blacktop / docker-zeek

Zeek IDS Dockerfile
MIT License

Enabling the broctl fails the build #3

Closed lbpan closed 5 years ago

lbpan commented 5 years ago

I am trying to build this docker image by removing the --disable-broctl option in configure because I want the broctl functionality in my container. I am getting the following error:

-- Found SubnetTree: build from source aux/pysubnettree
CMake Error at aux/broctl/cmake/InstallShellScript.cmake:44 (message):
  Absolute path to interpreter 'bash' not found, failed to configure shell
  script: /tmp/zeek/aux/broctl/bin/archive-log
Call Stack (most recent call first):
  aux/broctl/CMakeLists.txt:88 (InstallShellScript)

Please let me know how to build the docker image with broctl.

blacktop commented 5 years ago

Seems like you need to add bash to the apk add --no-cache line; Alpine by default only ships with /bin/sh to keep it as small as possible.

blacktop commented 5 years ago

Please let me know if you get it working. I don't use broctl, but have always wanted to allow for clustered deployments.

lbpan commented 5 years ago

I got the broctl to run (with bro 2.5). I had to install python inside the container. The logs are being generated and captured, but broctl reports the status as crashed. The same thing happened with another docker bro image based on Alpine. Is it an Alpine issue?

blacktop commented 5 years ago

Have you seen it work on an Ubuntu-based docker image?

blacktop commented 5 years ago

Can you give me more info on how you are running it? Are you trying it as a cluster? Or just as a single node?

lbpan commented 5 years ago

I am running as a single node. I am running the image as follows:

docker run -d --net=host blacktop/docker-bro -i ens33 -C
docker exec -it /bin/bash

I ran broctl from bash in the container. The status shows as crashed. The same thing happened with dpisano/docker-bro, which is also Alpine based. Broctl reports status as crashed, but the logs are being generated and the bro process is running. However, broctl reports correctly on the image I built based on Ubuntu. But the size of the image I built is unwieldily big. Trying to optimize that size.

blacktop commented 5 years ago

Did you ever figure this out?

blacktop commented 5 years ago

Also, can you try again with this image, because I know the Zeek team has been making a LOT of updates to master.

blacktop commented 5 years ago

I think this is because I compile WITHOUT broctl by default:

--disable-broctl \

This is to make the default zeek image as small as possible.

blacktop commented 5 years ago

I am adding a 🆕 flavor called broctl that should do what you want.