Merge branch 'topic/bbannier/issue-1625'

* topic/bbannier/issue-1625:
  Switch published container image to debian:bullseye-slim
  Test container with BTest instead of container-structure-tests
  Add a minimal containerized environment

.github/workflows/docker.yml

@@ -0,0 +1,89 @@
+name: Check and publish Docker images
+
+on:
+  pull_request:
+  push:
+    branches: [master]
+    tags:
+      - 'v*'
+      - '!v*-dev'
+      - 'release'
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    env:
+      TEST_TAG: zeek:latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          submodules: "recursive"
+
+      # Create and boot a loader. This will e.g., provide caching
+      # so we avoid rebuilds of the same image after this step.
+      - uses: docker/setup-buildx-action@v1
+      - name: Build
+        uses: docker/build-push-action@v2
+        with:
+          context: ./
+          file: docker/Dockerfile
+          # Load and tag the image so it can be used by the test job below.
+          load: true
+          tags: ${{ env.TEST_TAG }}
+
+      - name: Run btests
+        run: make -C docker/btest
+
+      - name: Get version
+        id: version
+        run: echo "::set-output name=RELEASE_VERSION::$(cat VERSION)"
+      - name: Compute target tag
+        id: target
+        env:
+          RELEASE_VERSION: ${{ steps.version.outputs.RELEASE_VERSION }}
+        run: |
+          # Translate the Github reference into a tag name.
+          #
+          # - `release` tag maps to `zeek:latest`
+          # - `v*` tag (excluding `v*-dev` tags) maps to `zeek:RELEASE_VERSION`
+          # - `master` branch maps to `zeek-dev:latest`
+          #
+          # Any other refs are not published below.
+          if [ "${GITHUB_REF}" = "refs/tags/release" ]; then
+            echo "::set-output name=tag::zeek:latest"
+          elif [ "${GITHUB_REF}" = "refs/heads/master" ]; then
+            echo "::set-output name=tag::zeek-dev:latest"
+          elif [[ "${GITHUB_REF}" = refs/heads/v* ]] && [[ "${GITHUB_REF}" != refs/heads/v*-dev ]]; then
+            echo "::set-output name=tag::zeek:${RELEASE_VERSION}"
+          fi
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        # Secrets for the login are not available for pull requests.
+        if: github.event_name == 'push'
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Push
+        # Only publish if we did compute a tag.
+        if: github.event_name == 'push' && steps.target.outputs.tag != ''
+        uses: docker/build-push-action@v2
+        with:
+          context: ./
+          file: docker/Dockerfile
+          push: true
+          tags: |
+            zeekurity/${{ steps.target.outputs.tag}}
+
+      - name: Preserve artifacts
+        uses: actions/upload-artifact@v2
+        if: failure()
+        with:
+          name: docker-btest
+          path: docker/btest/.tmp
+          if-no-files-found: ignore

CHANGES

@@ -1,3 +1,12 @@
+4.2.0-dev.218 | 2021-09-24 11:10:30 -0700
+
+  * Add a minimal containerized Docker environment (Benjamin Bannier, Corelight)
+
+    This patch adds a minimal Zeek environment packaged as a container.
+    Since this is intended both as a base layer for other images and as a
+    quick way to explore Zeek we install only zeek and zkg as basic
+    functionality.
+
 4.2.0-dev.214 | 2021-09-24 10:31:34 -0700
 
   * script simplification that removes an unnecessary &is_assigned (Vern Paxson, Corelight)

NEWS

@@ -9,6 +9,19 @@ Zeek 4.2.0
 New Functionality
 -----------------
 
+- We now provide minimal official Docker images for the Zeek project via two
+  repositories on the Docker hub, ``zeekurity/zeek`` and ``zeekurity/zeek-dev``.
+  The former receives all Zeek release versions, with tag ``zeek:latest`` being
+  the most recent. An image corresponding to our latest merge into the master
+  branch is tagged at ``zeek-dev:latest``.
+
+  The images run Debian and provide a full install of the Zeek distribution into
+  ``/usr/local/zeek``. They do not set Zeek-specific entrypoints or provide any
+  particular configuration for operationally running Zeek. To keep the images
+  lightweight they also do not contain a development toolchain as needed for
+  example to build a Zeek plugin. You can add any required system packages in a
+  derived image, or install them directly in the running container.
+
 - Zeek now supports formatting the C++ code using clang-format. It requires at
   least clang-format 12.0.1 due to some additions that were made in that version
   to better support the Whitesmiths style. Zeek also includes a set of python

VERSION

@@ -1 +1 @@
-4.2.0-dev.214
+4.2.0-dev.218

docker/Dockerfile

@@ -0,0 +1,60 @@
+# See the file "COPYING" in the main distribution directory for copyright.
+
+# Layer to build Zeek.
+FROM debian:bullseye-slim AS build
+
+# Configure system for build.
+RUN apt-get -q update \
+ && apt-get install -q -y --no-install-recommends \
+     bind9 \
+     bison \
+     cmake \
+     flex \
+     g++ \
+     gcc \
+     libmaxminddb-dev \
+     libpcap-dev \
+     libssl-dev \
+     libz-dev \
+     make \
+     python3-minimal \
+     python3-dev \
+     swig \
+     ninja-build \
+     python3-pip \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+
+# Copy over the Zeek source tree.
+# NOTE: This assumes that we build in the context of the parent directory (the
+# Git checkout root). We e.g., ensure that in the `Makefile` in this directory.
+COPY . /src/zeek
+RUN make -C /src/zeek distclean
+
+WORKDIR /src/zeek
+RUN ./configure \
+     --generator=Ninja \
+     --build-type=Release \
+ && ninja -C build install
+
+# Final layer containing all artifacts.
+FROM debian:bullseye-slim AS final
+
+RUN apt-get -q update \
+ && apt-get install -q -y --no-install-recommends \
+     ca-certificates \
+     git \
+     libmaxminddb0 \
+     libpython3.7 \
+     libpcap0.8 \
+     libssl1.1 \
+     libz1 \
+     python3-minimal \
+     python3-git \
+     python3-semantic-version \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+
+# Copy over Zeek installation.
+COPY --from=build /usr/local/zeek /usr/local/zeek
+ENV PATH "/usr/local/zeek/bin:${PATH}"

docker/Makefile

@@ -0,0 +1,12 @@
+# See the file "COPYING" in the main distribution directory for copyright.
+
+VERSION := $$(cat ../VERSION)
+
+.PHONY: all
+
+all:
+	@docker build -t zeek:$(VERSION) -f Dockerfile ..
+	@docker tag zeek:$(VERSION) zeek:latest
+
+test:
+	@TEST_TAG=zeek:$(VERSION) $(MAKE) -C btest

docker/README

@@ -0,0 +1,19 @@
+Container image for Zeek
+========================
+
+This directory contains a minimal container image for Zeek. This image is
+published automatically to [DockerHub](https://hub.docker.com/u/zeekurity) for
+releases and for commits on the `master` branch.
+
+- Images for release are published as
+  [`zeekurity/zeek`](https://hub.docker.com/r/zeekurity/zeek) with the `latest`
+  tag pointing to the latest release.
+- Development images for the `master` branch are published as
+  [`zeekurity/zeek-dev`](https://hub.docker.com/r/zeekurity/zeek-dev).
+
+
+To run the image execute e.g.,:
+
+    docker run -it zeekurity/zeek
+
+To build the image execute `make` from this directory.

docker/btest/.gitignore

@@ -0,0 +1,3 @@
+.tmp
+.btest.failed.dat
+diag.log

docker/btest/Baseline/docker.structure_tests/output

@@ -0,0 +1,20 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+zeek version xxx
+XXX
+[sources]
+zeek = https://github.com/zeek/packages
+
+[paths]
+state_dir = /usr/local/zeek/var/lib/zkg
+script_dir = /usr/local/zeek/share/zeek/site
+plugin_dir = /usr/local/zeek/lib/zeek/plugins
+bin_dir = /usr/local/zeek/bin
+zeek_dist = 
+
+[templates]
+default = https://github.com/zeek/package-template
+
+
+Installing "zeek/sethhall/domain-tld"
+Installed "zeek/sethhall/domain-tld" (XXX)
+Loaded "zeek/sethhall/domain-tld"

docker/btest/Makefile

@@ -0,0 +1,11 @@
+DIAG=diag.log
+BTEST=../../auxil/btest/btest
+
+all: cleanup btest-verbose
+
+# Showing all tests.
+btest-verbose:
+	@$(BTEST) -d -j -f $(DIAG)
+
+cleanup:
+	@rm -f $(DIAG)

docker/btest/btest.cfg

@@ -0,0 +1,13 @@
+[btest]
+TestDirs    = docker
+TmpDir      = %(testbase)s/.tmp
+BaselineDir = %(testbase)s/Baseline
+IgnoreDirs  = .tmp
+IgnoreFiles = *.tmp *.swp #* *.trace .DS_Store
+MinVersion  = 0.63
+
+[environment]
+LC_ALL=C
+PATH=%(testbase)s/../../auxil/btest:%(default_path)s
+TEST_IMAGE=${TEST_TAG:-zeek:latest}
+TZ=UTC

docker/btest/docker/structure_tests.sh

@@ -0,0 +1,20 @@
+# @TEST-REQUIRES: docker inspect ${TEST_TAG:-zeek:latest}
+# @TEST-EXEC: bash -euxo pipefail %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+TEST_TAG=${TEST_TAG:-zeek:latest}
+
+# Check that `zeek` can be run.
+docker run --rm "${TEST_TAG}" zeek -v | sed 's/\(zeek version\) .*/\1 xxx/'
+
+# Check that this is a release build.
+docker run --rm "${TEST_TAG}" zeek-config --build_type | grep -q 'release'
+
+# Check that `btest` can be run.
+docker run --rm "${TEST_TAG}" btest --version | sed 's/^[0-9].*/XXX/g'
+
+# Check that the zkg config looks valid.
+docker run --rm "${TEST_TAG}" zkg config
+
+# Check that a plugin can be installed. We pick any plugin with minimal deps here.
+docker run --rm "${TEST_TAG}" zkg install --force sethhall/domain-tld | sed 's/(.*)/(XXX)/'