feat: full-stack Docker Compose integration tests

- 4-container stack: ClickHouse, platform (Rocky 9), bot-detector, dashboard
- Platform builds sentinel on Rocky (CGO+libpcap native), correlator static
- mod-reqin-log compiled with apxs on Rocky (matching RPM build target)
- ClickHouse init script patches credentials for test env (sed-based)
- 8-phase test runner: schema, traffic gen, pipeline, dashboard API, bot-detector, sentinel
- All 13 checks pass, 3 non-blocking warnings (empty dicts, log paths)

SQL schema fixes discovered during integration:
- 02_dictionaries: IPv6CIDR → String (not a valid ClickHouse type)
- 03_anubis_tables: dict_anubis_ua missing has_ip/rule_id/category attrs
- 03_anubis_tables: dict_anubis_country FLAT() → COMPLEX_KEY_HASHED() (String key)
- 09_audit_table: CODEC before DEFAULT → DEFAULT before CODEC

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
97
tests/integration/platform/Dockerfile
Normal file
@ -0,0 +1,97 @@
|
||||
# =============================================================================
|
||||
# Platform container — Rocky Linux 9
|
||||
# Runs: Apache (HTTPS) + mod-reqin-log + sentinel + correlator
|
||||
#
|
||||
# Multi-stage:
|
||||
# 1. go-builder — compile correlator (static, no CGO) on golang image
|
||||
# 2. platform — Rocky Linux 9: builds sentinel (CGO+libpcap), mod-reqin-log,
|
||||
# installs Apache, runs everything
|
||||
#
|
||||
# sentinel is compiled on Rocky so it links against the same libpcap as runtime.
|
||||
# This mirrors RPM packaging where build and target are the same distro.
|
||||
# =============================================================================
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Stage 1: Build correlator (static binary, no CGO — distro-independent)
|
||||
# ---------------------------------------------------------------------------
|
||||
FROM golang:1.24 AS go-builder
|
||||
|
||||
WORKDIR /src
|
||||
COPY go.work go.work.sum* ./
|
||||
COPY shared/go/ja4common/ shared/go/ja4common/
|
||||
COPY services/correlator/ services/correlator/
|
||||
COPY services/sentinel/ services/sentinel/
|
||||
|
||||
RUN cd services/correlator && \
|
||||
CGO_ENABLED=0 go build -ldflags="-s -w" -o /out/correlator ./cmd/logcorrelator
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Stage 2: Rocky Linux 9 — build sentinel + mod-reqin-log, then run everything
|
||||
# ---------------------------------------------------------------------------
|
||||
FROM rockylinux:9
|
||||
|
||||
# Install build deps + runtime deps
|
||||
RUN dnf install -y --allowerasing \
|
||||
httpd httpd-devel mod_ssl \
|
||||
apr-devel apr-util-devel \
|
||||
gcc make redhat-rpm-config \
|
||||
libpcap \
|
||||
golang \
|
||||
procps-ng curl \
|
||||
&& dnf install -y --enablerepo=crb libpcap-devel \
|
||||
&& dnf clean all
|
||||
|
||||
# -- Build sentinel on Rocky (CGO + libpcap from Rocky repos) ---------------
|
||||
COPY go.work go.work.sum* /tmp/sentinel-build/
|
||||
COPY shared/go/ja4common/ /tmp/sentinel-build/shared/go/ja4common/
|
||||
COPY services/sentinel/ /tmp/sentinel-build/services/sentinel/
|
||||
COPY services/correlator/ /tmp/sentinel-build/services/correlator/
|
||||
RUN cd /tmp/sentinel-build/services/sentinel && \
|
||||
CGO_ENABLED=1 go build -ldflags="-s -w" -o /usr/local/bin/sentinel ./cmd/ja4sentinel && \
|
||||
rm -rf /tmp/sentinel-build /root/go
|
||||
|
||||
# -- Build mod-reqin-log from source -----------------------------------------
|
||||
COPY services/mod-reqin-log/src/ /tmp/mod-reqin-log/src/
|
||||
COPY services/mod-reqin-log/Makefile /tmp/mod-reqin-log/Makefile
|
||||
RUN cd /tmp/mod-reqin-log && make all && \
|
||||
cp modules/mod_reqin_log.so /usr/lib64/httpd/modules/ 2>/dev/null || \
|
||||
cp build/.libs/mod_reqin_log.so /usr/lib64/httpd/modules/ && \
|
||||
rm -rf /tmp/mod-reqin-log
|
||||
|
||||
# -- Copy correlator from builder (static binary, no deps) -------------------
|
||||
COPY --from=go-builder /out/correlator /usr/local/bin/correlator
|
||||
|
||||
# -- Create runtime directories ----------------------------------------------
|
||||
RUN mkdir -p /var/run/logcorrelator \
|
||||
/var/log/logcorrelator \
|
||||
/var/log/ja4sentinel \
|
||||
/etc/logcorrelator \
|
||||
/etc/ja4sentinel
|
||||
|
||||
# -- Correlator config -------------------------------------------------------
|
||||
COPY tests/integration/platform/correlator.yml /etc/logcorrelator/correlator.yml
|
||||
|
||||
# -- Sentinel config ----------------------------------------------------------
|
||||
COPY tests/integration/platform/sentinel.yml /etc/ja4sentinel/config.yml
|
||||
|
||||
# -- Apache config (HTTPS + mod-reqin-log) ------------------------------------
|
||||
COPY tests/integration/platform/httpd-integration.conf /etc/httpd/conf.d/integration.conf
|
||||
|
||||
# -- Generate self-signed TLS certificate -------------------------------------
|
||||
RUN openssl req -x509 -nodes -days 365 \
|
||||
-subj "/CN=platform.test" \
|
||||
-newkey rsa:2048 \
|
||||
-keyout /etc/pki/tls/private/localhost.key \
|
||||
-out /etc/pki/tls/certs/localhost.crt
|
||||
|
||||
# -- Simple health endpoint for Apache ---------------------------------------
|
||||
RUN mkdir -p /var/www/html && \
|
||||
echo '{"status":"ok"}' > /var/www/html/health
|
||||
|
||||
# -- Entrypoint (manages all processes) --------------------------------------
|
||||
COPY tests/integration/platform/entrypoint.sh /entrypoint.sh
|
||||
RUN chmod +x /entrypoint.sh
|
||||
|
||||
EXPOSE 80 443
|
||||
|
||||
CMD ["/entrypoint.sh"]
|
||||
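Review bot: In the mod-reqin-log `RUN` step, `&&` and `||` have equal precedence and group left to right, so the fallback `cp build/.libs/mod_reqin_log.so …` runs whenever anything before it fails, including `cd` or `make all`, not only when `modules/mod_reqin_log.so` is missing. With `2>/dev/null` hiding the first copy's error, a broken build surfaces as a confusing `cp` failure, or is masked entirely if the fallback path happens to exist. Suggest grouping the two copies so the build result is checked on its own, for example `make all && { cp modules/mod_reqin_log.so /usr/lib64/httpd/modules/ 2>/dev/null || cp build/.libs/mod_reqin_log.so /usr/lib64/httpd/modules/; } && rm -rf /tmp/mod-reqin-log`. Two smaller points in the same stage: sentinel is compiled with the `golang` package from the Rocky repos while correlator uses `golang:1.24`, so the two binaries can come from different Go releases and a comment saying this is intended would help; and `rm -rf /tmp/sentinel-build /root/go` leaves Go's build cache, which defaults to `/root/.cache/go-build`, in the layer.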