使用 Alpine 基础镜像创建 Splunk 通用转发器

Creating Splunk universal forwarder using Alpine base image

我正在尝试使用 alpine:3.8 基本映像创建 Splunk 通用转发器映像。

FROM alpine:3.8

ENV SPLUNK_PRODUCT universalforwarder
ENV SPLUNK_VERSION 6.3.1
ENV SPLUNK_BUILD f3e41e4b37b2
ENV SPLUNK_FILENAME splunkforwarder-${SPLUNK_VERSION}-${SPLUNK_BUILD}-Linux-x86_64.tgz
ENV SPLUNK_SERVER_HOST testapp:9997
ENV SPLUNK_HOME /opt/splunk
ENV SPLUNK_GROUP splunk
ENV SPLUNK_USER splunk
ENV SPLUNK_BACKUP_DEFAULT_ETC /var/opt/splunk
ENV SPLUNK_INDEX test
ENV FORWARD_HOSTNAME InstanceId

# Here we install GNU libc (aka glibc) and set C.UTF-8 locale as default.
RUN apk --no-cache add ca-certificates wget \
    && wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub \
    && wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.28-r0/glibc-2.28-r0.apk \
    && apk add glibc-2.28-r0.apk \
    && rm -rf /var/lib/apt/lists/*

# add splunk:splunk user
RUN addgroup --system ${SPLUNK_GROUP} \
    && adduser --system --ingroup ${SPLUNK_GROUP} ${SPLUNK_USER}

# Download official Splunk release, verify checksum and unzip in /opt/splunk
# Also backup etc folder, so it will be later copied to the linked volume
RUN apk add sudo curl\
    && mkdir -p ${SPLUNK_HOME} \
    && curl -o /tmp/${SPLUNK_FILENAME} https://download.splunk.com/products/${SPLUNK_PRODUCT}/releases/${SPLUNK_VERSION}/linux/${SPLUNK_FILENAME} \
    && curl -o /tmp/${SPLUNK_FILENAME}.md5 https://download.splunk.com/products/${SPLUNK_PRODUCT}/releases/${SPLUNK_VERSION}/linux/${SPLUNK_FILENAME}.md5 \
    && tar xzf /tmp/${SPLUNK_FILENAME} --strip 1 -C ${SPLUNK_HOME} \
    && rm /tmp/${SPLUNK_FILENAME} \
    && rm /tmp/${SPLUNK_FILENAME}.md5 \
    && mkdir -p /var/opt/splunk \
    && cp -R ${SPLUNK_HOME}/etc ${SPLUNK_BACKUP_DEFAULT_ETC} \
    && rm -fR ${SPLUNK_HOME}/etc \
    && chown -R ${SPLUNK_USER}:${SPLUNK_GROUP} ${SPLUNK_HOME} \
    && chown -R ${SPLUNK_USER}:${SPLUNK_GROUP} ${SPLUNK_BACKUP_DEFAULT_ETC} \
    && rm -rf /var/lib/apt/lists/*

COPY ./config /tmp/splunk

COPY patch-entrypoint.sh /sbin/entrypoint.sh
RUN chmod +x /sbin/entrypoint.sh

# Ports Splunk Daemon, Network Input, HTTP Event Collector
EXPOSE 8089/tcp 1514 8088/tcp

WORKDIR /opt/splunk

# Configurations folder, var folder for everyting (indexes, logs, kvstore)
VOLUME [ "/opt/splunk/etc", "/opt/splunk/var" ]

ENTRYPOINT ["/sbin/entrypoint.sh"]
CMD ["start-service"]

现在我面临着几个问题:

  1. 当我 运行 /opt/splunkforwarder/bin/splunk start --accept-license 我得到 /opt/splunkforwarder/bin/splunk: not found.

我正在使用自定义 output.conf 文件。它在配置文件夹中。

[tcpout]
defaultGroup = abc
disabled = false

[tcpout:abc]
server = _OUTPUT_SERVERS_
autoLB = true
compressed = false
useACK = true
sendCookedData = true

entrypoint.sh 是我用来从 output.config 替换环境变量并重新启动 Splunk 的脚本,但再次重新启动不起作用。我该如何解决这个问题?

AFAIK,alpine:3.8 不附带 Splunk 需要的 glibc。这可能会导致问题吗?您是否尝试过使用不同的基本图像?