docker-splunk

Do not re-install splunk when restarting the container

Open Res260 opened this issue 10 months ago • 3 comments

Is there an option to prevent the container from re-running the Ansible playbook that reinstalls everything when the container starts for the second time?

Context: We use https://github.com/splunk/contentctl to do detection engineering in Splunk. We test the rules locally on our machine, and we spin up a Splunk instance, which takes a little less than 20 minutes to fully install everything needed. Once installed, we don't need to re-install everything to test a new set of rules. But every time we shut down the container, we need to wait 20 minutes just to re-install everything for no benefit.

Res260, Apr 04 '25 15:04

AFAIK, there is no explicit option to tell the Ansible playbooks whether to install Splunk or not. Most of the logic is controlled automatically by checks against the files that are present in the container:

  1. checks if the splunk executable exists in the bin/ folder
  2. fetches the Splunk build version/hash from the target URL or file
  3. compares target version/hash to current

The only other way to prevent an install is to launch the container with the no-provision entrypoint command. This will completely prevent any Ansible playbooks from executing.

jmeixensperger, Apr 07 '25 20:04

This is what I ended up doing!

  • Create the container with the "no-provision" argument
  • Manually call the entrypoint.sh with the start argument with docker exec
  • When the container is restarted, start Splunk manually with docker exec

I really wish there was a cleaner way to achieve this.

Res260, Apr 07 '25 20:04
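
The workaround described in the comment above, written as a small wrapper script. This is an added example, not code from the thread or from the docker-splunk project; the container name, image tag, loopback port bindings, the `/sbin/entrypoint.sh` path, the `SPLUNK_START_ARGS`/`SPLUNK_PASSWORD` variables and the `-u splunk` exec user are assumptions.

```sh
#!/bin/sh
# Added example, not docker-splunk project code. Constructed/assumed values:
# container name, image tag, published ports, the entrypoint path
# /sbin/entrypoint.sh, and running the Splunk CLI as user "splunk".
NAME="${NAME:-splunk-dev}"
IMAGE="${IMAGE:-splunk/splunk:latest}"
DOCKER="${DOCKER:-docker}"

# Prints the container's state: absent | stopped | running
container_state() {
  _r="$("$DOCKER" container inspect -f '{{.State.Running}}' "$NAME" 2>/dev/null)" || {
    echo absent; return 0; }
  if [ "$_r" = "true" ]; then echo running; else echo stopped; fi
}

# Prints the docker argument lines needed to reach a running Splunk.
plan() {
  case "$1" in
    absent)
      # First run: create with no-provision, then provision once by hand
      # (this exec step may stay in the foreground while Splunk runs).
      # "-e SPLUNK_PASSWORD" (no value) copies it from the caller's environment,
      # keeping the secret out of this script; ports bind to loopback only.
      echo "run -d --name $NAME -p 127.0.0.1:8000:8000 -p 127.0.0.1:8089:8089" \
           "-e SPLUNK_START_ARGS=--accept-license -e SPLUNK_PASSWORD $IMAGE no-provision"
      echo "exec $NAME /sbin/entrypoint.sh start" ;;
    stopped)
      # Later runs: the install is still in the container's filesystem, so
      # skip Ansible and start splunkd directly.
      echo "start $NAME"
      echo "exec -u splunk $NAME /opt/splunk/bin/splunk start" ;;
    running) ;;
    *) echo "unknown state: $1" >&2; return 2 ;;
  esac
}

# Executes the plan for the current state, stopping at the first failure.
splunk_up() {
  plan "$(container_state)" | while read -r args; do
    # Unquoted $args is intentional: no argument above contains spaces.
    "$DOCKER" $args </dev/null || exit 1
  done
}

if [ "${1:-}" = "up" ]; then splunk_up; fi
```

Run it as `SPLUNK_PASSWORD=... ./script.sh up`; the reinstall is avoided only while the container is stopped and started, not removed and recreated.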

Bind /opt/splunk (or /opt/splunk/etc) to some place/volume and you'll get it persistent.

yaroslav-nakonechnikov, May 06 '25 12:05