Splunk® Data Stream Processor

Install and administer the Data Stream Processor

DSP 1.2.0 is impacted by the CVE-2021-44228 and CVE-2021-45046 security vulnerabilities from Apache Log4j. To fix these vulnerabilities, you must upgrade to DSP 1.2.4. See Upgrade the Splunk Data Stream Processor to 1.2.4 for upgrade instructions.

On October 30, 2022, all 1.2.x versions of the Splunk Data Stream Processor will reach their end of support date. See the Splunk Software Support Policy for details.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor. For documentation on the most recent version, go to the latest release.

Additional installation considerations

You might need to complete additional prerequisites before you can install DSP on your system. Which prerequisites apply depends on your system configuration.

Starting from DSP 1.1.0, Gravity loads and configures the required kernel modules for you as part of the installation process. However, if your environment includes automation that overrides these modules, you need to load the required kernel modules manually. For a list of required kernel modules, see Kernel Modules in the Gravitational documentation.

Load network bridge drivers

Depending on your operating system, you may need to load network bridge drivers.

  1. Check to see if network bridge drivers have been loaded on your operating system. If enabled, the output number should be 1.
    sysctl net.bridge.bridge-nf-call-iptables
    
    net.bridge.bridge-nf-call-iptables = 1
  2. If you receive the error message "sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory", you must add the br_netfilter kernel module to the k8s.conf file and load the module into the kernel before you can load the network bridge drivers.
    1. Add the br_netfilter kernel module to the configuration file.
      cat <<EOF > /etc/modules-load.d/k8s.conf
      br_netfilter
      EOF
    2. Load the br_netfilter kernel module.
      modprobe br_netfilter
  3. If the network bridge driver has not been loaded, run the following commands.
    1. Load network bridge drivers.
      sysctl -w net.bridge.bridge-nf-call-iptables=1
    2. Persist this setting.
      echo net.bridge.bridge-nf-call-iptables=1 >> /etc/sysctl.d/10-bridge-nf-call-iptables.conf

Increase inotify watches

When installing DSP on CentOS or Red Hat, you should increase inotify watches to 1048576.

  1. On each node, edit the /etc/sysctl.d/99-sysctl.conf file.
  2. Add the following line:
    fs.inotify.max_user_watches=1048576
  3. Save your changes.
  4. From the command-line of the controller node, type the following command:
    sysctl -p /etc/sysctl.d/99-sysctl.conf

Enable IPv4 Forwarding

Depending on your operating system, you may need to enable IPv4 Forwarding.

  1. (Optional) Check to see if IPv4 forwarding is enabled on your operating system by running the following command. If enabled, the output number should be 1.
    sysctl net.ipv4.ip_forward
    
    net.ipv4.ip_forward = 1
  2. Enable IPv4 forwarding.
    sysctl -w net.ipv4.ip_forward=1
  3. Save the IPv4 settings.
    1. (Optional) If you are using Ubuntu and you already have a sysctl.conf file, you can update the existing net.ipv4.ip_forward setting by opening the /etc/sysctl.conf file, and uncommenting the line that has the IPv4 setting. After you've enabled IPv4 forwarding, skip to step 4.
    2. Otherwise, run the following command:
      echo net.ipv4.ip_forward=1 >> /etc/sysctl.d/10-ipv4-forwarding-on.conf
  4. Load the sysctl settings:
    sysctl -p
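
The three procedures above (network bridge drivers, inotify watches, IPv4 forwarding) each end in a sysctl value, so one check can confirm all of them on a node. The following script is an added example, not part of the Splunk documentation; the function name check_sysctl, the status labels, and the sample output are constructed for illustration, and values higher than the ones on this page are treated as acceptable.

```shell
#!/bin/sh
# Added example (not Splunk's code): check the kernel settings from this page.
# Minimum values taken from the three procedures above.
REQUIRED="net.bridge.bridge-nf-call-iptables=1 net.ipv4.ip_forward=1 fs.inotify.max_user_watches=1048576"

# Constructed sample of `sysctl -a` output for a node where br_netfilter is
# not loaded (the bridge key is absent) and inotify watches were never raised.
SAMPLE_UNPREPARED="fs.inotify.max_user_watches = 8192
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0"

# check_sysctl: read "key = value" lines on stdin, print one status line per
# required key, and return 0 only if every key meets its minimum.
check_sysctl() {
    awk -v required="$REQUIRED" '
        BEGIN {
            n = split(required, req, " ")
            for (i = 1; i <= n; i++) {
                split(req[i], kv, "=")
                order[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        {
            pos = index($0, "=")              # split on the first "=" only
            if (pos == 0) next
            key = substr($0, 1, pos - 1); val = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)  # trim whitespace around both
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key in want) have[key] = val
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in have)) {
                    hint = (k ~ /^net\.bridge\./) ? " (br_netfilter not loaded?)" : ""
                    print "MISSING " k hint; bad = 1
                } else if (have[k] + 0 < want[k] + 0) {
                    print "LOW     " k " = " have[k] ", need " want[k]; bad = 1
                } else {
                    print "OK      " k " = " have[k]
                }
            }
            exit bad
        }'
}

# Live use on a node:  sysctl -a 2>/dev/null | check_sysctl
```

Running the check again after a reboot confirms that the values written under /etc/sysctl.d and /etc/modules-load.d actually persisted.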

Firewalld

If firewalld is enabled on the operating system, Kubernetes services might not be able to communicate under the default configuration. Run the following commands on each node in your cluster.

firewall-cmd --zone=trusted --add-source=10.244.0.0/16 --permanent # pod subnet
firewall-cmd --zone=trusted --add-source=10.100.0.0/16 --permanent # service subnet
firewall-cmd --zone=trusted --add-interface=eth0 --permanent   # enable eth0 in trusted zone so nodes can communicate
firewall-cmd --zone=trusted --add-masquerade --permanent       # masquerading so packets can be routed back
firewall-cmd --reload
systemctl restart firewalld
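
firewalld's trusted zone accepts all connections, so it is worth confirming that the zone ends up containing exactly what the commands above add and nothing else. The following audit is an added example, not part of the Splunk documentation; the function name audit_trusted_zone and the abbreviated sample listing are constructed, and eth0 is assumed only because it is the interface this page names.

```shell
#!/bin/sh
# Added example (not Splunk's code): audit the trusted zone after the commands above.
EXPECT_SOURCES="10.244.0.0/16 10.100.0.0/16"   # pod and service subnets from this page
EXPECT_IFACES="eth0"                            # interface named on this page

# Constructed, abbreviated sample of `firewall-cmd --zone=trusted --list-all`
# output in which an extra source was added and masquerading is still off.
SAMPLE_ZONE="trusted (active)
  target: ACCEPT
  interfaces: eth0
  sources: 10.244.0.0/16 10.100.0.0/16 192.0.2.0/24
  masquerade: no"

# audit_trusted_zone: read the zone listing on stdin; print MISSING for each
# expected entry that is absent and EXTRA for each entry this page did not
# ask for. Returns 0 only when the zone matches the page exactly.
audit_trusted_zone() {
    awk -v es="$EXPECT_SOURCES" -v ei="$EXPECT_IFACES" '
        function compare(label, expected, actual,    i, n, e, a, seen) {
            n = split(actual, a, " ")
            for (i = 1; i <= n; i++) seen[a[i]] = 1
            n = split(expected, e, " ")
            for (i = 1; i <= n; i++) {
                if (!(e[i] in seen)) { print "MISSING " label " " e[i]; bad = 1 }
                delete seen[e[i]]
            }
            for (i in seen) { print "EXTRA " label " " i; bad = 1 }
        }
        $1 == "interfaces:" { sub(/^[ \t]*interfaces:[ \t]*/, ""); ifaces = $0 }
        $1 == "sources:"    { sub(/^[ \t]*sources:[ \t]*/, "");    sources = $0 }
        $1 == "masquerade:" { masq = $2 }
        END {
            compare("source", es, sources)
            compare("interface", ei, ifaces)
            if (masq != "yes") { print "MISSING masquerade"; bad = 1 }
            exit bad + 0
        }'
}

# Live use on a node:  firewall-cmd --zone=trusted --list-all | audit_trusted_zone
```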

Install and set up bash-completion

Kubectl provides autocompletion support for bash. Depending on your Linux install configuration, you may need to install bash-completion. You can check if you have bash-completion already installed by running type _init_completion.

  1. Use your Linux distribution package manager to install bash-completion:
    • For Red Hat, CentOS, and Amazon Linux, type: yum install bash-completion.
    • For Ubuntu, type: apt-get install bash-completion.
  2. Verify that bash-completion is installed and configured: type _init_completion. If the command fails, edit your ~/.bashrc file and add: source /usr/share/bash-completion/bash_completion.
  3. Enable bash-completion in kubectl. There are two ways that this can be done:
    1. Source the kubectl bash-completion in your ~/.bashrc file: echo 'source <(kubectl completion bash)' >>~/.bashrc.
    2. Add the kubectl completion script to the /etc/bash_completion.d directory: kubectl completion bash >/etc/bash_completion.d/kubectl.
  4. Restart your bash session.

For more information, see Enabling shell autocompletion in the Kubernetes Install and Set Up kubectl manual.

Last modified on 13 January, 2023

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0, 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1

