Merge pull request #399 from splunk/develop

Release/8.0.5

CODEOWNERS

@@ -7,10 +7,10 @@
 
 # Default owners for everything in docker-splunk:
 # *       @splunk/if-01
-*       @nwang92 @alishamayor @arctan5x @lephino @jrigassio-splunk @jmeixensperger @hendolim @jonathan-vega-splunk @bb03
+*       @nwang92 @alishamayor @arctan5x @jrigassio-splunk @jmeixensperger @hendolim @bb03 @sarahotis @martinluo22 @Devmalion
 
 # Docs-only pull requests:
 /docs/  @alishamayor @nwang92 @bb03
 
 # Release changelog
-docs/CHANGELOG.md  @nwang92 @alishamayor @arctan5x @lephino @jrigassio-splunk @jmeixensperger @hendolim @jonathan-vega-splunk @bb03
+docs/CHANGELOG.md  @nwang92 @alishamayor @arctan5x @jrigassio-splunk @jmeixensperger @hendolim @bb03 @sarahotis @martinluo22 @Devmalion

Makefile

@@ -7,8 +7,8 @@ SPLUNK_ANSIBLE_BRANCH ?= develop
 SPLUNK_COMPOSE ?= cluster_absolute_unit.yaml
 # Set Splunk version/build parameters here to define downstream URLs and file names
 SPLUNK_PRODUCT := splunk
-SPLUNK_VERSION := 8.0.4.1
-SPLUNK_BUILD := ab7a85abaa98
+SPLUNK_VERSION := 8.0.5
+SPLUNK_BUILD := a1a6394cc5ae
 ifeq ($(shell arch), s390x)
 	SPLUNK_ARCH = s390x
 else
@@ -25,6 +25,8 @@ SPLUNK_WIN_FILENAME ?= splunk-${SPLUNK_VERSION}-${SPLUNK_BUILD}-x64-release.msi
 SPLUNK_WIN_BUILD_URL ?= https://download.splunk.com/products/${SPLUNK_PRODUCT}/releases/${SPLUNK_VERSION}/windows/${SPLUNK_WIN_FILENAME}
 UF_WIN_FILENAME ?= splunkforwarder-${SPLUNK_VERSION}-${SPLUNK_BUILD}-x64-release.msi
 UF_WIN_BUILD_URL ?= https://download.splunk.com/products/universalforwarder/releases/${SPLUNK_VERSION}/windows/${UF_WIN_FILENAME}
+# Splunk Cloud SDK binary
+SCLOUD_URL ?= https://github.com/splunk/splunk-cloud-sdk-go/releases/download/v1.7.0/scloud_v4.0.0_linux_amd64.tar.gz
 
 # Security Scanner Variables
 SCANNER_DATE := `date +%Y-%m-%d`
@@ -59,16 +61,16 @@ ansible:
 base: base-debian-9 base-debian-10 base-centos-7 base-redhat-8 base-windows-2016
 
 base-debian-10:
-	docker build ${DOCKER_BUILD_FLAGS} -t base-debian-10:${IMAGE_VERSION} ./base/debian-10
+	docker build ${DOCKER_BUILD_FLAGS} --build-arg SCLOUD_URL=${SCLOUD_URL} -t base-debian-10:${IMAGE_VERSION} ./base/debian-10
 
 base-debian-9:
-	docker build ${DOCKER_BUILD_FLAGS} -t base-debian-9:${IMAGE_VERSION} ./base/debian-9
+	docker build ${DOCKER_BUILD_FLAGS} --build-arg SCLOUD_URL=${SCLOUD_URL} -t base-debian-9:${IMAGE_VERSION} ./base/debian-9
 
 base-centos-7:
-	docker build ${DOCKER_BUILD_FLAGS} -t base-centos-7:${IMAGE_VERSION} ./base/centos-7
+	docker build ${DOCKER_BUILD_FLAGS} --build-arg SCLOUD_URL=${SCLOUD_URL} -t base-centos-7:${IMAGE_VERSION} ./base/centos-7
 
 base-redhat-8:
-	docker build ${DOCKER_BUILD_FLAGS} --label version=${SPLUNK_VERSION} -t base-redhat-8:${IMAGE_VERSION} ./base/redhat-8
+	docker build ${DOCKER_BUILD_FLAGS} --build-arg SCLOUD_URL=${SCLOUD_URL} --label version=${SPLUNK_VERSION} -t base-redhat-8:${IMAGE_VERSION} ./base/redhat-8
 
 base-windows-2016:
 	docker build ${DOCKER_BUILD_FLAGS} -t base-windows-2016:${IMAGE_VERSION} ./base/windows-2016

base/centos-7/Dockerfile

@@ -15,5 +15,8 @@
 FROM centos:7
 LABEL maintainer="support@splunk.com"
 
+ARG SCLOUD_URL
+ENV SCLOUD_URL ${SCLOUD_URL}
+
 COPY install.sh /install.sh
 RUN /install.sh && rm -rf /install.sh

base/centos-7/install.sh

@@ -19,7 +19,12 @@ localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
 export LANG=en_US.utf8
 
 yum -y update && yum -y install wget sudo epel-release
-yum -y install busybox ansible python-requests
+yum -y install busybox ansible python-requests python-jmespath
+
+# Install scloud
+wget -O /usr/bin/scloud.tar.gz ${SCLOUD_URL}
+tar -xf /usr/bin/scloud.tar.gz -C /usr/bin/
+rm /usr/bin/scloud.tar.gz
 
 cd /bin
 ln -s busybox killall

base/debian-10/Dockerfile

@@ -15,6 +15,9 @@
 FROM debian:buster-slim
 LABEL maintainer="support@splunk.com"
 
+ARG SCLOUD_URL
+ENV SCLOUD_URL ${SCLOUD_URL}
+
 ENV DEBIAN_FRONTEND=noninteractive
 
 COPY install.sh /install.sh

base/debian-10/install.sh

@@ -33,10 +33,15 @@ apt update
 # put back tools for customer support
 apt-get install -y --no-install-recommends curl sudo libgssapi-krb5-2 busybox procps acl gcc libpython-dev libffi-dev libssl-dev
 apt-get install -y --no-install-recommends python-pip python-setuptools python-requests python-yaml
-pip --no-cache-dir install ansible
+pip --no-cache-dir install ansible jmespath
 apt-get remove -y gcc libffi-dev libssl-dev libpython-dev
 apt-get autoremove -y
 
+# Install scloud
+wget -O /usr/bin/scloud.tar.gz ${SCLOUD_URL}
+tar -xf /usr/bin/scloud.tar.gz -C /usr/bin/
+rm /usr/bin/scloud.tar.gz
+
 cd /bin
 ln -s busybox killall
 ln -s busybox netstat

base/debian-9/Dockerfile

@@ -15,6 +15,9 @@
 FROM debian:stretch-slim
 LABEL maintainer="support@splunk.com"
 
+ARG SCLOUD_URL
+ENV SCLOUD_URL ${SCLOUD_URL}
+
 ENV DEBIAN_FRONTEND=noninteractive
 
 COPY install.sh /install.sh

base/debian-9/install.sh

@@ -35,7 +35,12 @@ apt-get update
 # put back tools for customer support
 apt-cache show ansible
 apt-get install -y --no-install-recommends ansible curl sudo libgssapi-krb5-2 busybox procps acl
-apt-get install -y --no-install-recommends python-requests
+apt-get install -y --no-install-recommends python-requests python-jmespath
+
+# Install scloud
+wget -O /usr/bin/scloud.tar.gz ${SCLOUD_URL}
+tar -xf /usr/bin/scloud.tar.gz -C /usr/bin/
+rm /usr/bin/scloud.tar.gz
 
 cd /bin
 ln -s busybox diff

base/redhat-8/Dockerfile

@@ -24,6 +24,9 @@ LABEL name="splunk" \
       summary="UBI 8 Docker image of Splunk Enterprise" \
       description="Splunk Enterprise is a platform for operational intelligence. Our software lets you collect, analyze, and act upon the untapped value of big data that your technology infrastructure, security systems, and business applications generate. It gives you insights to drive operational performance and business results."
 
+ARG SCLOUD_URL
+ENV SCLOUD_URL ${SCLOUD_URL}
+
 COPY install.sh /install.sh
 
 RUN mkdir /licenses \

base/redhat-8/install.sh

@@ -34,7 +34,7 @@ wget -O /bin/busybox https://busybox.net/downloads/binaries/1.28.1-defconfig-mul
 chmod +x /bin/busybox
 microdnf -y --nodocs update gnutls kernel-headers
 microdnf -y --nodocs install python2-pip python2-devel redhat-rpm-config gcc libffi-devel openssl-devel
-pip2 --no-cache-dir install requests ansible
+pip2 --no-cache-dir install requests ansible jmespath
 microdnf -y remove gcc openssl-devel redhat-rpm-config python2-devel device-mapper-libs device-mapper trousers systemd systemd-pam \
                    dwz dbus dbus-common dbus-daemon dbus-tools dbus-libs go-srpm-macros iptables-libs annobin cryptsetup-libs \
                    ocaml-srpm-macros openblas-srpm-macros qt5-srpm-macros perl-srpm-macros rust-srpm-macros ghc-srpm-macros \
@@ -44,6 +44,11 @@ microdnf -y remove gcc openssl-devel redhat-rpm-config python2-devel device-mapp
                    libfdisk libpcap libseccomp libselinux-devel libutempter binutils libxcrypt-devel cpp glibc-devel glibc-headers \
                    krb5-devel libkadm5 platform-python-pip
 
+# Install scloud
+wget -O /usr/bin/scloud.tar.gz ${SCLOUD_URL}
+tar -xf /usr/bin/scloud.tar.gz -C /usr/bin/
+rm /usr/bin/scloud.tar.gz
+
 cd /bin
 ln -s python2 python || true
 ln -s busybox diff || true

docs/ADVANCED.md

@@ -17,6 +17,7 @@ Let's dive into the nitty-gritty of how to tweak the setup of your containerized
 * [Create custom configs](#create-custom-configs)
 * [Enable SmartStore](#enable-smartstore)
     * [Configure cache manager](#configure-cache-manager)
+* [Forward to Data Stream Processor](#forward-to-data-stream-processor)
 * [Use a deployment server](#use-a-deployment-server)
 * [Deploy distributed topology](#deploy-distributed-topology)
 * [Enable SSL internal communication](#enable-ssl-internal-communication)
@@ -51,19 +52,39 @@ When starting the docker container, the `default.yml` can be mounted in `/tmp/de
 
 Environment variables specified at runtime will take precedence over anything defined in `default.yml`.
 ```bash
-# Volume-mounting option
+# Volume-mounting option using --volumes/-v flag
 $ docker run -d -p 8000:8000 -e "SPLUNK_PASSWORD=<password>" \
              -e "SPLUNK_START_ARGS=--accept-license" \
-             -v default.yml:/tmp/defaults/default.yml \
+             -v "$(pwd)/default.yml:/tmp/defaults/default.yml" \
+             splunk/splunk:latest
+
+# Volume-mounting option using --mount flag
+$ docker run -d -p 8000:8000 -e "SPLUNK_PASSWORD=<password>" \
+             -e "SPLUNK_START_ARGS=--accept-license" \
+             --mount type=bind,source="$(pwd)"/default.yml,target=/tmp/defaults/default.yml
              splunk/splunk:latest
 
 # URL option
-$ docker run -d -p 8000:8000 -v -e "SPLUNK_PASSWORD=<password>" \
+$ docker run -d -p 8000:8000 -e "SPLUNK_PASSWORD=<password>" \
              -e "SPLUNK_START_ARGS=--accept-license" \
              -e "SPLUNK_DEFAULTS_URL=http://company.net/path/to/default.yml" \
              splunk/splunk:latest
 ```
 
+Additionally, note that you do not need to supply the full `default.yml` if you only choose to modify a portion of how Splunk Enterprise is configured upon boot. For instance, if you wish to take advantage of the ability to write conf files through the `splunk.conf` key, the full `default.yml` passed in will simply look like the following:
+```
+splunk:
+  conf:
+    - key: indexes
+      value:
+        directory: /opt/splunk/etc/system/local
+        content:
+          test:
+            homePath: $SPLUNK_DB/test/db
+            coldPath: $SPLUNK_DB/test/colddb
+            thawedPath: $SPLUNK_DB/test/thaweddb
+```
+
 ### Configuration specs for default.yml
 
 #### Global variables
@@ -305,6 +326,9 @@ splunk:
   ...
 ```
 
+## Forward to Data Stream Processor
+See the [DSP integration document](advanced/DSP.md) to learn how to directly send data from a forwarder to [Splunk Data Stream Processor](https://www.splunk.com/en_us/software/stream-processing.html).
+
 ## Use a deployment server
 Deployment servers can be used to manage otherwise unclustered or disjoint Splunk instances. A primary use-case would be to stand up a deployment server to manage app or configuration distribution to a fleet of 100 universal forwarders.
 

docs/CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## Navigation
 
+* [8.0.5](#805)
 * [8.0.4.1](#8041)
 * [8.0.4](#804)
 * [8.0.3](#803)
@@ -33,6 +34,24 @@
 
 ---
 
+## 8.0.5
+
+#### What's New?
+* Releasing new images to support Splunk Enterprise maintenance patch.
+
+#### docker-splunk changes:
+* Bumping Splunk version. For details, see [Fixed issues for 8.0.5](https://docs.splunk.com/Documentation/Splunk/8.0.5/ReleaseNotes/Fixedissues)
+* Support for Splunk Cloud
+* Added tests and documentation for new features
+
+#### splunk-ansible changes:
+* Support for Splunk Enterprise Security (ES)
+* Added a role for the Distributed Monitoring Console (DMC)
+* Support for forwarding from the Splunk Data Stream Processor (DSP)
+* `splunk.license_master_url` now allows scheme and port to be set along with the protocol
+
+---
+
 ## 8.0.4.1
 
 #### What's New?

docs/advanced/APP_INSTALL.md

@@ -16,15 +16,19 @@ App installation can be done a variety of ways: either through a file/directory
 If you have a local directory that follows the proper Splunk apps model, you can mount this entire path to the container at runtime.
 
 For instance, take the following app `splunk_app_example`:
-```
+```bash
 $ find . -type f
 ./splunk_app_example/default/app.conf
 ./splunk_app_example/metadata/default.meta
 ```
 
 We can bind-mount this upon container start and use it as a regular Splunk app:
-```
-$ docker run -it -v ./splunk_app_example:/opt/splunk/etc/apps/splunk_app_example/ --name so1 --hostname so1 -p 8000:8000 -e "SPLUNK_PASSWORD=<password>" -e "SPLUNK_START_ARGS=--accept-license" -it splunk/splunk:latest
+```bash
+# Volume-mounting option using --volumes/-v flag
+$ docker run -it -v "$(pwd)/splunk_app_example:/opt/splunk/etc/apps/splunk_app_example/" --name so1 --hostname so1 -p 8000:8000 -e "SPLUNK_PASSWORD=<password>" -e "SPLUNK_START_ARGS=--accept-license" -it splunk/splunk:latest
+
+# Volume-mounting option using --mount flag
+$ docker run -it --mount type=bind,source="$(pwd)"/splunk_app_example,target=/opt/splunk/etc/apps/splunk_app_example/ --name so1 --hostname so1 -p 8000:8000 -e "SPLUNK_PASSWORD=<password>" -e "SPLUNK_START_ARGS=--accept-license" -it splunk/splunk:latest
 ```
 
 You should be able to view the `splunk_app_example` in SplunkWeb after the container successfully finished provisioning.

docs/advanced/DSP.md

@@ -0,0 +1,110 @@
+## Data Stream Processor
+[Splunk Data Stream Processor](https://www.splunk.com/en_us/software/stream-processing.html) is a separate service that can be used to collect and facilitate real-time stream processing. For more information, visit the [Splunk Data Stream Processor documentation](https://docs.splunk.com/Documentation/DSP).
+
+The Splunk Docker image supports native integration with DSP through forwarders. Both universal and heavy forwarders can be automatically provisioned to send traffic to DSP, wherein custom pipelines can be configured to redirect and reformat the data as desired.
+
+## Navigation
+
+* [Forwarding traffic](#forwarding-traffic)
+  * [User-generated certificates](#user-generated-certificates)
+  * [Auto-generated certificates](#auto-generated-certificates)
+* [Defining pipelines ](#defining-pipelines)
+
+## Forwarding Traffic
+Splunk DSP pipelines can be used to [process forwarder data](https://docs.splunk.com/Documentation/DSP/1.1.0/User/SenddataUF), either from a `splunk_universal_forwarder` or a `splunk_heavy_forwarder` role.
+
+You will need [`scloud`](https://github.com/splunk/splunk-cloud-sdk-go) before proceeding.
+
+### User-generated certificates
+In order to get data into DSP, you must generate a client certificate and register it to the DSP forwarder service. Instructions for this can be found [here](https://docs.splunk.com/Documentation/DSP/1.1.0/Data/Forwarder), or as follows:
+```bash
+$ openssl genrsa -out my_forwarder.key 2048
+$ openssl req -new -key "my_forwarder.key" -out "my_forwarder.csr" -subj "/C=US/ST=CA/O=my_organization/CN=my_forwarder/emailAddress=email@example.com"
+$ openssl x509 -req -days 730 -in "my_forwarder.csr" -signkey "my_forwarder.key" -out "my_forwarder.pem" -sha256
+$ cat my_forwarder.pem my_forwarder.key > my_forwarder-keys.pem
+$ scloud forwarders add-certificate --pem "$(<my_forwarder.pem)" 
+```
+
+Once you have the resulting `my_forwarder-keys.pem`, this can be mounted into the container and used immediately. Refer to the following `docker-compose.yml` example below:
+```yaml
+version: "3.6"
+
+services:
+  hf1:
+    image: splunk/splunk:8.0.5
+    hostname: hf1
+    environment:
+      - SPLUNK_ROLE=splunk_heavy_forwarder
+      - SPLUNK_START_ARGS=--accept-license
+      - SPLUNK_PASSWORD=helloworld
+      - SPLUNK_DSP_ENABLE=true
+      - SPLUNK_DSP_CERT=/opt/splunk/etc/auth/mycerts/my_forwarder-keys.pem
+      - SPLUNK_DSP_SERVER=dsp-master-node.hostname:30001
+    ports:
+      - 8000
+      - 8089
+    volumes:
+      - ./my_forwarder-keys.pem:/opt/splunk/etc/auth/mycerts/my_forwarder-keys.pem
+```
+
+Alternatively, this can also be done using the `default.yml` as so:
+```yaml
+---
+splunk:
+  dsp:
+    enable: True
+    server: dsp-master-node.hostname:30001
+    cert: /opt/splunk/etc/auth/mycerts/my_forwarder-keys.pem
+  ...
+```
+
+### Auto-generated Certificates
+If you're just getting your feet wet with DSP and these Docker images, it can be helpful to rely on the Docker image to generate the certificates for you. Using `SPLUNK_DSP_CERT=auto` or `splunk.dsp.cert: auto` will let the container to create the certificate and print it out through the container's logs for you to register yourself:
+```bash
+$ scloud forwarders add-certificate --pem "<copied from cert printed to container stdout>" 
+```
+
+## Defining Pipelines
+In addition to native support for sending data, the Docker image is also capable of configuring the pipeline in DSP which can be useful in declaratively defining the full end-to-end parsing and ingest 
+
+You will need [`scloud`](https://github.com/splunk/splunk-cloud-sdk-go) before proceeding. In addition, you'll need an `scloud.toml` and `.scloud_context` with permissions enabled to read/write to your DSP installation.
+
+Pipeline specifications are defined using [SPL2](https://docs.splunk.com/Documentation/DSP/1.1.0/User/SPL2). Refer to the following `docker-compose.yml` example below:
+```yaml
+version: "3.6"
+
+services:
+  hf1:
+    image: splunk/splunk:8.0.5
+    hostname: hf1
+    environment:
+      - SPLUNK_ROLE=splunk_heavy_forwarder
+      - SPLUNK_START_ARGS=--accept-license
+      - SPLUNK_PASSWORD=helloworld
+      - SPLUNK_DSP_ENABLE=true
+      - SPLUNK_DSP_CERT=auto
+      - SPLUNK_DSP_SERVER=dsp-master-node.hostname:30001
+      - SPLUNK_DSP_PIPELINE_NAME=ingest-example
+      - SPLUNK_DSP_PIPELINE_DESC="Demo using forwarders as source"
+      - SPLUNK_DSP_PIPELINE_SPEC='| from receive_from_forwarders("forwarders:all") | into index("", "main");'
+    ports:
+      - 8000
+      - 8089
+    volumes:
+      - ./.scloud.toml:/home/splunk/.scloud.toml
+      - ./.scloud_context:/home/splunk/.scloud_context
+```
+
+Alternatively, this can also be done using the `default.yml` as so:
+```yaml
+---
+splunk:
+  dsp:
+    enable: True
+    server: dsp-master-node.hostname:30001
+    cert: auto
+    pipeline_name: ingest-example
+    pipeline_desc: "Demo using forwarders as source"
+    pipeline_spec: '| from receive_from_forwarders("forwarders:all") | into index("", "main");'
+  ...
+```