
docker: add multi-platform Alpine image, CI pipeline, and test suite#461

Open
ssam18 wants to merge 1 commit into snort3:master from ssam18:feature/multi-platform-docker-image

Conversation


@ssam18 ssam18 commented Apr 7, 2026

Closes #460.

What this adds

Dockerfile: four-stage build producing a minimal (~30–50 MB) Alpine runtime image with no compiler, headers, or build tools in the final layer.

  • Stage 1: build tools and -dev headers (shared across all builder stages)
  • Stage 2: LuaJIT (v2.1 branch, avoids CVE-2024-25176/25177/25178 in Alpine's packaged r0) and libdaq built from source
  • Stage 3: Snort 3 built and installed; unit tests run via make check, and the build fails if any test fails
  • Stage 4: minimal runtime with only the shared libraries Snort needs

.github/workflows/docker.yml: CI pipeline with one job per platform running in parallel. Each job follows this exact sequence, and any failure blocks the next step:

  1. docker build: unit tests run here inside the Dockerfile
  2. Functional tests (test-docker.sh sections A, B, C; T01–T36)
  3. Trivy vulnerability + secret scan (T38–T40); fails on CRITICAL/HIGH
  4. Push to GHCR only if all tests pass

After all five platform jobs succeed, a manifest merge job combines the per-platform digests into a single multi-arch latest tag.

scripts/test-docker.sh: 40 integration tests across five sections:

| Section | Tests   | Coverage                                                      |
|---------|---------|---------------------------------------------------------------|
| A       | T01–T08 | Image metadata, entrypoint, labels, volumes                   |
| B       | T09–T24 | Binary presence, ldd, DAQ modules, missing .so                |
| C       | T25–T36 | Config validation, pcap replay, alert rules, volume permissions |
| D       | T37     | Live NIC (opt-in via --live)                                  |
| E       | T38–T40 | Trivy CVE + secret scan                                       |

scripts/trivy-scan.sh: standalone scan script; auto-installs Trivy if not present, outputs table/JSON/SARIF reports.

Platform support

| Platform     | Pattern engine         | Notes                                            |
|--------------|------------------------|--------------------------------------------------|
| linux/amd64  | Vectorscan + LuaJIT    | native build, full performance                   |
| linux/arm64  | Vectorscan + LuaJIT    | native build, full performance                   |
| linux/ppc64le | Vectorscan, no LuaJIT | no upstream LuaJIT PPC64 backend                 |
| linux/arm/v7 | AC-BNFA + LuaJIT       | depends on #459 (SIGBUS fix for 32-bit ARM)      |
| linux/386    | AC-BNFA + LuaJIT       | Vectorscan not available for 32-bit x86          |

amd64 and arm64 use native GitHub runners; ppc64le, arm/v7, and 386 use QEMU.

Testing

All 40 tests pass on linux/amd64, linux/arm64, and linux/arm/v7. Unit tests (162 tests via CppUTest) pass on all three platforms with zero failures.

The arm/v7 functional build depends on #459 being merged first, or SNORT_REPO/SNORT_BRANCH build args pointing to a branch that includes that fix.

Adds everything needed to build, test, and publish a minimal Snort 3
Docker image across five architectures.
Closes snort3#460
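The gate in step 3 of the pipeline (fail on CRITICAL/HIGH vulnerabilities and on any secret finding) can be expressed as a small policy check over Trivy's JSON report. The following is an added example, not code from this PR or from the Snort 3 project; it assumes the report layout produced by `trivy image --format json` (a `Results` list whose entries carry `Vulnerabilities` or `Secrets`), and the sample report embedded in it is constructed, with placeholder CVE ids.

```python
import json
import sys
from typing import List, Tuple

# Constructed sample in Trivy's JSON report layout (assumption about the
# layout; not output from the project's scan). CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "ghcr.io/example/snort3:latest",
    "Results": [
        {"Target": "ghcr.io/example/snort3:latest (alpine 3.19)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
              "Severity": "HIGH", "FixedVersion": "1.2.3-r1"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "musl", "Severity": "LOW"}]},
        {"Target": "etc/snort/snort.lua", "Class": "secret",
         "Secrets": [{"RuleID": "aws-access-key-id", "Severity": "CRITICAL",
                      "Title": "AWS Access Key ID"}]},
    ],
})
# Constructed report with only a MEDIUM finding and no secrets: should pass.
CLEAN_REPORT = json.dumps({"Results": [
    {"Target": "img", "Class": "os-pkgs",
     "Vulnerabilities": [{"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib",
                          "Severity": "MEDIUM"}]},
    {"Target": "img", "Class": "secret", "Secrets": None},
]})

BLOCKING_SEVERITIES = frozenset({"CRITICAL", "HIGH"})


def evaluate_report(report_json: str, blocking=BLOCKING_SEVERITIES) -> Tuple[bool, List[str]]:
    """Return (passed, reasons). Fails on any vulnerability at a blocking
    severity and on any secret finding regardless of severity."""
    report = json.loads(report_json)
    reasons: List[str] = []
    for result in report.get("Results") or []:
        target = result.get("Target", "?")
        # Trivy emits null rather than [] when a result has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            if sev in blocking:
                fix = vuln.get("FixedVersion") or "no fix available"
                reasons.append(f"{target}: {vuln.get('VulnerabilityID', '?')} in "
                               f"{vuln.get('PkgName', '?')} [{sev}] (fix: {fix})")
        for secret in result.get("Secrets") or []:
            reasons.append(f"{target}: secret {secret.get('RuleID', '?')} "
                           f"[{secret.get('Severity', '?')}]")
    return (not reasons, reasons)


if __name__ == "__main__":
    ok, why = evaluate_report(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT)
    print("\n".join(why) or "scan gate passed")
    sys.exit(0 if ok else 1)
```

In CI the script would read the JSON written by trivy-scan.sh on stdin and its non-zero exit blocks the push step.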

Linked issue: Add official multi-platform Docker image for Snort 3 on Alpine