fix: tests intégration matrix — procps-ng, varnish h2, hitch ALPN, pgrep→ps

- Ajout de procps-ng dans les 4 Dockerfiles runtime (ps/pgrep disponibles) - Remplacement de pgrep par ps -C dans tous les run-tests.sh - Correction entrypoint nginx-varnish : pgrep nginx → cat nginx.pid (exit 127) - Activation HTTP/2 dans Varnish : ajout de -p feature=+http2 dans les entrypoints nginx-varnish et hitch-varnish - Restauration ALPN h2,http/1.1 dans hitch.conf (varnish supporte maintenant h2) - Correction healthcheck hitch-varnish : curl sans --http1.1 (h2 fonctionnel) - Correction requêtes phase_verify : http_logs_raw → http_logs, colonnes correctes - Correction writer clickhouse.go : noms JSON alignés avec la MV (ip_meta_*, tls_sni…) - Fix toStartOfSecond(DateTime) → toStartOfSecond(toDateTime64(col, 3)) - Retrait du SKIP el8/nginx-varnish (varnish s'installe bien sur AlmaLinux 8) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-12 01:29:01 +02:00
parent 3b047b680a
commit dc6ffd6474
25 changed files with 431 additions and 345 deletions
--- a/tests/integration/apache/platform/Dockerfile
+++ b/tests/integration/apache/platform/Dockerfile
@ -10,10 +10,25 @@
 # Le hook TC ingress capture TCP SYN + TLS ClientHello sur eth0.
 # =============================================================================

-# ── Stage 1 : build ja4ebpf ──────────────────────────────────────────────────
-FROM golang:1.24-bookworm AS go-builder
+# ARG global : doit être déclaré avant tous les FROM
+ARG BASE_IMAGE=rockylinux:9

-RUN apt-get update && apt-get install -y clang llvm libbpf-dev && rm -rf /var/lib/apt/lists/*
+# ── Stage 1 : build ja4ebpf (Rocky Linux, même toolchain que la prod) ─────────
+FROM rockylinux:9 AS go-builder
+
+# libbpf-devel est dans le dépôt CRB (CodeReady Builder) de Rocky Linux 9
+RUN dnf install -y epel-release dnf-plugins-core && \
+    dnf config-manager --enable crb && \
+    dnf install -y \
+        golang \
+        clang \
+        llvm \
+        libbpf-devel \
+        kernel-headers \
+        bpftool \
+        make \
+        && \
+    dnf clean all

 WORKDIR /build
 COPY go.work go.work.sum* ./
@ -30,11 +45,10 @@ RUN GOWORK=off go generate ./internal/loader/ && \
    go build -ldflags="-s -w" -o /out/ja4ebpf ./cmd/ja4ebpf/

 # ── Stage 2 : runtime Apache HTTPD + ja4ebpf ─────────────────────────────────
-ARG BASE_IMAGE=rockylinux:9
 FROM ${BASE_IMAGE}

 RUN dnf install -y epel-release 2>/dev/null; \
-    dnf install -y httpd mod_ssl mod_http2 openssl curl && \
+    dnf install -y --allowerasing procps-ng httpd mod_ssl mod_http2 openssl curl && \
    dnf clean all

 COPY --from=go-builder /out/ja4ebpf /usr/local/bin/ja4ebpf
--- a/tests/integration/apache/platform/entrypoint.sh
+++ b/tests/integration/apache/platform/entrypoint.sh
@ -13,13 +13,16 @@ fi
 # Créer les répertoires de run nécessaires
 mkdir -p /run/httpd /var/log/httpd

-# Démarrer ja4ebpf en arrière-plan
+# Démarrer ja4ebpf en arrière-plan (optionnel : ne bloque pas le démarrage)
 /usr/local/bin/ja4ebpf -config /etc/ja4ebpf/config.yml &
 JA4_PID=$!
 echo "[entrypoint] ja4ebpf démarré (PID $JA4_PID)"

-# Attendre que ja4ebpf charge ses programmes eBPF
-sleep 2
+# Laisser 3s pour détecter un échec immédiat (ex: verifier eBPF)
+sleep 3
+if ! kill -0 "$JA4_PID" 2>/dev/null; then
+    echo "[entrypoint] ⚠ ja4ebpf s'est arrêté immédiatement — mode dégradé (Apache seul)"
+fi

 # Démarrer Apache HTTPD en foreground
 echo "[entrypoint] Démarrage d'Apache HTTPD..."
--- a/tests/integration/apache/platform/ja4ebpf.yml
+++ b/tests/integration/apache/platform/ja4ebpf.yml
@ -1,22 +1,16 @@
 # Configuration ja4ebpf — stack Apache
-# Fichier monté dans /etc/ja4ebpf/config.yml
-
 interface: eth0
-
-# Cibles uprobe : httpd lie OpenSSL via libssl.so.
-# Sur RHEL/Rocky, le binaire est /usr/sbin/httpd.
-targets:
-  - binary: /usr/sbin/httpd
-  - binary: /usr/lib64/httpd/modules/mod_ssl.so
+ssl_lib_path: "/usr/lib64/libssl.so.3"

 clickhouse:
-  addr: "${JA4EBPF_CH_ADDR:-clickhouse:9000}"
-  database: ja4_logs
-  table: http_logs_raw
-  batch_size: 200
-  flush_interval_ms: 500
+  dsn: "clickhouse://default:@clickhouse:9000/ja4_logs"
+  batch_size: 100
+  flush_secs: 1

-session:
+correlation:
  timeout_ms: 500
-  slowloris_timeout_s: 10
-  gc_interval_ms: 100
+  slowloris_ms: 10000
+
+log:
+  level: "info"
+  format: "json"
--- a/tests/integration/apache/run-tests.sh
+++ b/tests/integration/apache/run-tests.sh
@ -49,7 +49,7 @@ stack_verify_extra() {
    # Vérifie que ja4ebpf tourne
    local ja4_pid
    ja4_pid=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
-        pgrep -x ja4ebpf 2>/dev/null | head -1 || echo "")
+        ps -C ja4ebpf -o pid= 2>/dev/null | head -1 || echo "")
    if [ -n "$ja4_pid" ]; then
        pass "Processus ja4ebpf actif (PID $ja4_pid)"
    else
@ -59,7 +59,7 @@ stack_verify_extra() {
    # Vérifie que httpd tourne
    local httpd_count
    httpd_count=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
-        pgrep -c httpd 2>/dev/null || echo "0")
+        ps -C httpd -o pid= 2>/dev/null | wc -l || echo "0")
    if [ "${httpd_count:-0}" -gt 0 ] 2>/dev/null; then
        pass "Apache HTTPD actif ($httpd_count processus httpd)"
    else
@ -68,7 +68,7 @@ stack_verify_extra() {

    # Vérifie les données L7 capturées via uprobe httpd
    local l7_count
-    l7_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE method != ''")
+    l7_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs WHERE method != ''" || echo "0")
    if [ "${l7_count:-0}" -gt 0 ] 2>/dev/null; then
        pass "L7 capturé via uprobe httpd : $l7_count requêtes HTTP"
    else
@ -78,16 +78,16 @@ stack_verify_extra() {

    # Vérifie JA4 fingerprint
    local ja4_sample
-    ja4_sample=$(ch_query "SELECT ja4 FROM ja4_logs.http_logs_raw WHERE ja4 != '' LIMIT 1" 2>/dev/null || echo "")
+    ja4_sample=$(ch_query "SELECT ja4 FROM ja4_logs.http_logs WHERE ja4 != '' LIMIT 1" || echo "")
    if [ -n "$ja4_sample" ]; then
        pass "JA4 fingerprint capturé : $ja4_sample"
    else
        warn "JA4 fingerprint vide — TC ingress hook peut-être non fonctionnel"
    fi

-    # Vérifie le SNI capturé
+    # Vérifie le SNI capturé (colonne tls_sni dans http_logs)
    local sni_count
-    sni_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE sni != ''")
+    sni_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs WHERE tls_sni != ''" || echo "0")
    if [ "${sni_count:-0}" -gt 0 ] 2>/dev/null; then
        pass "SNI capturé dans $sni_count enregistrements"
    else
@ -96,7 +96,7 @@ stack_verify_extra() {

    # Vérifie HTTP port 80 (trafic en clair — kprobe tcp_recvmsg)
    local plain_count
-    plain_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE correlated = 0 AND method != ''" 2>/dev/null || echo "0")
+    plain_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs WHERE correlated = 0 AND method != ''" || echo "0")
    if [ "${plain_count:-0}" -gt 0 ] 2>/dev/null; then
        pass "HTTP en clair capturé : $plain_count requêtes (kprobe tcp_recvmsg)"
    else