Splunk Universal Forwarder in Docker as a system log collector

Splunk is one of the most recognizable commercial log collection and analysis products. Even now, when it is no longer sold in Russia, that is no reason not to write instructions and how-tos for it.

Task objective: collect system logs from docker nodes into Splunk without changing the configuration of the host machine.

I would like to start with the official approach, which looks a bit strange when you are using Docker.
Link to Docker Hub
What we have:

1. Pull the image

$ docker pull splunk/universalforwarder:latest

2. Start the container with the required parameters

$ docker run -d  -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<password>' splunk/universalforwarder:latest

3. Enter the container

docker exec -it <container-id> /bin/bash

Next, we are told to go to an address known from the documentation.

And configure the container after it has started:


./splunk add forward-server <host name or ip address>:<listening port>
./splunk add monitor /var/log
./splunk restart

Wait. What?

But the surprises do not end there. If you run the container from the official image in interactive mode, you will see the following:

A small disappointment


$ docker run -it -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=password' splunk/universalforwarder:latest

PLAY [Run default Splunk provisioning] *******************************************************************************************************************************************************************************************************
Tuesday 09 April 2019  13:40:38 +0000 (0:00:00.096)       0:00:00.096 *********

TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019  13:40:39 +0000 (0:00:01.520)       0:00:01.616 *********

TASK [Get actual hostname] *******************************************************************************************************************************************************************************************************************
changed: [localhost]
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.599)       0:00:02.215 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.054)       0:00:02.270 *********

TASK [set_fact] ******************************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.075)       0:00:02.346 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.067)       0:00:02.413 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.060)       0:00:02.473 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.051)       0:00:02.525 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.056)       0:00:02.582 *********
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.216)       0:00:02.798 *********
included: /opt/ansible/roles/splunk_common/tasks/change_splunk_directory_owner.yml for localhost
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.087)       0:00:02.886 *********

TASK [splunk_common : Update Splunk directory owner] *****************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.324)       0:00:03.210 *********
included: /opt/ansible/roles/splunk_common/tasks/get_facts.yml for localhost
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.094)       0:00:03.305 *********

and so on...

Great. The image does not even contain the artifact. That is, every time it starts it will spend time downloading the archive with the binaries, unpacking it and configuring it.
And what about the docker way and all that?

No thanks. We will take another route. What if we do all of these operations at the build stage? Then let's go!

So as not to drag this out, I will show the final image right away:

Dockerfile

# Base image: everyone has their own preferences here
FROM centos:7

# Set the variables so they do not have to be given on every start
ENV SPLUNK_HOME /splunkforwarder
ENV SPLUNK_ROLE splunk_heavy_forwarder
ENV SPLUNK_PASSWORD changeme
ENV SPLUNK_START_ARGS --accept-license

# Install packages
# wget - to download the artifacts
# expect - needed for the initial Splunk start at the build stage
# jq - used by the scripts that collect docker statistics
RUN yum install -y epel-release \
    && yum install -y wget expect jq

# Download, unpack, delete
RUN wget -O splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.4&product=universalforwarder&filename=splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz&wget=true' \
    && wget -O docker-18.09.3.tgz 'https://download.docker.com/linux/static/stable/x86_64/docker-18.09.3.tgz' \
    && tar -xvf splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
    && tar -xvf docker-18.09.3.tgz \
    && rm -f splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
    && rm -f docker-18.09.3.tgz

# The shell scripts are self-explanatory, but inputs.conf, splunkclouduf.spl and first_start.sh need an explanation. I will cover them after the source tag.
COPY [ "inputs.conf", "docker-stats/props.conf", "/splunkforwarder/etc/system/local/" ]
COPY [ "docker-stats/docker_events.sh", "docker-stats/docker_inspect.sh", "docker-stats/docker_stats.sh", "docker-stats/docker_top.sh", "/splunkforwarder/bin/scripts/" ]
COPY splunkclouduf.spl /splunkclouduf.spl
COPY first_start.sh /splunkforwarder/bin/

# Grant execute permissions, add the user and perform the initial setup
RUN chmod +x /splunkforwarder/bin/scripts/*.sh \
    && groupadd -r splunk \
    && useradd -r -m -g splunk splunk \
    && echo "%sudo ALL=NOPASSWD:ALL" >> /etc/sudoers \
    && chown -R splunk:splunk $SPLUNK_HOME \
    && /splunkforwarder/bin/first_start.sh \
    && /splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme \
    && /splunkforwarder/bin/splunk restart

# Copy the init scripts
COPY [ "init/entrypoint.sh", "init/checkstate.sh", "/sbin/" ]

# Optional. Some people need the configs/logs locally, some do not.
VOLUME [ "/splunkforwarder/etc", "/splunkforwarder/var" ]

HEALTHCHECK --interval=30s --timeout=30s --start-period=3m --retries=5 CMD /sbin/checkstate.sh || exit 1

ENTRYPOINT [ "/sbin/entrypoint.sh" ]
CMD [ "start-service" ]

So, what is inside

first_start.sh

#!/usr/bin/expect -f
# Drive the interactive first start of Splunk so the build does not block on prompts
set timeout -1
spawn /splunkforwarder/bin/splunk start --accept-license
expect "Please enter an administrator username: "
send -- "admin\r"
expect "Please enter a new password: "
send -- "changeme\r"
expect "Please confirm new password: "
send -- "changeme\r"
expect eof

On the first start, Splunk asks you to give it a login/password, BUT this data is used only to run administrative commands for this particular installation, that is, inside the container. In our case, we just want to launch the container so that everything works and the logs flow like a river. Of course, this is hardcoding, but I did not find any other way.

Next, the script runs

/splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme

splunkclouduf.spl is a credentials file for Splunk Universal Forwarder, which can be downloaded from the web interface.

Where to click to download (in the picture)
This is a regular archive that can be unpacked. Inside are certificates and a password for connecting to our SplunkCloud, and an outputs.conf with the list of our input instances. This file stays relevant until you reinstall your Splunk installation or add an input node, if the installation is on site. Therefore, there is nothing wrong with adding it inside the container.

And the last thing is a restart. Yes, to apply the changes you need to restart it.

In our inputs.conf we add the logs we want to send to Splunk. It is not necessary to add this file to the image if, for example, you distribute configs through puppet. The only thing is that the Forwarder sees the configs when the daemon starts; otherwise it will need a ./splunk restart.

What are the docker stats scripts? There is an old solution on Github from outcoldman; the scripts were taken from there and modified to work with the current versions of Docker (ce-17.*) and Splunk (7.*).

With the data obtained, you can build the following dashboard: (a couple of pictures)

The source code for the dashboards is in the link given at the end of the article. Note that there are 2 select fields: 1 - index selection (search by mask), 2 - host/container selection. You will most likely need to update the index mask depending on the names you use.

In conclusion, I would like to draw your attention to the start() function in

entrypoint.sh

start() {
    trap teardown EXIT
    # Refuse to start without an index name; the placeholder would otherwise stay in inputs.conf
    if [ -z "$SPLUNK_INDEX" ]; then
        echo "'SPLUNK_INDEX' env variable is empty or not defined. Should be 'dev' or 'prd'." >&2
        exit 1
    else
        sed -e "s/@index@/$SPLUNK_INDEX/" -i "${SPLUNK_HOME}/etc/system/local/inputs.conf"
    fi
    # /etc/hostname is bind-mounted from the host, so the host field carries the node name
    sed -e "s/@hostname@/$(cat /etc/hostname)/" -i "${SPLUNK_HOME}/etc/system/local/inputs.conf"
    sh -c "echo 'starting' > /tmp/splunk-container.state"
    "${SPLUNK_HOME}/bin/splunk" start
    watch_for_failure
}

In my case, for each environment and each individual entity, whether an application in a container or a host machine, we use a separate index. That way search speed does not suffer when a significant amount of data accumulates. A simple rule is used to name indexes: _. Therefore, for the container to be universal, before launching the daemon itself we replace the wildcard in the config with the environment name using sed. The environment name is passed in through an environment variable. Sounds funny.

It is also worth noting that for some reason Splunk is not affected by the presence of the docker hostname parameter. It will stubbornly send logs with its container id in the host field. As a workaround, you can mount /etc/hostname from the host machine and, at startup, do a replacement similar to the one for the index name.
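The placeholder substitution that start() performs for the index name and for the host name is the one place where a value from outside the image (an environment variable and a bind-mounted file) is spliced into a sed expression and into the forwarder's configuration. The following is an added example, not code from the article or its repository: it renders the same @index@ / @hostname@ placeholders, but validates both values first so that an empty or malformed value fails the start instead of producing a misconfigured forwarder. The names render_inputs_conf, valid_name, unresolved_placeholders and SAMPLE_TEMPLATE are my own, and the template content is constructed for the demo.

```shell
#!/bin/sh
# Added example (not the article's code): render inputs.conf from a template
# the way the entrypoint's start() does, with both values validated first.

# Constructed sample template using the same @index@ and @hostname@
# placeholders the article's inputs.conf relies on.
SAMPLE_TEMPLATE='[monitor:///var/log]
index = @index@_host
host = @hostname@
sourcetype = syslog
'

# Accept only characters that are safe both as a Splunk index/host name and
# inside the sed s/// expression (no slashes, no newlines, no shell metachars).
valid_name() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# render_inputs_conf TEMPLATE OUTPUT INDEX HOSTNAME
# Writes OUTPUT from TEMPLATE; fails closed (non-zero exit, nothing written)
# when a value is missing or malformed, instead of starting misconfigured.
render_inputs_conf() {
    tpl=$1; out=$2; idx=$3; hn=$4
    if ! valid_name "$idx"; then
        echo "SPLUNK_INDEX is empty or not a valid index name: '$idx'" >&2
        return 1
    fi
    if ! valid_name "$hn"; then
        echo "hostname is empty or not a valid host name: '$hn'" >&2
        return 1
    fi
    sed -e "s/@index@/$idx/g" -e "s/@hostname@/$hn/g" "$tpl" > "$out"
}

# Count lines that still carry an unresolved @...@ placeholder; a post-render
# check like this catches a template the sed expressions did not cover.
unresolved_placeholders() {
    grep -c '@[a-z]*@' "$1" || true
}

# Stand-alone demo with constructed inputs (in the container the values would
# come from $SPLUNK_INDEX and the bind-mounted /etc/hostname instead).
demo_dir=$(mktemp -d)
printf '%s' "$SAMPLE_TEMPLATE" > "$demo_dir/inputs.conf.tpl"
render_inputs_conf "$demo_dir/inputs.conf.tpl" "$demo_dir/inputs.conf" prd node01
cat "$demo_dir/inputs.conf"
```

In the entrypoint this would be called as render_inputs_conf with "$SPLUNK_INDEX" and "$(cat /etc/hostname)" before splunk start; the allow-list is deliberately narrower than what Splunk itself accepts, which is the right trade-off for a value that ends up inside a sed expression.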

Example docker-compose.yml

version: '2'
services:
  splunk-forwarder:
    image: "${IMAGE_REPO}/docker-stats-splunk-forwarder:${IMAGE_VERSION}"
    environment:
      SPLUNK_INDEX: ${ENVIRONMENT}
    volumes:
    - /etc/hostname:/etc/hostname:ro
    - /var/log:/var/log
    - /var/run/docker.sock:/var/run/docker.sock:ro

Summary

Yes, perhaps the solution is not ideal and certainly not universal for everyone, since there is a lot of hardcoding in it. But based on it, anyone can build their own image and put it in their private artifactory if, as it happens, you need Splunk Forwarder in Docker.

Links:

The solution from the article
The solution from outcoldman that inspired us to reuse some of its functionality
Splunk documentation for setting up the Universal Forwarder

Sous: www.habr.com
