Merge remote-tracking branch 'origin/topic/christian/release-6.0-ci-updates' into release/6.0

* origin/topic/christian/release-6.0-ci-updates:
  CI: Remove unused openssl30_config
  ci: Remove ZEEK_CI_DISABLE_SCRIPT_PROFILING logic
  CI: Move Debian variations from 11 to 12
  CI: Add Ubuntu 23.10
  CI: Drop openSUSE Leap 15.4, about to EOL.
  CI: FreeBSD 14 is out now, 12 is about to EOL.
  CI: distro EOL comment tweaks
  CI: drop Fedora 37, add Fedora 39
  CI: Install missing packages on opensuse
  CI: Use other base64 options on macOS Sonoma too
  CI: Add macOS Sonoma build, remove macOS Monterey build
  Fix tests so they work both with GNU and BSD tools
  Install libmaxminddb in macOS CI
  CI: Pass -A flag to btest for cluster-testing builds
  CI: Add more logging during docker builds
  CI: disable Spicy on CentOS 7
  CI: Disable spicy on arm_debian11 and opensuse_leap_15_4 builds
  CI: Remove sanitizers resource template
  Enable ccache-backed Spicy JIT for users of developer scripts.
  Add OpenSUSE Leap 15.5 to ci
Tim Wojtulewicz 2024-01-18 16:25:03 -07:00
commit cd5dbe3a9c
16 changed files with 305 additions and 108 deletions


@ -11,11 +11,11 @@ btest_retries: &BTEST_RETRIES 2
memory: &MEMORY 16GB
config: &CONFIG --build-type=release --disable-broker-tests --prefix=$CIRRUS_WORKING_DIR/install --ccache
no_spicy_config: &NO_SPICY_CONFIG --build-type=release --disable-broker-tests --disable-spicy --prefix=$CIRRUS_WORKING_DIR/install --ccache
static_config: &STATIC_CONFIG --build-type=release --disable-broker-tests --enable-static-broker --enable-static-binpac --prefix=$CIRRUS_WORKING_DIR/install --ccache
asan_sanitizer_config: &ASAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=address --enable-fuzzers --enable-coverage --disable-spicy --ccache
ubsan_sanitizer_config: &UBSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=undefined --enable-fuzzers --disable-spicy --ccache
tsan_sanitizer_config: &TSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=thread --enable-fuzzers --disable-spicy --ccache
openssl30_config: &OPENSSL30_CONFIG --build-type=release --disable-broker-tests --with-openssl=/opt/openssl --prefix=$CIRRUS_WORKING_DIR/install --ccache
resources_template: &RESOURCES_TEMPLATE
cpu: *CPUS
@ -44,13 +44,6 @@ freebsd_environment: &FREEBSD_ENVIRONMENT
ZEEK_CI_CPUS: 8
ZEEK_CI_BTEST_JOBS: 8
sanitizers_resource_template: &SANITIZERS_RESOURCE_TEMPLATE
cpu: 4
# Sanitizers uses a lot more memory than a typical config.
memory: 12GB
# For greediness, see https://medium.com/cirruslabs/introducing-greedy-container-instances-29aad06dc2b4
greedy: true
builds_only_if_template: &BUILDS_ONLY_IF_TEMPLATE
# Rules for skipping builds:
# - Do not run builds for anything that's cron triggered
@ -159,25 +152,22 @@ env:
# a solution for the mtime pruning above.
ZEEK_CCACHE_EPOCH: 2
# Cache Spicy JIT results.
HILTI_CXX_COMPILER_LAUNCHER: ccache
# Linux EOL timelines: https://linuxlifecycle.com/
# Fedora (~13 months): https://fedoraproject.org/wiki/Fedora_Release_Life_Cycle
fedora39_task:
container:
# Fedora 39 EOL: Around Nov 2024
dockerfile: ci/fedora-39/Dockerfile
<< : *RESOURCES_TEMPLATE
<< : *CI_TEMPLATE
fedora38_task:
container:
# Fedora 38 EOL: Around May 2024
dockerfile: ci/fedora-38/Dockerfile
<< : *RESOURCES_TEMPLATE
<< : *CI_TEMPLATE
fedora37_task:
container:
# Fedora 37 EOL: Around Dec 2024
dockerfile: ci/fedora-37/Dockerfile
<< : *RESOURCES_TEMPLATE
<< : *CI_TEMPLATE
<< : *SKIP_TASK_ON_PR
centosstream9_task:
@ -202,14 +192,35 @@ centos7_task:
<< : *RESOURCES_TEMPLATE
<< : *CI_TEMPLATE
<< : *SKIP_TASK_ON_PR
env:
ZEEK_CI_CONFIGURE_FLAGS: *NO_SPICY_CONFIG
debian12_task:
container:
# Debian 12 (bookworm) EOL: (not yet released)
# Debian 12 (bookworm) EOL: TBD
dockerfile: ci/debian-12/Dockerfile
<< : *RESOURCES_TEMPLATE
<< : *CI_TEMPLATE
arm_debian12_task:
arm_container:
# Debian 12 (bookworm) EOL: TBD
dockerfile: ci/debian-12/Dockerfile
<< : *RESOURCES_TEMPLATE
<< : *CI_TEMPLATE
env:
ZEEK_CI_CONFIGURE_FLAGS: *NO_SPICY_CONFIG
debian12_static_task:
container:
# Just use a recent/common distro to run a static compile test.
# Debian 12 (bookworm) EOL: TBD
dockerfile: ci/debian-12/Dockerfile
<< : *RESOURCES_TEMPLATE
<< : *CI_TEMPLATE
<< : *SKIP_TASK_ON_PR
env:
ZEEK_CI_CONFIGURE_FLAGS: *STATIC_CONFIG
debian11_task:
container:
@ -217,24 +228,7 @@ debian11_task:
dockerfile: ci/debian-11/Dockerfile
<< : *RESOURCES_TEMPLATE
<< : *CI_TEMPLATE
arm_debian11_task:
arm_container:
# Debian 11 EOL: June 2026
dockerfile: ci/debian-11/Dockerfile
<< : *RESOURCES_TEMPLATE
<< : *CI_TEMPLATE
debian11_static_task:
container:
# Just use a recent/common distro to run a static compile test.
# Debian 11 EOL: June 2026
dockerfile: ci/debian-11/Dockerfile
<< : *RESOURCES_TEMPLATE
<< : *CI_TEMPLATE
<< : *SKIP_TASK_ON_PR
env:
ZEEK_CI_CONFIGURE_FLAGS: *STATIC_CONFIG
debian10_task:
container:
@ -243,10 +237,10 @@ debian10_task:
<< : *RESOURCES_TEMPLATE
<< : *CI_TEMPLATE
opensuse_leap_15_4_task:
opensuse_leap_15_5_task:
container:
# Opensuse Leap 15.4 EOL: ~Nov 2023
dockerfile: ci/opensuse-leap-15.4/Dockerfile
# Opensuse Leap 15.5 EOL: ~Dec 2024
dockerfile: ci/opensuse-leap-15.5/Dockerfile
<< : *RESOURCES_TEMPLATE
<< : *CI_TEMPLATE
@ -259,6 +253,13 @@ opensuse_tumbleweed_task:
<< : *CI_TEMPLATE
# << : *SKIP_TASK_ON_PR
ubuntu23_task:
container:
# Ubuntu 23.10 EOL: July 2024
dockerfile: ci/ubuntu-23.10/Dockerfile
<< : *RESOURCES_TEMPLATE
<< : *CI_TEMPLATE
ubuntu22_task:
container:
# Ubuntu 22.04 EOL: April 2027
@ -298,6 +299,13 @@ alpine_task:
# Apple doesn't publish official long-term support timelines.
# We aim to support both the current and previous macOS release.
macos_sonoma_task:
macos_instance:
image: ghcr.io/cirruslabs/macos-sonoma-base:latest
prepare_script: ./ci/macos/prepare.sh
<< : *CI_TEMPLATE
<< : *MACOS_ENVIRONMENT
macos_ventura_task:
macos_instance:
image: ghcr.io/cirruslabs/macos-ventura-base:latest
@ -305,21 +313,11 @@ macos_ventura_task:
<< : *CI_TEMPLATE
<< : *MACOS_ENVIRONMENT
macos_monterey_task:
macos_instance:
image: ghcr.io/cirruslabs/macos-monterey-base:latest
prepare_script: ./ci/macos/prepare.sh
<< : *CI_TEMPLATE
<< : *MACOS_ENVIRONMENT
<< : *SKIP_TASK_ON_PR
# FreeBSD EOL timelines: https://www.freebsd.org/security/#sup
freebsd14_task:
freebsd_instance:
# We don't support FreeBSD 14 yet, this is a purely informative task
image_family: freebsd-14-0-snap
allow_failures: true
skip_notification: true
# FreeBSD 14 EOL: Nov 30 2028
image_family: freebsd-14-0
<< : *FREEBSD_RESOURCES_TEMPLATE
prepare_script: ./ci/freebsd/prepare.sh
@ -341,7 +339,7 @@ asan_sanitizer_task:
container:
# Just uses a recent/common distro to run memory error/leak checks.
dockerfile: ci/ubuntu-20.04/Dockerfile
<< : *SANITIZERS_RESOURCE_TEMPLATE
<< : *RESOURCES_TEMPLATE
<< : *CI_TEMPLATE
test_fuzzers_script: ./ci/test-fuzzers.sh
@ -349,14 +347,13 @@ asan_sanitizer_task:
env:
CXXFLAGS: -DZEEK_DICT_DEBUG
ZEEK_CI_CONFIGURE_FLAGS: *ASAN_SANITIZER_CONFIG
ZEEK_CI_DISABLE_SCRIPT_PROFILING: 1
ASAN_OPTIONS: detect_leaks=1
ubsan_sanitizer_task:
container:
# Just uses a recent/common distro to run undefined behavior checks.
dockerfile: ci/ubuntu-20.04/Dockerfile
<< : *SANITIZERS_RESOURCE_TEMPLATE
<< : *RESOURCES_TEMPLATE
<< : *CI_TEMPLATE
<< : *SKIP_TASK_ON_PR
@ -364,7 +361,6 @@ ubsan_sanitizer_task:
env:
CXXFLAGS: -DZEEK_DICT_DEBUG
ZEEK_CI_CONFIGURE_FLAGS: *UBSAN_SANITIZER_CONFIG
ZEEK_CI_DISABLE_SCRIPT_PROFILING: 1
ZEEK_TAILORED_UB_CHECKS: 1
UBSAN_OPTIONS: print_stacktrace=1
@ -372,7 +368,7 @@ ubsan_sanitizer_task:
# container:
# # Just uses a recent/common distro to run memory error/leak checks.
# dockerfile: ci/ubuntu-22.04/Dockerfile
# << : *SANITIZERS_RESOURCE_TEMPLATE
# << : *RESOURCES_TEMPLATE
# << : *CI_TEMPLATE
# << : *SKIP_TASK_ON_PR
@ -432,6 +428,7 @@ docker_build_template: &DOCKER_BUILD_TEMPLATE
CIRRUS_LOG_TIMESTAMP: true
BUILDER_IMAGE_CACHE_DIR: /tmp/builder-image-cache
ZEEK_IMAGE_CACHE_DIR: /tmp/zeek-image-cache-${CIRRUS_ARCH}
BUILDKIT_PROGRESS: plain
always:
ccache_cache:
@ -630,7 +627,7 @@ cluster_testing_docker_builder:
test_script:
# Invoke btest directly here. This mirrors ci/test.sh, ensures we don't
# accidentally build a Docker image, and enables console-level output:
- cd testing/external/zeek-testing-cluster && ../../../auxil/btest/btest -d -b -j ${ZEEK_CI_BTEST_JOBS}
- cd testing/external/zeek-testing-cluster && ../../../auxil/btest/btest -A -d -b -j ${ZEEK_CI_BTEST_JOBS}
on_failure:
upload_cluster_testing_artifacts:
path: "testing/external/zeek-testing-cluster/.tmp/**"
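Review bot: The new `macos_sonoma_task` pulls `ghcr.io/cirruslabs/macos-sonoma-base:latest`, a mutable tag, so the toolchain this task runs on can change between builds without any change in this repository. That matches the existing `macos_ventura_task`, but the macOS tasks also decode `ZEEK_TESTING_PRIVATE_SSH_KEY` (see the external-repo clone script later in this commit), so whatever the registry serves under that tag runs with access to that key. If the image publisher offers dated tags or digests, consider pinning to one of those, e.g. `image: ghcr.io/cirruslabs/macos-sonoma-base@sha256:<digest>`. Otherwise add a comment such as `# Unpinned on purpose: tracks the current Sonoma base image` so the trade-off is recorded.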

131
CHANGES

@ -1,3 +1,134 @@
6.0.2-42 | 2024-01-18 16:25:03 -0700
* CI: Remove unused openssl30_config (Tim Wojtulewicz, Corelight)
(cherry picked from commit 652ba502aab843574402ec53aa0a6561b21253f3)
* ci: Remove ZEEK_CI_DISABLE_SCRIPT_PROFILING logic (Arne Welzel, Corelight)
To my knowledge this doesn't make a huge difference anymore and locally
I'm only using ASAN builds. It's not actually too slow.
(cherry picked from commit 344369f169b872b8dcb569f089b02e026fe7cfc2)
* CI: Move Debian variations from 11 to 12 (Christian Kreibich, Corelight)
This switches the ARM and static builds from 11 to 12. x86 and ARM now build by
default, and 11 only with fullci. 10 remains as-is, because we like to torture
ourselves.
(cherry picked from commit 4f6c25bb91b935666b6748b95c2b6ee55c1491ad)
* CI: Add Ubuntu 23.10 (Christian Kreibich, Corelight)
(cherry picked from commit 866d4b4127ccfd8904f8867b468babd330dd6d52)
* CI: Drop openSUSE Leap 15.4, about to EOL. (Christian Kreibich, Corelight)
(cherry picked from commit ddd56b9ad7171a9f8ee3de03bc362223f2fad0fc)
* CI: FreeBSD 14 is out now, 12 is about to EOL. (Christian Kreibich, Corelight)
(cherry picked from commit 18b8e6d6bceb4492d842d9bacbd3ad9dfbdd7702)
* CI: distro EOL comment tweaks (Christian Kreibich, Corelight)
(cherry picked from commit eb1c4bf019f6a39f1d76de717eee1b34cdc50378)
* CI: drop Fedora 37, add Fedora 39 (Christian Kreibich, Corelight)
This makes 39 the ony to run at all times, and 38 one to run only with fullci.
(cherry picked from commit ee8cc77050e39aea18f2da144dc8108110bb42dc)
* CI: Install missing packages on opensuse (Tim Wojtulewicz, Corelight)
(cherry picked from commit a3ad1a24f11770d5b8c39af1671beb5d2b4c65b2)
* CI: Use other base64 options on macOS Sonoma too (Tim Wojtulewicz, Corelight)
(cherry picked from commit b1e63ffd268cdb2cd28098a0a8578a3038be8fd4)
* CI: Add macOS Sonoma build, remove macOS Monterey build (Tim Wojtulewicz, Corelight)
(cherry picked from commit 35ca1e88c7f1398c37bcbc4e20700a2aff2c4169)
* Fix tests so they work both with GNU and BSD tools (Benjamin Bannier, Corelight)
The GNU and BSD versions of `touch` and `truncate` allow slightly
different arguments, change the tests so they work in both versions.
(cherry picked from commit caaffd0324ac0557ba4c5ce0290d07a4d013a735)
* Install libmaxminddb in macOS CI (Benjamin Bannier, Corelight)
(cherry picked from commit dfba2d6df707840cabf822d70354f9e2e635b863)
* CI: Pass -A flag to btest for cluster-testing builds (Tim Wojtulewicz, Corelight)
(cherry picked from commit ac7685c679cdb6d61768ac20449175eaaaacc34c)
* CI: Add more logging during docker builds (Tim Wojtulewicz, Corelight)
(cherry picked from commit 3d1380305beaf2e48e22444a285e1f64e4d120d0)
* CI: disable Spicy on CentOS 7 (Christian Kreibich, Corelight)
Based on 1774a25f0079076851232a81247a320ddc31b705 in master, which mainly
touched QUIC configuration that does not apply here just yet, hence not a
cherry-pick.
* CI: Disable spicy on arm_debian11 and opensuse_leap_15_4 builds (Tim Wojtulewicz, Corelight)
These two builds are struggling to complete due to OOM issues. Reducing the
number of CPUs didn't help, so this temporarily disables Spicy from
building on those hosts to reduce the memory usage.
(cherry picked from commit bbf7f34cdc532da4a8fcdc72b8b12afa4f0fdd9c)
* CI: Remove sanitizers resource template (Tim Wojtulewicz, Corelight)
This template was added when the sanitizer builds needed more memory than all
of the other builds. We've since increased the amount of memory that the other
builds use beyond what's requested in this template, so it doesn't make sense
to keep it around.
(cherry picked from commit 4c6c89d8636b249041bdaabbaaaa7b83154295b6)
* Enable ccache-backed Spicy JIT for users of developer scripts. (Benjamin Bannier, Corelight)
For CI and more general BTest execution we already enabled ccache
previously, but developers using a Spicy build out of the build
directory still needed to manually set up caching.
With this patch we enable it for such cases as well via
`zeek-path-dev.*sh`.
(cherry picked from commit e624c7500e442ed3b4595435019c46c69f57eac8)
* Add OpenSUSE Leap 15.5 to ci (Johanna Amann, Corelight)
This also adds 15.4 to the list of distributions that are skipped by
default - let me know if this is not a good idea. I assume that by now
most people will be running 15.5 (15.4 will be EOL in ~3 months).
(cherry picked from commit 4ad2a6ab9a015595e643b572ae27756f038c77dc)
* Run clang-format on the branch to fix some issues from patch merges (Tim Wojtulewicz, Corelight)
* Enable darwin builds for zeek-security repo (Tim Wojtulewicz, Corelight)
(cherry picked from commit c4edd8410e7bd863e5ff528dcc321758103f678d)
* OCSP: Open-code unknown revoke reason strings (Arne Welzel, Corelight)
OpenSSL 3.2.0 knows about more reasons. Add some backwards compatibility.
Reference: https://github.com/openssl/openssl/commit/1c8a7f5091e2c5aebc043be86bcbedc6947e1c6f
(cherry picked from commit 02d00a19849d15f472b32a98a8fee27b20f2cb14)
* Revert update to scripts.base.protocols.ssl.ocsp-revoked btest baseline (Tim Wojtulewicz)
6.0.2-15 | 2024-01-12 13:33:19 -0700
* Bump Spicy to latest LTS release. (Benjamin Bannier, Corelight)


@ -525,7 +525,16 @@ file(
"setenv HILTI_CXX_INCLUDE_DIRS \"`${cmake_binary_dir}/hilti-cxx-include-dirs`\"\n"
"setenv ZEEK_SPICY_LIBRARY_PATH \"${cmake_source_dir}/scripts/spicy\"\n")
if (CMAKE_CXX_COMPILER_LAUNCHER)
file(APPEND ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev.sh
"export HILTI_CXX_COMPILER_LAUNCHER=${CMAKE_CXX_COMPILER_LAUNCHER}\n")
file(APPEND ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev.csh
"setenv HILTI_CXX_COMPILER_LAUNCHER=${CMAKE_CXX_COMPILER_LAUNCHER}\n")
endif ()
file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/VERSION" VERSION LIMIT_COUNT 1)
execute_process(
COMMAND grep "^constexpr int PLUGIN_API_VERSION"
INPUT_FILE ${CMAKE_CURRENT_SOURCE_DIR}/src/plugin/Plugin.h
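Review bot: The line appended to `zeek-path-dev.csh` uses `setenv HILTI_CXX_COMPILER_LAUNCHER=${CMAKE_CXX_COMPILER_LAUNCHER}`, but csh's `setenv` takes the name and value as separate words, as the `setenv` lines just above it do. With the `NAME=value` form csh does not set `HILTI_CXX_COMPILER_LAUNCHER`, so csh users sourcing the file do not get the launcher. Both appended lines also write the value unquoted, so a launcher path containing spaces, or a CMake list value, would be split or misparsed by the shell. Suggested: `"setenv HILTI_CXX_COMPILER_LAUNCHER \"${CMAKE_CXX_COMPILER_LAUNCHER}\"\n"` and `"export HILTI_CXX_COMPILER_LAUNCHER=\"${CMAKE_CXX_COMPILER_LAUNCHER}\"\n"`. The `execute_process` call at the end of the hunk continues outside it.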


@ -1 +1 @@
6.0.2-15
6.0.2-42


@ -1,8 +1,8 @@
FROM fedora:37
FROM fedora:39
# A version field to invalidate Cirrus's build cache when needed, as suggested in
# https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
ENV DOCKERFILE_VERSION 20230816
ENV DOCKERFILE_VERSION 20231208
RUN dnf -y install \
bison \


@ -51,8 +51,8 @@ if [[ -n "${CIRRUS_CI}" ]] && [[ "${CIRRUS_REPO_OWNER}" == "zeek" ]] && [[ ! -d
banner "Trying to clone zeek-testing-private git repo"
echo "${ZEEK_TESTING_PRIVATE_SSH_KEY}" >cirrus_key.b64
if [ "${CIRRUS_TASK_NAME}" == "macos_ventura" ]; then
# The base64 command provided with macOS Ventura requires an argument
if [ "${CIRRUS_TASK_NAME}" == "macos_ventura" -o "${CIRRUS_TASK_NAME}" == "macos_sonoma" ]; then
# The base64 command provided with macOS Ventura/Sonoma requires an argument
# to pass the input filename
base64 -d -i cirrus_key.b64 >cirrus_key
else
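Review bot: The new condition joins two string tests with `-o` inside `[ ... ]`, which POSIX marks as obsolescent and which can parse ambiguously. The enclosing `if` in this script already uses `[[ ... ]]`, so the same form fits here: `if [[ "${CIRRUS_TASK_NAME}" == "macos_ventura" || "${CIRRUS_TASK_NAME}" == "macos_sonoma" ]]; then`. Matching on task names also means any future macOS task silently takes the `else` branch until it is added here; a short comment saying so next to the condition would help whoever adds that task. The `if`/`else` block continues past the end of the hunk.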


@ -7,7 +7,7 @@ set -x
brew update
brew upgrade cmake
brew install openssl@3 swig bison flex ccache
brew install openssl@3 swig bison flex ccache libmaxminddb
python3 -m pip install --user websockets
# Brew doesn't create the /opt/homebrew/opt/openssl symlink if you install


@ -1,10 +1,10 @@
FROM opensuse/leap:15.4
FROM opensuse/leap:15.5
# A version field to invalidate Cirrus's build cache when needed, as suggested in
# https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
ENV DOCKERFILE_VERSION 20230816
ENV DOCKERFILE_VERSION 20230905
RUN zypper addrepo https://download.opensuse.org/repositories/openSUSE:Leap:15.4:Update/standard/openSUSE:Leap:15.4:Update.repo \
RUN zypper addrepo https://download.opensuse.org/repositories/openSUSE:Leap:15.5:Update/standard/openSUSE:Leap:15.5:Update.repo \
&& zypper refresh \
&& zypper in -y \
bison \
@ -12,23 +12,28 @@ RUN zypper addrepo https://download.opensuse.org/repositories/openSUSE:Leap:15.4
cmake \
curl \
flex \
gcc10 \
gcc10-c++ \
gcc12 \
gcc12-c++ \
git \
gzip \
libopenssl-devel \
libpcap-devel \
make \
python3 \
python3-devel \
python3-pip \
openssh \
python311 \
python311-devel \
python311-pip \
swig \
tar \
which \
zlib-devel \
&& rm -rf /var/cache/zypp
RUN update-alternatives --install /usr/bin/pip3 pip3 /usr/bin/pip3.11 100
RUN update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.11 100
RUN update-alternatives --install /usr/bin/python3-config python3-config /usr/bin/python3.11-config 100
RUN pip3 install websockets junit2html
RUN update-alternatives --install /usr/bin/cc cc /usr/bin/gcc-10 100
RUN update-alternatives --install /usr/bin/c++ c++ /usr/bin/g++-10 100
RUN update-alternatives --install /usr/bin/cc cc /usr/bin/gcc-12 100
RUN update-alternatives --install /usr/bin/c++ c++ /usr/bin/g++-12 100
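Review bot: `RUN pip3 install websockets junit2html` installs whatever versions PyPI serves when the image is built, with no version pin, so a rebuild triggered by bumping `DOCKERFILE_VERSION` can change the Python code running in CI. The same applies to `pip3 install --break-system-packages junit2html` in the openSUSE Tumbleweed and Ubuntu 23.10 Dockerfiles in this commit. Consider pinning, e.g. `RUN pip3 install websockets==<version> junit2html==<version>`. Those two images now take `websockets` from the distro package; if a matching package for the Python 3.11 interpreter selected here exists on Leap 15.5, using it would leave only `junit2html` to come from PyPI.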


@ -25,9 +25,11 @@ RUN zypper refresh \
libopenssl-devel \
libpcap-devel \
make \
openssh \
python3 \
python3-devel \
python3-pip \
python3-websockets \
swig \
tar \
util-linux \
@ -35,4 +37,4 @@ RUN zypper refresh \
zlib-devel \
&& rm -rf /var/cache/zypp
RUN pip3 install --break-system-packages websockets junit2html
RUN pip3 install --break-system-packages junit2html


@ -59,13 +59,6 @@ function run_btests {
pushd testing/btest
# Commenting out this line in btest.cfg causes the script profiling/coverage
# to be disabled. We do this for the sanitizer build right now because of a
# fairly significant performance bug when running tests.
if [ "${ZEEK_CI_DISABLE_SCRIPT_PROFILING}" = "1" ]; then
sed -i 's/^ZEEK_PROFILER_FILE/#ZEEK_PROFILER_FILE/g' btest.cfg
fi
${BTEST} -z ${ZEEK_CI_BTEST_RETRIES} -d -A -x btest-results.xml -j ${ZEEK_CI_BTEST_JOBS} || result=1
make coverage
prep_artifacts
@ -74,15 +67,6 @@ function run_btests {
}
function run_external_btests {
# Commenting out this line in btest.cfg causes the script profiling/coverage
# to be disabled. We do this for the sanitizer build right now because of a
# fairly significant performance bug when running tests.
if [ "${ZEEK_CI_DISABLE_SCRIPT_PROFILING}" = "1" ]; then
pushd testing/external
sed -i 's/^ZEEK_PROFILER_FILE/#ZEEK_PROFILER_FILE/g' subdir-btest.cfg
popd
fi
local zeek_testing_pid=""
local zeek_testing_pid_private=""
pushd testing/external/zeek-testing


@ -0,0 +1,38 @@
FROM ubuntu:23.10
ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"
# A version field to invalidate Cirrus's build cache when needed, as suggested in
# https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
ENV DOCKERFILE_VERSION 20230828
RUN apt-get update && apt-get -y install \
bc \
bison \
bsdmainutils \
ccache \
cmake \
curl \
flex \
g++ \
gcc \
git \
libkrb5-dev \
libmaxminddb-dev \
libpcap-dev \
libssl-dev \
make \
python3 \
python3-dev \
python3-pip \
python3-websockets \
ruby \
sqlite3 \
swig \
unzip \
wget \
zlib1g-dev \
&& apt autoclean \
&& rm -rf /var/lib/apt/lists/*
RUN pip3 install --break-system-packages junit2html


@ -3,6 +3,11 @@
# Layer to build Zeek.
FROM debian:bookworm-slim
# Make the shell split commands in the log so we can determine reasons for
# failures more easily.
SHELL ["/bin/sh", "-x", "-c"]
# Allow apt to retry 3 times before failing.
RUN echo 'Acquire::Retries "3";' > /etc/apt/apt.conf.d/80-retries
# Configure system for build.
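Review bot: `SHELL ["/bin/sh", "-x", "-c"]` makes every later `RUN` command appear in the build log after variable expansion, so any credential passed into a `RUN` line through `ARG` or `ENV` would be printed there. None is visible in this hunk, and the same `SHELL` line is added to the final-layer Dockerfile in this commit. The added comment should warn about this, for example `# NOTE: -x echoes expanded commands into the build log; never reference secrets in RUN lines.` The new shell also still lacks `-e`, so a failing command in the middle of a `;`-separated `RUN` chain is traced but does not stop the build; only `&&`-chained steps do.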


@ -3,6 +3,11 @@
# Final layer containing all artifacts.
FROM debian:bookworm-slim
# Make the shell split commands in the log so we can determine reasons for
# failures more easily.
SHELL ["/bin/sh", "-x", "-c"]
# Allow apt to retry 3 times before failing.
RUN echo 'Acquire::Retries "3";' > /etc/apt/apt.conf.d/80-retries
RUN apt-get -q update \


@ -3,15 +3,15 @@ ts level message location
1299470395.000000 Reporter::INFO Modification time change detected for MaxMind DB [.<...>/GeoLite2-ASN.mmdb] <params>, line 1
1299470395.000000 Reporter::INFO Closing stale MaxMind DB [.<...>/GeoLite2-ASN.mmdb] <params>, line 1
1299470395.000000 Reporter::INFO Failed to open MaxMind DB: .<...>/GeoLite2-ASN.mmdb [The MaxMind DB file contains invalid metadata] <params>, line 1
1299470395.000000 Reporter::ERROR Failed to open GeoIP ASN database (lookup_autonomous_system(128.3.0.1)) <...>/temporary-error.zeek, line 83
1299470395.000000 Reporter::ERROR Failed to open GeoIP ASN database (lookup_autonomous_system(128.3.0.1)) <...>/temporary-error.zeek, line 98
1299470395.000000 Reporter::INFO Modification time change detected for MaxMind DB [.<...>/GeoLite2-City.mmdb] <params>, line 1
1299470395.000000 Reporter::INFO Closing stale MaxMind DB [.<...>/GeoLite2-City.mmdb] <params>, line 1
1299470395.000000 Reporter::INFO Failed to open MaxMind DB: .<...>/GeoLite2-City.mmdb [The MaxMind DB file contains invalid metadata] <params>, line 1
1299470395.000000 Reporter::ERROR Failed to open GeoIP location database (lookup_location(128.3.0.1)) <...>/temporary-error.zeek, line 84
1299470395.000000 Reporter::ERROR Failed to open GeoIP location database (lookup_location(128.3.0.1)) <...>/temporary-error.zeek, line 99
1299473995.000000 Reporter::INFO Closing stale MaxMind DB [.<...>/GeoLite2-ASN.mmdb] <params>, line 1
1299473995.000000 Reporter::ERROR Failed to open GeoIP ASN database (lookup_autonomous_system(128.3.0.1)) <...>/temporary-error.zeek, line 83
1299473995.000000 Reporter::ERROR Failed to open GeoIP ASN database (lookup_autonomous_system(128.3.0.1)) <...>/temporary-error.zeek, line 98
1299473995.000000 Reporter::INFO Closing stale MaxMind DB [.<...>/GeoLite2-City.mmdb] <params>, line 1
1299473995.000000 Reporter::ERROR Failed to open GeoIP location database (lookup_location(128.3.0.1)) <...>/temporary-error.zeek, line 84
1299473995.000000 Reporter::ERROR Failed to open GeoIP location database (lookup_location(128.3.0.1)) <...>/temporary-error.zeek, line 99
1299477595.000000 Reporter::INFO Inode change detected for MaxMind DB [.<...>/GeoLite2-ASN.mmdb] <params>, line 1
1299477595.000000 Reporter::INFO Closing stale MaxMind DB [.<...>/GeoLite2-ASN.mmdb] <params>, line 1
1299477595.000000 Reporter::INFO Inode change detected for MaxMind DB [.<...>/GeoLite2-City.mmdb] <params>, line 1


@ -14,17 +14,23 @@ redef mmdb_dir = "./mmdb";
global pkt = 0;
function timestamp(n: count): string
{
return fmt("2020-01-01T00:%s:00", n);
}
event new_packet(c: connection, p: pkt_hdr)
{
++pkt;
# Set MMDB's modification time to current network time.
# Increment MMDB's modification time.
local asn_fn = safe_shell_quote(mmdb_dir + "/GeoLite2-ASN.mmdb");
local city_fn = safe_shell_quote(mmdb_dir + "/GeoLite2-City.mmdb");
if ( ! piped_exec(fmt("touch -d @%s %s", network_time(), asn_fn), "") )
if ( ! piped_exec(fmt("touch -d %s %s", timestamp(pkt), asn_fn), "") )
exit(1);
if ( ! piped_exec(fmt("touch -d @%s %s", network_time(), city_fn), "") )
if ( ! piped_exec(fmt("touch -d %s %s", timestamp(pkt), city_fn), "") )
exit(1);
print network_time(), pkt, 128.3.0.1, "asn", lookup_autonomous_system(128.3.0.1);
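Review bot: The new `timestamp()` helper places `n` directly into the minutes field of `2020-01-01T00:%s:00`, so it only yields a valid time while `n` is below 60, and the minute is not zero-padded for `n` under 10. Whether the stricter BSD `touch -d` parser accepts a one-digit minute is worth confirming on the macOS and FreeBSD tasks. The identical helper is added to the second MMDB test in this commit. Add a comment above both copies, e.g. `# Valid only for n < 60 (n is used as the minute); touch -d interprets the result in local time.` The `new_packet` handler continues past the end of the hunk.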


@ -15,16 +15,31 @@ redef mmdb_dir = "./mmdb";
global pkt = 0;
global asn_fn = safe_shell_quote(mmdb_dir + "/GeoLite2-ASN.mmdb");
global city_fn = safe_shell_quote(mmdb_dir + "/GeoLite2-City.mmdb");
global asn_fn_backup = safe_shell_quote(mmdb_dir + "-backup/GeoLite2-ASN.mmdb");
global city_fn_backup = safe_shell_quote(mmdb_dir + "-backup/GeoLite2-City.mmdb");
function timestamp(n: count): string
{
return fmt("2020-01-01T00:%s:00", n);
}
event zeek_init()
{
# Set the initial modification time for the MMDBs.
for ( db in vector(asn_fn, city_fn, asn_fn_backup, city_fn_backup) )
{
if ( ! piped_exec(fmt("test -f %s && touch -d %s %s", db, timestamp(pkt), db), "") )
exit(1);
}
}
event new_packet(c: connection, p: pkt_hdr)
{
++pkt;
local asn_fn = safe_shell_quote(mmdb_dir + "/GeoLite2-ASN.mmdb");
local city_fn = safe_shell_quote(mmdb_dir + "/GeoLite2-City.mmdb");
local asn_fn_backup = safe_shell_quote(mmdb_dir + "-backup/GeoLite2-ASN.mmdb");
local city_fn_backup = safe_shell_quote(mmdb_dir + "-backup/GeoLite2-City.mmdb");
if ( pkt == 1 )
{
print "start";
@ -32,10 +47,10 @@ event new_packet(c: connection, p: pkt_hdr)
if ( pkt == 2 )
{
print "corrupting db";
if ( ! piped_exec(fmt("truncate --size=8 %s", asn_fn), "") )
if ( ! piped_exec(fmt("truncate -s 8 %s", asn_fn), "") )
exit(1);
if ( ! piped_exec(fmt("truncate --size=8 %s", city_fn), "") )
if ( ! piped_exec(fmt("truncate -s 8 %s", city_fn), "") )
exit(1);
}
else if ( pkt == 4 )
@ -73,11 +88,11 @@ event new_packet(c: connection, p: pkt_hdr)
exit(1);
}
# Set MMDB's modification time to current network time for predictability.
if ( ! piped_exec(fmt("test -f %s && touch -d @%s %s", asn_fn, network_time(), asn_fn), "") )
# Increment MMDB's modification time.
if ( ! piped_exec(fmt("test -f %s && touch -d %s %s", asn_fn, timestamp(pkt), asn_fn), "") )
exit(1);
if ( ! piped_exec(fmt("test -f %s && touch -d @%s %s", city_fn, network_time(), city_fn), "") )
if ( ! piped_exec(fmt("test -f %s && touch -d %s %s", city_fn, timestamp(pkt), city_fn), "") )
exit(1);
print network_time(), pkt, 128.3.0.1, "asn", lookup_autonomous_system(128.3.0.1);