docker-splunk icon indicating copy to clipboard operation
docker-splunk copied to clipboard
verified publisher icon splunk

Workarounds to run 9.4 with KVStore on Docker for Mac running on Apple Silicon (M1-M4)

Open outcoldman opened this issue 10 months ago • 4 comments

Splunk 9.4 uses mongod 7 which does not run under Rosetta2 (see https://www.mongodb.com/community/forums/t/mongo-5-on-apple-m1-laptops-via-docker/136506 )

So by hacking around I kind of made it work by switching back to mongod-4.2

  1. Removed mongod link to mongo-7.0 (file /opt/splunk/bin/mongod )

  2. Instead wrote a bash script that will pass everything to mongod-4.2 (see below)

  3. In bash script get rid of one parameter that is not supported by mongod-4.2 --setParameter=minSnapshotHistoryWindowInSeconds=5

  4. Made bash script executable. (chmod +x /opt/splunk/bin/mongod)

Script:

#!/bin/bash

# Define an array to store filtered arguments
filtered_args=()

# Iterate over all input arguments
while [[ $# -gt 0 ]]; do
    case "$1" in
        --setParameter=minSnapshotHistoryWindowInSeconds=5)
            shift  # Skip this parameter
            ;;
        *)
            filtered_args+=("$1")
            shift
            ;;
    esac
done

# Execute /opt/splunk/bin/mongod-4.2 with the filtered arguments
exec /opt/splunk/bin/mongod-4.2 "${filtered_args[@]}"

It seems like that made it to work.

Curious if there are any better workarounds or better compatibility? I know it is not very supported scenario running Splunk under rosetta, but a LOT of developers use it in that configuration.

outcoldman avatar Mar 16 '25 18:03 outcoldman

Actually got this error after

KV Store changed status to failed. Exception while calculating common mongo version. Error: MongoStorageProviderException: [getMongodRunnerVersionFromServerVersion] Unexpected server version detected: 4.4.29.

outcoldman avatar Mar 16 '25 19:03 outcoldman

Ok, tried one more time. This workaround works with mongod-4.2, not anything else.

outcoldman avatar Mar 16 '25 23:03 outcoldman

Any update on this one?

tmoser79 avatar Apr 18 '25 10:04 tmoser79

I wanted to try this approach with Splunk 10 as I really need to test some apps for compatibility with Splunk 10. Unfortunately the problem appears to have become even worse as the mongo-4.2 binary is linked to some libraries that aren't present on the Splunk 10 image.

I installed them and symlinked them despite them being the wrong version. Pretty risky but hey, KV store at least appear to work now.

Dockerfile here. Thanks @outcoldman !

cschmidt0121 avatar Sep 17 '25 16:09 cschmidt0121