNK_IMAGE to the new image that was built in step 1.
  4. Wait for the containers to provision. Find the deployment server exposed port and navigate to the url that you shared above.

I also verified that local indexing was indeed disabled through the ansible provisioning. The playbook execution contains:

2024-06-21 10:52:32 TASK [splunk_common : Disable indexing on the current node] ********************
2024-06-21 10:52:32 changed: [localhost]

And the /opt/splunk/etc/system/local/outputs.conf file contains:

[indexAndForward]
index = false
yaroslav-nakonechnikov commented 5 months ago

and it should be with value true.

jmeixensperger commented 5 months ago

We also patched the 9.2.1 docker-splunk image a couple days ago with the splunk-ansible changes that I mentioned. You can try that out to verify if the blank screen issue is still occurring. Let me know if there are more specific steps required to reproduce this issue beyond the example that I shared above.

jmeixensperger commented 5 months ago

@yaroslav-nakonechnikov can you also clarify what you mean by a "blank screen" in case my understanding is wrong? A screenshot example would also be helpful.

yaroslav-nakonechnikov commented 4 months ago

@jmeixensperger

image

yaroslav-nakonechnikov commented 3 months ago

is https://github.com/splunk/splunk-ansible/pull/855 already released in some container on docker.hub?