diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
new file mode 100644
index 0000000000..f9756c10c1
--- /dev/null
+++ b/.github/workflows/docker.yml
@@ -0,0 +1,89 @@
+name: Check and publish Docker images
+
+on:
+ pull_request:
+ push:
+ branches: [master]
+ tags:
+ - 'v*'
+ - '!v*-dev'
+ - 'release'
+
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ env:
+ TEST_TAG: zeek:latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ submodules: "recursive"
+
+ # Create and boot a loader. This will e.g., provide caching
+ # so we avoid rebuilds of the same image after this step.
+ - uses: docker/setup-buildx-action@v1
+ - name: Build
+ uses: docker/build-push-action@v2
+ with:
+ context: ./
+ file: docker/Dockerfile
+ # Load and tag the image so it can be used by the test job below.
+ load: true
+ tags: ${{ env.TEST_TAG }}
+
+ - name: Run btests
+ run: make -C docker/btest
+
+ - name: Get version
+ id: version
+ run: echo "::set-output name=RELEASE_VERSION::$(cat VERSION)"
+ - name: Compute target tag
+ id: target
+ env:
+ RELEASE_VERSION: ${{ steps.version.outputs.RELEASE_VERSION }}
+ run: |
+ # Translate the Github reference into a tag name.
+ #
+ # - `release` tag maps to `zeek:latest`
+ # - `v*` tag (excluding `v*-dev` tags) maps to `zeek:RELEASE_VERSION`
+ # - `master` branch maps to `zeek-dev:latest`
+ #
+ # Any other refs are not published below.
+ if [ "${GITHUB_REF}" = "refs/tags/release" ]; then
+ echo "::set-output name=tag::zeek:latest"
+ elif [ "${GITHUB_REF}" = "refs/heads/master" ]; then
+ echo "::set-output name=tag::zeek-dev:latest"
+ elif [[ "${GITHUB_REF}" = refs/heads/v* ]] && [[ "${GITHUB_REF}" != refs/heads/v*-dev ]]; then
+ echo "::set-output name=tag::zeek:${RELEASE_VERSION}"
+ fi
+
+ - name: Login to DockerHub
+ uses: docker/login-action@v1
+ # Secrets for the login are not available for pull requests.
+ if: github.event_name == 'push'
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+ - name: Push
+ # Only publish if we did compute a tag.
+ if: github.event_name == 'push' && steps.target.outputs.tag != '' + uses: docker/build-push-action@v2 + with: + context: ./ + file: docker/Dockerfile + push: true + tags: | + zeekurity/${{ steps.target.outputs.tag}} + + - name: Preserve artifacts + uses: actions/upload-artifact@v2 + if: failure() + with: + name: docker-btest + path: docker/btest/.tmp + if-no-files-found: ignore diff --git a/CHANGES b/CHANGES index d4ea96decb..4c25ffa175 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,12 @@ +4.2.0-dev.218 | 2021-09-24 11:10:30 -0700 + + * Add a minimal containerized Docker environment (Benjamin Bannier, Corelight) + + This patch adds a minimal Zeek environment packaged as a container. + Since this is intended both as a base layer for other images and as a + quick way to explore Zeek we install only zeek and zkg as basic + functionality. + 4.2.0-dev.214 | 2021-09-24 10:31:34 -0700 * script simplification that removes an unnecessary &is_assigned (Vern Paxson, Corelight) diff --git a/NEWS b/NEWS index 2a49e0c8f3..b8d5c19561 100644 --- a/NEWS +++ b/NEWS 
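Review bot: The third branch of the `Compute target tag` script matches `refs/heads/v*`, but the trigger and the comment above it describe `v*` tags, which arrive as `refs/tags/v*`; since the only branch in the push trigger is `master`, no version tag appears able to produce a `tag` output, and the `Push` step is then skipped for releases. The condition should read `elif [[ "${GITHUB_REF}" = refs/tags/v* ]] && [[ "${GITHUB_REF}" != refs/tags/v*-dev ]]; then`. Separately, the job that receives `secrets.DOCKER_PASSWORD` references `actions/checkout@v2`, `docker/setup-buildx-action@v1`, `docker/build-push-action@v2` and `docker/login-action@v1` by movable tags and declares no `permissions:` block; pinning each `uses:` to a full commit SHA and adding `permissions:` with `contents: read` would narrow what a changed upstream action can reach. The `Push` step also runs a second build instead of pushing the image the btests ran against, so the published image matches the tested one only if the build cache is reused; that assumption deserves a comment on the step.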
@@ -9,6 +9,19 @@ Zeek 4.2.0 New Functionality ----------------- +- We now provide minimal official Docker images for the Zeek project via two + repositories on the Docker hub, ``zeekurity/zeek`` and ``zeekurity/zeek-dev``. + The former receives all Zeek release versions, with tag ``zeek:latest`` being + the most recent. An image corresponding to our latest merge into the master + branch is tagged at ``zeek-dev:latest``. + + The images run Debian and provide a full install of the Zeek distribution into + ``/usr/local/zeek``. They do not set Zeek-specific entrypoints or provide any + particular configuration for operationally running Zeek. To keep the images + lightweight they also do not contain a development toolchain as needed for + example to build a Zeek plugin. You can add any required system packages in a + derived image, or install them directly in the running container. + - Zeek now supports formatting the C++ code using clang-format. It requires at least clang-format 12.0.1 due to some additions that were made in that version to better support the Whitesmiths style. Zeek also includes a set of python diff --git a/VERSION b/VERSION index 93b21fca7a..e0eebfdbd7 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.2.0-dev.214 +4.2.0-dev.218 diff --git a/docker/Dockerfile b/docker/Dockerfile new file mode 100644 index 0000000000..4ee11c65d4 --- /dev/null +++ b/docker/Dockerfile 
@@ -0,0 +1,60 @@
+# See the file "COPYING" in the main distribution directory for copyright.
+
+# Layer to build Zeek.
+FROM debian:bullseye-slim AS build
+
+# Configure system for build.
+RUN apt-get -q update \
+ && apt-get install -q -y --no-install-recommends \
+ bind9 \
+ bison \
+ cmake \
+ flex \
+ g++ \
+ gcc \
+ libmaxminddb-dev \
+ libpcap-dev \
+ libssl-dev \
+ libz-dev \
+ make \
+ python3-minimal \
+ python3-dev \
+ swig \
+ ninja-build \
+ python3-pip \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+
+# Copy over the Zeek source tree.
+# NOTE: This assumes that we build in the context of the parent directory (the
+# Git checkout root). We e.g., ensure that in the `Makefile` in this directory.
+COPY . /src/zeek
+RUN make -C /src/zeek distclean
+
+WORKDIR /src/zeek
+RUN ./configure \
+ --generator=Ninja \
+ --build-type=Release \
+ && ninja -C build install
+
+# Final layer containing all artifacts.
+FROM debian:bullseye-slim AS final
+
+RUN apt-get -q update \
+ && apt-get install -q -y --no-install-recommends \
+ ca-certificates \
+ git \
+ libmaxminddb0 \
+ libpython3.7 \
+ libpcap0.8 \
+ libssl1.1 \
+ libz1 \
+ python3-minimal \
+ python3-git \
+ python3-semantic-version \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+
+# Copy over Zeek installation.
+COPY --from=build /usr/local/zeek /usr/local/zeek
+ENV PATH "/usr/local/zeek/bin:${PATH}"
diff --git a/docker/Makefile b/docker/Makefile
new file mode 100644
index 0000000000..696afc690d
--- /dev/null
+++ b/docker/Makefile
@@ -0,0 +1,12 @@
+# See the file "COPYING" in the main distribution directory for copyright.
+
+VERSION := $$(cat ../VERSION)
+
+.PHONY: all
+
+all:
+ @docker build -t zeek:$(VERSION) -f Dockerfile ..
+ @docker tag zeek:$(VERSION) zeek:latest
+
+test:
+ @TEST_TAG=zeek:$(VERSION) $(MAKE) -C btest
diff --git a/docker/README b/docker/README
new file mode 100644
index 0000000000..8d3280f161
--- /dev/null
+++ b/docker/README
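Review bot: The final stage hard-codes `libpython3.7`, while the build stage on the same `debian:bullseye-slim` base compiles against whatever the unversioned `python3-dev` provides; bullseye's default Python is 3.9 as far as I know, so the runtime library name looks stale and should be checked against what the installed binaries actually link to (likely `libpython3.9`). The final stage also sets no `USER`, so `docker run` sessions and derived images execute Zeek and `zkg install` as root by default; if that is intentional, a comment such as `# Runs as root by default; derived images should drop privileges where capture rights are not needed.` would make it explicit. Both `FROM` lines use the movable tag `debian:bullseye-slim`; for an image published under the project's name, pinning the base by digest and bumping it on a schedule keeps rebuilds reproducible and base changes reviewable.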
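Review bot: `test` neither depends on `all` nor appears in `.PHONY`, so `make test` exercises whatever `zeek:$(VERSION)` image is already in the local Docker store, which may be stale, and a file named `test` in this directory would suppress the target. Suggested: `.PHONY: all test` and, unless the decoupling is deliberate to avoid a long rebuild, `test: all`. `VERSION := $$(cat ../VERSION)` defers the `cat` to each recipe's shell and resolves only when make runs from `docker/`; `VERSION := $(shell cat ../VERSION)` would evaluate it once when the Makefile is read.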
@@ -0,0 +1,19 @@
+Container image for Zeek
+========================
+
+This directory contains a minimal container image for Zeek. This image is
+published automatically to [DockerHub](https://hub.docker.com/u/zeekurity) for
+releases and for commits on the `master` branch.
+
+- Images for release are published as
+ [`zeekurity/zeek`](https://hub.docker.com/r/zeekurity/zeek) with the `latest`
+ tag pointing to the latest release.
+- Development images for the `master` branch are published as
+ [`zeekurity/zeek-dev`](https://hub.docker.com/r/zeekurity/zeek-dev).
+
+
+To run the image execute e.g.,:
+
+ docker run -it zeekurity/zeek
+
+To build the image execute `make` from this directory.
diff --git a/docker/btest/.gitignore b/docker/btest/.gitignore
new file mode 100644
index 0000000000..5b0019848f
--- /dev/null
+++ b/docker/btest/.gitignore
@@ -0,0 +1,3 @@
+.tmp
+.btest.failed.dat
+diag.log
diff --git a/docker/btest/Baseline/docker.structure_tests/output b/docker/btest/Baseline/docker.structure_tests/output
new file mode 100644
index 0000000000..0c8a07377a
--- /dev/null
+++ b/docker/btest/Baseline/docker.structure_tests/output
@@ -0,0 +1,20 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+zeek version xxx
+XXX
+[sources]
+zeek = https://github.com/zeek/packages
+
+[paths]
+state_dir = /usr/local/zeek/var/lib/zkg
+script_dir = /usr/local/zeek/share/zeek/site
+plugin_dir = /usr/local/zeek/lib/zeek/plugins
+bin_dir = /usr/local/zeek/bin
+zeek_dist =
+
+[templates]
+default = https://github.com/zeek/package-template
+
+
+Installing "zeek/sethhall/domain-tld"
+Installed "zeek/sethhall/domain-tld" (XXX)
+Loaded "zeek/sethhall/domain-tld"
diff --git a/docker/btest/Makefile b/docker/btest/Makefile
new file mode 100644
index 0000000000..65d4d65c98
--- /dev/null
+++ b/docker/btest/Makefile
@@ -0,0 +1,11 @@
+DIAG=diag.log
+BTEST=../../auxil/btest/btest
+
+all: cleanup btest-verbose
+
+# Showing all tests.
+btest-verbose:
+ @$(BTEST) -d -j -f $(DIAG)
+
+cleanup:
+ @rm -f $(DIAG)
diff --git a/docker/btest/btest.cfg b/docker/btest/btest.cfg
new file mode 100644
index 0000000000..69b30b9184
--- /dev/null
+++ b/docker/btest/btest.cfg
@@ -0,0 +1,13 @@
+[btest]
+TestDirs = docker
+TmpDir = %(testbase)s/.tmp
+BaselineDir = %(testbase)s/Baseline
+IgnoreDirs = .tmp
+IgnoreFiles = *.tmp *.swp #* *.trace .DS_Store
+MinVersion = 0.63
+
+[environment]
+LC_ALL=C
+PATH=%(testbase)s/../../auxil/btest:%(default_path)s
+TEST_IMAGE=${TEST_TAG:-zeek:latest}
+TZ=UTC
diff --git a/docker/btest/docker/structure_tests.sh b/docker/btest/docker/structure_tests.sh
new file mode 100644
index 0000000000..cb6cd2e6f0
--- /dev/null
+++ b/docker/btest/docker/structure_tests.sh
@@ -0,0 +1,20 @@
+# @TEST-REQUIRES: docker inspect ${TEST_TAG:-zeek:latest}
+# @TEST-EXEC: bash -euxo pipefail %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+TEST_TAG=${TEST_TAG:-zeek:latest}
+
+# Check that `zeek` can be run.
+docker run --rm "${TEST_TAG}" zeek -v | sed 's/\(zeek version\) .*/\1 xxx/'
+
+# Check that this is a release build.
+docker run --rm "${TEST_TAG}" zeek-config --build_type | grep -q 'release'
+
+# Check that `btest` can be run.
+docker run --rm "${TEST_TAG}" btest --version | sed 's/^[0-9].*/XXX/g'
+
+# Check that the zkg config looks valid.
+docker run --rm "${TEST_TAG}" zkg config
+
+# Check that a plugin can be installed. We pick any plugin with minimal deps here.
+docker run --rm "${TEST_TAG}" zkg install --force sethhall/domain-tld | sed 's/(.*)/(XXX)/'
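Review bot: `TEST_IMAGE=${TEST_TAG:-zeek:latest}` in `[environment]` is never read, because `structure_tests.sh` uses `TEST_TAG` throughout and recomputes the same default itself. The `${…:-…}` form is shell syntax while the other values in this file use `%(name)s` interpolation, so the line may not even expand as written; that is worth confirming against btest's config handling. Either remove the line or have the script consume `TEST_IMAGE`, so the default image name lives in one place.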
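Review bot: `@TEST-REQUIRES: docker inspect ${TEST_TAG:-zeek:latest}` turns a missing image into a skipped test instead of a failure, so a tag mismatch between the CI build step and this script would let the workflow go on to publish an image that no check ever ran against. In CI the image's presence should be a hard precondition: drop the `@TEST-REQUIRES` line, or have the workflow run `docker inspect "${TEST_TAG}"` as its own step before the btests. The last check installs `sethhall/domain-tld` from the network at whatever revision is current, which ties the baseline to the state of a third-party repository; pinning that package to a specific version or commit would keep the test deterministic.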