#!/bin/bash
# Helper function to avoid fixed sleep time waiting for a given container to become available
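wait_for_splunk_container ()
{
  # Poll the host port that Docker published for container port 8000 of $1
  # until Splunk answers an HTTP HEAD request, instead of sleeping a fixed time.
  # Arguments: $1 - container name
  #            $2 - optional maximum number of 5 s polls (default 0 = unlimited,
  #                 the original behaviour)
  # Outputs:   one '.' per poll on stdout, a diagnostic on stderr when giving up
  # Returns:   0 once the port answers, 1 if `docker port` fails or the poll
  #            budget is exhausted
  local container=$1
  local max_attempts=${2:-0}
  local mapping port attempt=0
  mapping=$(docker port "$container" 8000) || return 1
  # docker port may list several mappings (e.g. IPv4 and IPv6); keep the first
  mapping=${mapping%%$'\n'*}
  port=${mapping##*:}
  # Run curl directly: the original wrapped it in $(...) and relied on the empty
  # expansion so that `until` saw curl's exit status by accident.
  until curl --output /dev/null --silent --head --fail "http://localhost:${port}"; do
    attempt=$((attempt + 1))
    if (( max_attempts > 0 && attempt >= max_attempts )); then
      printf '\n%s did not become available after %d attempts\n' "$container" "$attempt" >&2
      return 1
    fi
    printf '.'
    sleep 5
  done
  printf '\n'
}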
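#
# This is a Splunk Enterprise deployment.
# A valid license file must be present in the same directory as this script
# Without a valid license, enterprise features will be disabled (replication, ...)
#
# The path is relative: run the script from its own directory (the docker cp
# and apps/ steps below use relative paths as well).
LICENSE_FILE="enterprise.lic"
if [[ ! -f "$LICENSE_FILE" ]]; then
  printf 'Splunk license file %s not found.\nExiting.\n' "$LICENSE_FILE" >&2
  exit 1
fi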
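#
# Define administrative user for remote management purposes
# This user will be added to all instances in order to allow proper cluster management without interfering with security policies
# --env SPLUNK_CMDx="add user $SPLUNK_ADMIN -password $SPLUNK_ADMIN_PASSWORD -role admin -auth admin:changeme"
#
# NOTE: the password is handed to every container through SPLUNK_CMD*
# environment variables and on `docker exec` command lines, so anyone who can
# read the Docker socket (`docker inspect`) or the process list can recover it.
# It is also printed below so the operator can log in; treat the script output
# as sensitive.
readonly SPLUNK_ADMIN="admin2"
SPLUNK_ADMIN_PASSWORD=$(openssl rand -hex 12)
# An empty password (openssl missing or failing) would turn every "add user"
# command into a malformed one, so stop here rather than deploy a broken stack.
: "${SPLUNK_ADMIN_PASSWORD:?failed to generate the management password (is openssl installed?)}"
readonly SPLUNK_ADMIN_PASSWORD
printf '>Management user: %s/%s\n' "$SPLUNK_ADMIN" "$SPLUNK_ADMIN_PASSWORD"
#
# Define Indexing Cluster Search Factor (SF) Replication factor (RF) and number of Search Peers (SP)
#
readonly SF=1
readonly RF=$(( SF + 1 ))
readonly SP=$(( RF + 0 ))   # one peer per replica copy
readonly IX_CLUSTER_LABEL="OASIS"
IX_CLUSTER_KEY=$(openssl rand -hex 12)
: "${IX_CLUSTER_KEY:?failed to generate the indexer cluster secret}"
readonly IX_CLUSTER_KEY
#
# Define Search Head Cluster parameters, number of members (SH), Label and Secret
#
readonly SH=3
readonly SH_CLUSTER_LABEL="SH_$IX_CLUSTER_LABEL"
SH_CLUSTER_KEY=$(openssl rand -hex 12)
: "${SH_CLUSTER_KEY:?failed to generate the search head cluster secret}"
readonly SH_CLUSTER_KEY
#
# Define number of Universal Forwarders (UF) and Heavy Forwarders (HF)
#
readonly UF=0
readonly HF=0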
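#
# --- Cleaning old Stuff
#
echo "Cleaning old stuff"
# Restrict the purge to this deployment's containers (all are named splunk*).
# The previous `docker rm -vf $(docker ps -aq)` removed every container on the
# host, including ones unrelated to this script.
mapfile -t old_containers < <(docker ps -aq --filter name=splunk)
if (( ${#old_containers[@]} > 0 )); then
  docker rm -vf "${old_containers[@]}"
fi
# Fails harmlessly on a fresh host where the network does not exist yet.
docker network rm splunk
#
# --- Create Network
#
echo "Creating docker network, so all containers will see each other"
# Every later `docker run --net splunk` depends on this, so do not carry on without it.
if ! docker network create splunk; then
  echo "Could not create docker network 'splunk'. Exiting." >&2
  exit 1
fi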
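#
# --- License server
#
echo "Starting License server"
docker run -d --net splunk \
  --hostname splunklicenseserver \
  --name splunklicenseserver \
  --publish 8000 \
  --env SPLUNK_START_ARGS=--accept-license \
  --env SPLUNK_CMD="add user $SPLUNK_ADMIN -password $SPLUNK_ADMIN_PASSWORD -role admin -auth admin:changeme" \
  splunk/splunk
wait_for_splunk_container splunklicenseserver
echo "Add License"
docker cp "./$LICENSE_FILE" splunklicenseserver:/tmp/enterprise.lic
docker exec splunklicenseserver entrypoint.sh splunk add licenses /tmp/enterprise.lic -auth "$SPLUNK_ADMIN:$SPLUNK_ADMIN_PASSWORD"
echo "Disable Indexing on License master"
docker cp ./search_head_outputs.conf splunklicenseserver:/opt/splunk/etc/system/local/
# Use the absolute config directory (the same one docker cp targets) rather
# than a `cd` relative to whatever working directory the image sets.
docker exec splunklicenseserver bash -c "cd /opt/splunk/etc/system/local && cat search_head_outputs.conf >> outputs.conf"
echo "Restarting License server"
docker exec splunklicenseserver entrypoint.sh splunk restart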
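#
# --- Create Indexing tier
#
# --- Create Indexer Cluster Master
#
echo "Starting Splunk Master"
docker run -d --net splunk \
  --hostname splunkmaster \
  --name splunkmaster \
  --publish 8000 \
  --env SPLUNK_START_ARGS=--accept-license \
  --env SPLUNK_CMD="add user $SPLUNK_ADMIN -password $SPLUNK_ADMIN_PASSWORD -role admin -auth admin:changeme" \
  --env SPLUNK_CMD_1="edit cluster-config -mode master -replication_factor $RF -search_factor $SF -secret $IX_CLUSTER_KEY -cluster_label $IX_CLUSTER_LABEL -auth $SPLUNK_ADMIN:$SPLUNK_ADMIN_PASSWORD" \
  --env SPLUNK_CMD_2="edit licenser-localslave -master_uri https://splunklicenseserver:8089 -auth $SPLUNK_ADMIN:$SPLUNK_ADMIN_PASSWORD" \
  splunk/splunk
wait_for_splunk_container splunkmaster
echo "Enabling Indexer discovery on Master"
docker cp ./master_server.conf splunkmaster:/opt/splunk/etc/system/local/
# Absolute path: do not depend on the image's working directory for the `cd`.
docker exec splunkmaster bash -c "cd /opt/splunk/etc/system/local && cat master_server.conf >> server.conf"
echo "Disable Indexing on Master"
docker cp ./search_head_outputs.conf splunkmaster:/opt/splunk/etc/system/local/
docker exec splunkmaster bash -c "cd /opt/splunk/etc/system/local && cat search_head_outputs.conf >> outputs.conf"
# Apply changes to cluster role and create master-apps directory
echo "Restarting Master"
docker exec splunkmaster entrypoint.sh splunk restart
wait_for_splunk_container splunkmaster
echo "Upload Test app"
TEST_APP="apps/TA-oasis-test.tgz"
if [[ -f "$TEST_APP" ]]; then
  # Feed the archive to tar inside the container via stdin (no `cat` pipe needed).
  docker exec -i splunkmaster tar Cxzf /opt/splunk/etc/master-apps/ - < "$TEST_APP"
else
  echo "Test app $TEST_APP not found, skipping upload." >&2
fi
echo "Fixing permissions"
docker exec splunkmaster chown -R splunk:splunk /opt/splunk/etc/master-apps/
echo "Applying Bundle"
docker exec splunkmaster entrypoint.sh splunk apply cluster-bundle --answer-yes -auth "$SPLUNK_ADMIN:$SPLUNK_ADMIN_PASSWORD"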
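#
# --- Create Search Heads
#
wait_for_splunk_container splunkmaster # Needed to further build the cluster
SH_LIST="" # Will hold the SH cluster member list, comma-prefixed (see bootstrap below)
for ((i = 1; i <= SH; i++)); do
  echo "Starting Search Head splunksh$i"
  docker run -d --net splunk \
    --hostname "splunksh$i" \
    --name "splunksh$i" \
    --publish 8000 \
    --env SPLUNK_START_ARGS=--accept-license \
    --env SPLUNK_CMD="add user $SPLUNK_ADMIN -password $SPLUNK_ADMIN_PASSWORD -role admin -auth admin:changeme" \
    --env SPLUNK_CMD_1="edit cluster-config -mode searchhead -master_uri https://splunkmaster:8089 -secret $IX_CLUSTER_KEY -auth $SPLUNK_ADMIN:$SPLUNK_ADMIN_PASSWORD" \
    --env SPLUNK_CMD_2="edit licenser-localslave -master_uri https://splunklicenseserver:8089 -auth $SPLUNK_ADMIN:$SPLUNK_ADMIN_PASSWORD" \
    splunk/splunk
  SH_LIST+=",https://splunksh$i:8089"
done
for ((i = 1; i <= SH; i++)); do
  wait_for_splunk_container "splunksh$i"
  echo "Disable Indexing on splunksh$i"
  docker cp ./search_head_outputs.conf "splunksh$i:/opt/splunk/etc/system/local/"
  # Absolute path: do not depend on the image's working directory for the `cd`.
  docker exec "splunksh$i" bash -c "cd /opt/splunk/etc/system/local && cat search_head_outputs.conf >> outputs.conf"
  echo "Preparing SH cluster membership"
  docker exec "splunksh$i" entrypoint.sh splunk init shcluster-config -mgmt_uri "https://splunksh$i:8089" -replication_port 9200 -secret "$SH_CLUSTER_KEY" -shcluster_label "$SH_CLUSTER_LABEL" -auth "$SPLUNK_ADMIN:$SPLUNK_ADMIN_PASSWORD"
  echo "Restarting splunksh$i"
  docker exec "splunksh$i" entrypoint.sh splunk restart
done
#
# Bootstrap SH cluster from splunksh1 using member list SH_LIST built during initialization, dropping the leading ","
#
echo "Waiting for SHC members to be online ..."
for ((i = 1; i <= SH; i++)); do
  echo ">splunksh$i"
  wait_for_splunk_container "splunksh$i"
done
echo "Bootstrapping SHC..."
docker exec splunksh1 entrypoint.sh splunk bootstrap shcluster-captain -servers_list "${SH_LIST#,}" -auth "$SPLUNK_ADMIN:$SPLUNK_ADMIN_PASSWORD"
# Fixed delay, presumably to let the new captain settle before the rolling
# restart; no readiness endpoint is polled for this step.
sleep 60
echo "Restarting SHC members..."
# Credentials passed explicitly for consistency with every other CLI call above.
docker exec splunksh1 entrypoint.sh splunk rolling-restart shcluster-members -auth "$SPLUNK_ADMIN:$SPLUNK_ADMIN_PASSWORD"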
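#
# --- Create Search Peers (indexing nodes)
#
wait_for_splunk_container splunkmaster # Needed to further build the cluster
for ((i = 1; i <= SP; i++)); do
  echo "Starting splunkpeer$i"
  docker run -d --net splunk \
    --hostname "splunkpeer$i" \
    --name "splunkpeer$i" \
    --publish 8000 \
    --env SPLUNK_START_ARGS=--accept-license \
    --env SPLUNK_ENABLE_LISTEN=9997 \
    --env SPLUNK_CMD="add user $SPLUNK_ADMIN -password $SPLUNK_ADMIN_PASSWORD -role admin -auth admin:changeme" \
    --env SPLUNK_CMD_1="edit licenser-localslave -master_uri https://splunklicenseserver:8089 -auth $SPLUNK_ADMIN:$SPLUNK_ADMIN_PASSWORD" \
    splunk/splunk
done
#
# Join each Peer to the indexer cluster, then restart to apply config changes
#
for ((i = 1; i <= SP; i++)); do
  wait_for_splunk_container "splunkpeer$i"
  docker exec "splunkpeer$i" entrypoint.sh splunk edit cluster-config -mode slave -master_uri https://splunkmaster:8089 -replication_port 9100 -secret "$IX_CLUSTER_KEY" -auth "$SPLUNK_ADMIN:$SPLUNK_ADMIN_PASSWORD"
  wait_for_splunk_container "splunkpeer$i"
  echo "Restarting splunkpeer$i"
  docker exec "splunkpeer$i" entrypoint.sh splunk restart
done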
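#
# ---- Forwarding tier
#
# --- Create Deployment Server
#
echo "Starting Deployment server for forwarders"
docker run -d --net splunk \
  --hostname splunkdeploymentserver \
  --name splunkdeploymentserver \
  --publish 8000 \
  --env SPLUNK_START_ARGS=--accept-license \
  --env SPLUNK_ENABLE_DEPLOY_SERVER=true \
  --env SPLUNK_CMD="add user $SPLUNK_ADMIN -password $SPLUNK_ADMIN_PASSWORD -role admin -auth admin:changeme" \
  splunk/splunk
wait_for_splunk_container splunkdeploymentserver
echo "Disable Indexing on Deployment server"
docker cp ./search_head_outputs.conf splunkdeploymentserver:/opt/splunk/etc/system/local/
# Absolute path: do not depend on the image's working directory for the `cd`.
docker exec splunkdeploymentserver bash -c "cd /opt/splunk/etc/system/local && cat search_head_outputs.conf >> outputs.conf"
echo "Upload Apps"
for app_archive in apps/*.tgz; do
  # Without nullglob an unmatched pattern is passed through literally; skip it.
  [[ -e "$app_archive" ]] || continue
  # Feed the archive to tar inside the container via stdin (no `cat` pipe needed).
  docker exec -i splunkdeploymentserver tar Cxzf /opt/splunk/etc/deployment-apps/ - < "$app_archive"
done
echo "Fixing permissions"
docker exec splunkdeploymentserver chown -R splunk:splunk /opt/splunk/etc/deployment-apps/
echo "Create serverclass.conf"
docker cp ./serverclass.conf splunkdeploymentserver:/opt/splunk/etc/system/local/serverclass.conf
echo "Restarting Deployment server"
docker exec splunkdeploymentserver entrypoint.sh splunk restart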
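#
# --- Create Universal and Heavy forwarders
#
for ((i = 1; i <= UF; i++)); do
  echo "Starting splunkuf$i"
  docker run -d --net splunk \
    --name "splunkuf$i" \
    --hostname "splunkuf$i" \
    --env SPLUNK_START_ARGS=--accept-license \
    --env SPLUNK_DEPLOYMENT_SERVER='splunkdeploymentserver:8089' \
    --env SPLUNK_CMD="add user $SPLUNK_ADMIN -password $SPLUNK_ADMIN_PASSWORD -role admin -auth admin:changeme" \
    splunk/universalforwarder
done
# The forwarder container publishes no port, so wait_for_splunk_container
# cannot poll it; fall back to a fixed delay, and only when forwarders exist.
if (( UF > 0 )); then
  sleep 30
fi
for ((i = 1; i <= UF; i++)); do
  echo "Enabling splunkuf$i for Indexer discovery"
  docker cp ./forwarder_outputs.conf "splunkuf$i:/opt/splunk/etc/system/local/outputs.conf"
  echo "Restarting splunkuf$i"
  docker exec "splunkuf$i" entrypoint.sh splunk restart
done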
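#
# Generate traffic with
# while true; do echo "$(date) Hello" >> /var/log/dpkg.log; sleep 10; done
#
# --- Heavy Forwarder
#
# Loop bound is HF (heavy forwarder count), not UF: the original iterated on
# UF, which only went unnoticed because both default to 0.
for ((i = 1; i <= HF; i++)); do
  echo "Starting splunkhf$i"
  docker run -d --net splunk \
    --hostname "splunkhf$i" \
    --name "splunkhf$i" \
    --publish 8000 \
    --env SPLUNK_START_ARGS=--accept-license \
    --env SPLUNK_DEPLOYMENT_SERVER='splunkdeploymentserver:8089' \
    --env SPLUNK_CMD="add user $SPLUNK_ADMIN -password $SPLUNK_ADMIN_PASSWORD -role admin -auth admin:changeme" \
    --env SPLUNK_CMD_1="enable app SplunkForwarder -auth $SPLUNK_ADMIN:$SPLUNK_ADMIN_PASSWORD" \
    --env SPLUNK_CMD_2="edit licenser-localslave -master_uri https://splunklicenseserver:8089 -auth $SPLUNK_ADMIN:$SPLUNK_ADMIN_PASSWORD" \
    splunk/splunk
done
for ((i = 1; i <= HF; i++)); do
  wait_for_splunk_container "splunkhf$i"
  echo "Enabling splunkhf$i for Indexer discovery"
  docker cp ./forwarder_outputs.conf "splunkhf$i:/opt/splunk/etc/system/local/outputs.conf"
  echo "Restarting splunkhf$i"
  docker exec "splunkhf$i" entrypoint.sh splunk restart
done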
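#
# Configure Licence Master to host the Monitoring Console
#
# Add cluster components
# NOTE: -remotePassword places the credential on the docker exec command line,
# where the process list can see it for the duration of each call.
docker exec splunklicenseserver entrypoint.sh splunk add search-server splunkmaster:8089 -remoteUsername "$SPLUNK_ADMIN" -remotePassword "$SPLUNK_ADMIN_PASSWORD" -auth "$SPLUNK_ADMIN:$SPLUNK_ADMIN_PASSWORD"
for ((i = 1; i <= SH; i++)); do
  docker exec splunklicenseserver entrypoint.sh splunk add search-server "splunksh$i:8089" -remoteUsername "$SPLUNK_ADMIN" -remotePassword "$SPLUNK_ADMIN_PASSWORD" -auth "$SPLUNK_ADMIN:$SPLUNK_ADMIN_PASSWORD"
done
docker exec splunklicenseserver entrypoint.sh splunk edit cluster-config -mode searchhead -master_uri https://splunkmaster:8089 -secret "$IX_CLUSTER_KEY" -auth "$SPLUNK_ADMIN:$SPLUNK_ADMIN_PASSWORD"
docker exec splunklicenseserver entrypoint.sh splunk restart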