zeek / zeek-docker

Docker files for building Zeek.

Building Zeek from Dockerfile error #20

Closed ghost closed 3 years ago

ghost commented 3 years ago

Hi team,

You are doing a wicked job. I am trying to build the Zeek from Dockerfile but I am failing doing this. I have a MAC OS and planning to use Zeek from Docker. I need to install it directly in Docker without downloading it from Github and install it from my Github.


 => ERROR [builder 6/7] ADD ./common/buildbro /scratch/common/buildbro                                                                          0.0s
 => CACHED [builder 7/7] RUN /scratch/common/buildbro bro 2.6                                                                                   0.0s
 => CACHED [stage-2 3/6] COPY --from=builder /usr/local/bro-2.6 /usr/local/bro-2.6                                                              0.0s
 => CACHED [geogetter 2/4] RUN apt-get update && apt-get -y install wget ca-certificates --no-install-recommends                                0.0s
 => ERROR [geogetter 3/4] ADD ./common/getmmdb.sh /usr/local/bin/getmmdb.sh                                                                     0.0s
 => CACHED [geogetter 4/4] RUN /usr/local/bin/getmmdb.sh                                                                                        0.0s
 => CACHED [stage-2 4/6] COPY --from=geogetter /usr/share/GeoIP/* /usr/share/GeoIP/                                                             0.0s
 => CACHED [stage-2 5/6] RUN ln -s /usr/local/bro-2.6 /bro                                                                                      0.0s
 => ERROR [stage-2 6/6] ADD ./common/bro_profile.sh /etc/profile.d/bro.sh                                                                       0.0s
------
 > [builder 6/7] ADD ./common/buildbro /scratch/common/buildbro:
------
------
 > [geogetter 3/4] ADD ./common/getmmdb.sh /usr/local/bin/getmmdb.sh:
------
------
 > [stage-2 6/6] ADD ./common/bro_profile.sh /etc/profile.d/bro.sh:
------
failed to compute cache key: failed to walk /var/lib/docker/tmp/buildkit-mount291340364/common: lstat /var/lib/docker/tmp/buildkit-mount291340364/common: no such file or directory
ERROR: Service 'zeek' failed to build

Can you please advise which is the correct image to use for directly installing it from Docker?

Thank you!

Kisses99 commented 3 years ago

Have you tried docker build --no-cache?


ghost commented 3 years ago

Am running it from docker-compose as I plan to use it with ELK.

zeek:
    depends_on:
      - filebeat
    container_name: zeek
    build: ./zeek
    volumes:
      - ./pcap:/pcap
      - ./zeek/local.zeek:/usr/local/zeek/share/zeek/site/local.zeek
    networks:
      - elastic 

The Dockerfile is in my zeek folder

ghost commented 3 years ago

I got the same error with docker build --no-cache .

JustinAzoff commented 3 years ago

You are using the 2.6.Dockerfile for bro 2.6 for some reason. You should be using https://github.com/zeek/zeek-docker/blob/master/Dockerfile and using --build-arg ZEEK_VER=4.0.0 or whatever to build the version you want.

ghost commented 3 years ago

I did as you said.

docker build --build-arg ZEEK_VER=4.0.0 -t zeek_test .

 => CANCELED [stage-2 2/8] RUN apt-get update     && apt-get -y install --no-install-recommends libpcap0.8 libssl1.1 libmaxminddb0 pyt  1.3s
 => CACHED [builder 2/9] RUN mkdir /scratch                                                                                             0.0s
 => CACHED [builder 3/9] WORKDIR /scratch                                                                                               0.0s
 => CACHED [builder 4/9] RUN apt-get update && apt-get upgrade -y && echo 2010-05-15                                                    0.0s
 => CACHED [builder 5/9] RUN apt-get -y install build-essential git bison flex gawk cmake swig libssl-dev libmaxminddb-dev libpcap-dev  0.0s
 => ERROR [builder 6/9] ADD ./common/buildbro /scratch/common/buildbro                                                                  0.0s
 => CACHED [builder 7/9] RUN /scratch/common/buildbro zeek 4.0.0 Release                                                                0.0s
 => ERROR [builder 8/9] ADD ./common/getmmdb.sh /usr/local/getmmdb.sh                                                                   0.0s
 => ERROR [builder 9/9] ADD ./common/bro_profile.sh /usr/local/bro_profile.sh                                                           0.0s
------
 > [builder 6/9] ADD ./common/buildbro /scratch/common/buildbro:
------
------
 > [builder 8/9] ADD ./common/getmmdb.sh /usr/local/getmmdb.sh:
------
------
 > [builder 9/9] ADD ./common/bro_profile.sh /usr/local/bro_profile.sh:
------
failed to compute cache key: "/common/buildbro" not found: not found

JustinAzoff commented 3 years ago

that kind of looks like your docker install is having issues. Is that the only thing it outputs? Looks like that is using the new buildkit stuff.

docker build --progress=plain ... might show more useful output, and DOCKER_BUILDKIT=0 docker build ... might work better

ghost commented 3 years ago

Hi guys,

with all the respect, it doesn't work. I still have errors while trying to build it on a docker-compose file. Changed the OS to Ubuntu and still get the same error while running the build from docker-compose or simply Docker.

JustinAzoff commented 3 years ago

ok, same as before: docker build --progress=plain ... might show more useful output, and DOCKER_BUILDKIT=0 docker build ... might work better.

The Dockerfile works fine on all the systems I have. It's possible that something is broken on the latest version of docker, but it's not clear what that is from that output since it's building it in parallel and using the compact output.

Also not sure why you need to build it. You can just use the image at broplatform/bro:4.0.0 (which will be under zeek as soon as I do the migration)

$ docker run -t -i --rm broplatform/bro:4.0.0 zeek --version
zeek version 4.0.0

ghost commented 3 years ago

Thank you! Works like this. But why can't run correctly on docker-compose.yml?

zeek:
    depends_on:
      - filebeat
    image: 'broplatform/bro:${BRO}'
    container_name: zeek_new
    volumes:
      - ./pcap:/pcap
      - ./zeek/local.zeek:/usr/local/zeek/share/zeek/site/local.zeek
    networks:
      - elastic

JustinAzoff commented 3 years ago

the container doesn't do anything by default.. so without being told to listen on an interface or read a pcap, it's just going to exit immediately.

ghost commented 3 years ago

Thank you Justin! What command should I run then?

JustinAzoff commented 3 years ago

well.. what are you trying to do exactly? I see you are mounting a pcap volume into the container. Does that contain a pcap you are trying to read? If so, you'd set the command to something like zeek local -r /pcap/whatever.pcap. You probably would need to adjust some things so that the logs end up where filebeat is looking for them.
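
The `ADD ./common/...` failures in the build logs above say that those paths could not be found in the build context that Docker was given. The following pre-build check is an added example, not code from this thread or from the zeek-docker project; it assumes the Dockerfile was copied into a folder on its own (as with `build: ./zeek`), and the function names and sample Dockerfile are constructed for illustration.

```shell
#!/bin/sh
# Added example: print ADD/COPY sources that are absent from the build context.
# Handles single-line shell-form instructions; JSON-array form, line
# continuations and wildcard sources are skipped rather than interpreted.
missing_sources() (
    dockerfile=$1 context=$2
    set -f                                   # keep '*' in tokens literal
    while read -r instr rest || [ -n "$instr" ]; do
        case $instr in
            ADD|add|COPY|copy) ;;
            *) continue ;;
        esac
        from_stage=0 srcs= last=
        for tok in $rest; do
            case $tok in
                --from=*) from_stage=1 ;;    # source is another stage, not the context
                --*) ;;                      # other flags such as --chown=
                *) srcs="$srcs $last"; last=$tok ;;   # final token is the destination
            esac
        done
        [ "$from_stage" -eq 1 ] && continue
        for src in $srcs; do
            case $src in
                http://*|https://*|*[*?]*) continue ;;   # URLs and globs: not checked
            esac
            [ -e "$context/${src#./}" ] || printf '%s\n' "$src"
        done
    done < "$dockerfile"
    return 0
)

# Constructed sample: the three ADD lines are taken from the build log in this
# thread; the FROM and COPY lines are placeholders to make a complete file.
make_sample_context() {
    dir=$(mktemp -d)
    cat > "$dir/Dockerfile" <<'EOF'
FROM debian:buster AS builder
ADD ./common/buildbro /scratch/common/buildbro
ADD ./common/getmmdb.sh /usr/local/getmmdb.sh
ADD ./common/bro_profile.sh /usr/local/bro_profile.sh
FROM debian:buster
COPY --from=builder /usr/local/zeek /usr/local/zeek
EOF
    printf '%s\n' "$dir"
}

ctx=$(make_sample_context)          # context with a Dockerfile but no common/
missing_sources "$ctx/Dockerfile" "$ctx"
rm -rf "$ctx"
```

Any path it prints has to exist under the directory passed as the build context (the `build:` path in docker-compose) before `docker build` can succeed.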