From a4076c92c09d9f4cf76ceb315e0c16be250d7a90 Mon Sep 17 00:00:00 2001
From: openeuler_bot
Date: Wed, 17 Sep 2025 00:03:32 +0000
Subject: [PATCH] 24.03-lts-sp2 update suricata to 8.0.1
---
.../suricata/8.0.1/24.03-lts-sp2/Dockerfile | 196 ++++++++++++++++++
.../8.0.1/24.03-lts-sp2/entrypoint.sh | 66 ++++++
.../8.0.1/24.03-lts-sp2/suricata.logrotate | 10 +
.../suricata/8.0.1/24.03-lts-sp2/update.yaml | 1 +
Others/suricata/README.md | 4 +-
Others/suricata/doc/image-info.yml | 1 +
Others/suricata/meta.yml | 4 +-
7 files changed, 279 insertions(+), 3 deletions(-)
create mode 100644 Others/suricata/8.0.1/24.03-lts-sp2/Dockerfile
create mode 100644 Others/suricata/8.0.1/24.03-lts-sp2/entrypoint.sh
create mode 100644 Others/suricata/8.0.1/24.03-lts-sp2/suricata.logrotate
create mode 100644 Others/suricata/8.0.1/24.03-lts-sp2/update.yaml
diff --git a/Others/suricata/8.0.1/24.03-lts-sp2/Dockerfile b/Others/suricata/8.0.1/24.03-lts-sp2/Dockerfile
new file mode 100644
index 00000000..d7af835e
--- /dev/null
+++ b/Others/suricata/8.0.1/24.03-lts-sp2/Dockerfile
@@ -0,0 +1,196 @@
+ARG BASE=openeuler/openeuler:24.03-lts-sp2
+
+FROM ${BASE} AS builder
+ENV CARGO_NET_GIT_FETCH_WITH_CLI=true
+ARG TARGETARCH
+ARG BUILDARCH
+ARG LIBPRELUDE_VERSION=5.2.0-11
+
+RUN dnf -y install \
+ autoconf \
+ automake \
+ cargo \
+ diffutils \
+ dpdk-devel \
+ elfutils-libelf-devel \
+ file \
+ file-devel \
+ gcc \
+ gcc-c++ \
+ git \
+ hiredis-devel \
+ jansson-devel \
+ jq \
+ kmod \
+ lua-devel \
+ libbpf-devel \
+ libtool \
+ libyaml-devel \
+ libnfnetlink-devel \
+ libnetfilter_queue-devel \
+ libnet-devel \
+ libcap-ng-devel \
+ libevent-devel \
+ libmaxminddb-devel \
+ libpcap-devel \
+ libtool \
+ lz4-devel \
+ make \
+ nspr-devel \
+ nss-devel \
+ nss-softokn-devel \
+ numactl-devel \
+ pcre2-devel \
+ pkgconfig \
+ python3-devel \
+ python3-yaml \
+ rust \
+ wget \
+ which \
+ zlib-devel
+
+RUN if [ "$TARGETARCH" = "amd64" ]; then \
+ BUILDARCH="x86_64"; \
+ elif [ "$TARGETARCH" = "arm64" ]; then \
+ BUILDARCH="aarch64"; \
+ fi; \
+ wget https://repo.oepkgs.net/openeuler/rpm/openEuler-24.03-LTS/extras/${BUILDARCH}/Packages/l/libprelude-${LIBPRELUDE_VERSION}.${BUILDARCH}.rpm && \
+ yum install -y libprelude-${LIBPRELUDE_VERSION}.${BUILDARCH}.rpm && \
+ rm -f libprelude-${LIBPRELUDE_VERSION}.${BUILDARCH}.rpm
+
+RUN if [ "$TARGETARCH" = "amd64" ]; then \
+ BUILDARCH="x86_64"; \
+ elif [ "$TARGETARCH" = "arm64" ]; then \
+ BUILDARCH="aarch64"; \
+ fi; \
+ wget https://repo.oepkgs.net/openeuler/rpm/openEuler-24.03-LTS/extras/${BUILDARCH}/Packages/l/libprelude-devel-${LIBPRELUDE_VERSION}.${BUILDARCH}.rpm && \
+ yum install -y libprelude-devel-${LIBPRELUDE_VERSION}.${BUILDARCH}.rpm && \
+ rm -f libprelude-devel-${LIBPRELUDE_VERSION}.${BUILDARCH}.rpm
+
+RUN cargo install cbindgen
+
+ENV PATH=/root/.cargo/bin:$PATH
+
+RUN if [ "$(arch)" = "x86_64" ]; then \
+ dnf -y install hyperscan; \
+fi
+
+ARG VERSION=8.0.1
+
+WORKDIR /src
+
+RUN curl -OL https://www.openinfosecfoundation.org/download/suricata-${VERSION}.tar.gz; \
+ tar zxf
suricata-${VERSION}.tar.gz
+
+WORKDIR /src/suricata-${VERSION}
+
+RUN ./configure \
+ --prefix=/usr \
+ --disable-shared \
+ --disable-gccmarch-native \
+ --enable-lua \
+ --enable-nfqueue \
+ --enable-hiredis \
+ --enable-geoip \
+ --enable-ebpf \
+ --enable-dpdk
+
+RUN make && make install install-conf DESTDIR=/fakeroot
+
+
+FROM ${BASE} AS runner
+ARG TARGETARCH
+ARG BUILDARCH
+ARG LIBPRELUDE_VERSION=5.2.0-11
+
+RUN dnf -y update && \
+ dnf -y install \
+ cronie \
+ dpdk \
+ elfutils-libelf \
+ file \
+ findutils \
+ hiredis \
+ iproute \
+ jansson \
+ kmod \
+ lua-libs \
+ libbpf \
+ libyaml \
+ libnfnetlink \
+ libnetfilter_queue \
+ libnet \
+ libcap-ng \
+ libevent \
+ libmaxminddb \
+ libpcap \
+ logrotate \
+ lz4 \
+ net-tools \
+ nss \
+ nss-softokn \
+ numactl \
+ pcre2 \
+ procps-ng \
+ python3 \
+ python3-yaml \
+ tcpdump \
+ wget \
+ which \
+ zlib && \
+ if [ "$(arch)" = "x86_64" ]; then dnf -y install hyperscan; fi && \
+ dnf clean all && \
+ find /etc/logrotate.d -type f -not -name suricata -delete
+
+RUN if [ "$TARGETARCH" = "amd64" ]; then \
+ BUILDARCH="x86_64"; \
+ elif [ "$TARGETARCH" = "arm64" ]; then \
+ BUILDARCH="aarch64"; \
+ fi; \
+ wget https://repo.oepkgs.net/openeuler/rpm/openEuler-24.03-LTS/extras/${BUILDARCH}/Packages/l/libprelude-${LIBPRELUDE_VERSION}.${BUILDARCH}.rpm && \
+ yum install -y libprelude-${LIBPRELUDE_VERSION}.${BUILDARCH}.rpm && \
+ rm -f libprelude-${LIBPRELUDE_VERSION}.${BUILDARCH}.rpm
+
+RUN if [ "$TARGETARCH" = "amd64" ]; then \
+ BUILDARCH="x86_64"; \
+ elif [ "$TARGETARCH" = "arm64" ]; then \
+ BUILDARCH="aarch64"; \
+ fi; \
+ wget https://repo.oepkgs.net/openeuler/rpm/openEuler-24.03-LTS/extras/${BUILDARCH}/Packages/l/libprelude-devel-${LIBPRELUDE_VERSION}.${BUILDARCH}.rpm && \
+ yum install -y libprelude-devel-${LIBPRELUDE_VERSION}.${BUILDARCH}.rpm && \
+ rm -f libprelude-devel-${LIBPRELUDE_VERSION}.${BUILDARCH}.rpm
+
+COPY --from=builder /fakeroot /
+
+RUN mkdir -p /var/log/suricata /var/run/suricata
/var/lib/suricata
+
+COPY /update.yaml /etc/suricata/update.yaml
+COPY /suricata.logrotate /etc/logrotate.d/suricata
+
+RUN suricata-update update-sources && \
+ suricata-update enable-source oisf/trafficid && \
+ suricata-update --no-test --no-reload && \
+ /usr/bin/suricata -V
+
+RUN useradd --system --create-home suricata && \
+ chown -R suricata:suricata /etc/suricata && \
+ chown -R suricata:suricata /var/log/suricata && \
+ chown -R suricata:suricata /var/lib/suricata && \
+ chown -R suricata:suricata /var/run/suricata && \
+ chown -R suricata:suricata /usr/etc/suricata && \
+ chown -R suricata:suricata /usr/var/log/suricata && \
+ chown -R suricata:suricata /usr/var/lib/suricata && \
+ chown -R suricata:suricata /usr/var/run/suricata && \
+ cp -a /etc/suricata /etc/suricata.dist && \
+ chmod 600 /etc/logrotate.d/suricata
+
+VOLUME /var/log/suricata
+VOLUME /var/lib/suricata
+VOLUME /var/run/suricata
+VOLUME /etc/suricata
+
+COPY --chown=suricata:suricata /entrypoint.sh /
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
+RUN /usr/bin/suricata --build-info
\ No newline at end of file
diff --git a/Others/suricata/8.0.1/24.03-lts-sp2/entrypoint.sh b/Others/suricata/8.0.1/24.03-lts-sp2/entrypoint.sh
new file mode 100644
index 00000000..7eada8db
--- /dev/null
+++ b/Others/suricata/8.0.1/24.03-lts-sp2/entrypoint.sh
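Review bot: The builder stage downloads suricata-${VERSION}.tar.gz with `curl -OL` and unpacks it without any integrity check, and because the two commands are joined with `;` and curl has no `-f`, a failed or substituted download only surfaces, if at all, as a tar error. The same gap applies to the four libprelude RPM steps in both stages: the files are fetched with wget and installed from a local path, where dnf skips signature checking unless `localpkg_gpgcheck` is enabled. Pin a digest for each artefact and verify it before use, as sketched below for the tarball; `cargo install cbindgen` would likewise benefit from a pinned `--version` and `--locked`. Separately, the runner stage installs libprelude-devel, which looks unnecessary at run time and could be dropped.

```dockerfile
ARG VERSION=8.0.1
# Placeholder: replace with the published SHA-256 of suricata-${VERSION}.tar.gz
ARG SURICATA_SHA256=REPLACE_WITH_PUBLISHED_SHA256

WORKDIR /src

RUN curl -fsSLO https://www.openinfosecfoundation.org/download/suricata-${VERSION}.tar.gz && \
    echo "${SURICATA_SHA256}  suricata-${VERSION}.tar.gz" | sha256sum -c - && \
    tar zxf suricata-${VERSION}.tar.gz
```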
@@ -0,0 +1,66 @@
+#! /bin/sh
+
+set -e
+
+fix_perms() {
+ if [[ "${PGID}" ]]; then
+ groupmod -o -g "${PGID}" suricata
+ fi
+
+ if [[ "${PUID}" ]]; then
+ usermod -o -u "${PUID}" suricata
+ fi
+
+ chown -R suricata:suricata /etc/suricata
+ chown -R suricata:suricata /var/lib/suricata
+ chown -R suricata:suricata /var/log/suricata
+ chown -R suricata:suricata /var/run/suricata
+}
+
+for src in /etc/suricata.dist/*; do
+ filename=$(basename ${src})
+ dst="/etc/suricata/${filename}"
+ if ! test -e "${dst}"; then
+ echo "Creating ${dst}."
+ cp -a "${src}" "${dst}"
+ fi
+done
+
+# If the first command does not look like argument, assume its a
+# command the user wants to run. Normally I wouldn't do this.
+if [ $# -gt 0 -a "${1:0:1}" != "-" ]; then
+ exec $@
+fi
+
+run_as_user="yes"
+
+check_for_cap() {
+ echo -n "Checking for capability $1: "
+ if getpcaps 0 2>&1 | grep -q "$1"; then
+ echo "yes"
+ return 0
+ else
+ echo "no"
+ return 1
+ fi
+}
+
+if ! check_for_cap sys_nice; then
+ echo "Warning: no sys_nice capability, use --cap-add sys_nice"
+ run_as_user="no"
+fi
+if ! check_for_cap net_admin; then
+ echo "Warning: no net_admin capability, use --cap-add net_admin"
+ run_as_user="no"
+fi
+
+ARGS=""
+
+if [[ "${run_as_user}" != "yes" ]]; then
+ echo "Warning: running as root due to missing capabilities" > /dev/stderr
+else
+ fix_perms
+ ARGS="${ARGS} --user suricata --group suricata"
+fi
+
+exec /usr/bin/suricata ${ARGS} ${SURICATA_OPTIONS} $@
\ No newline at end of file
diff --git a/Others/suricata/8.0.1/24.03-lts-sp2/suricata.logrotate b/Others/suricata/8.0.1/24.03-lts-sp2/suricata.logrotate
new file mode 100644
index 00000000..10f36c48
--- /dev/null
+++ b/Others/suricata/8.0.1/24.03-lts-sp2/suricata.logrotate
@@ -0,0 +1,10 @@
+/var/log/suricata/*.log /var/log/suricata/*.json {
+ daily
+ missingok
+ rotate 3
+ nocompress
+ sharedscripts
+ postrotate
+ suricatasc -c reopen-log-files
+ endscript
+}
\ No newline at end of file
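Review bot: In entrypoint.sh both `exec $@` and the final `exec /usr/bin/suricata ${ARGS} ${SURICATA_OPTIONS} $@` expand the caller's arguments unquoted, so an argument containing spaces or glob characters is re-split before it reaches the command. Use `exec "$@"` and `exec /usr/bin/suricata ${ARGS} ${SURICATA_OPTIONS} "$@"`; ARGS and SURICATA_OPTIONS rely on word splitting, so they stay unquoted. The script is declared `#! /bin/sh` but uses `[[ … ]]` and `${1:0:1}`, which are bash features, so either the shebang should name bash or the tests should be rewritten in POSIX form. When sys_nice or net_admin is missing, the script falls back to running Suricata as root with only a warning; a comment stating that this is intentional, or an explicit opt-in variable, would make that privilege decision visible to operators.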
diff --git a/Others/suricata/8.0.1/24.03-lts-sp2/update.yaml b/Others/suricata/8.0.1/24.03-lts-sp2/update.yaml new file mode 100644 index 00000000..31ec657c --- /dev/null +++ b/Others/suricata/8.0.1/24.03-lts-sp2/update.yaml @@ -0,0 +1 @@ +reload-command: suricatasc -c reload-rules \ No newline at end of file diff --git a/Others/suricata/README.md b/Others/suricata/README.md index a415678c..76da700d 100644 --- a/Others/suricata/README.md +++ b/Others/suricata/README.md @@ -17,6 +17,7 @@ the Open Information Security Foundation ([OISF](https://oisf.net/)). Suricata i The tag of each suricata docker image is consist of the version of suricata and the version of basic image. The details are as follows | Tags | Currently | Architectures| |--|--|--| +|[8.0.1-oe2403sp2](https://gitee.com/openeuler/openeuler-docker-images/blob/master/Others/suricata/8.0.1/24.03-lts-sp2/Dockerfile) | suricata 8.0.1 on openEuler 24.03-LTS-SP2 | amd64, arm64 | |[7.0.8-oe2403lts](https://gitee.com/openeuler/openeuler-docker-images/blob/master/Others/suricata/7.0.8/24.03-lts/Dockerfile)| suricata 7.0.8 on openEuler 24.03-LTS | amd64, arm64 | @@ -74,5 +75,4 @@ In this usage, users can select the corresponding `{Tag}` based on their requir ``` # Question and answering -If you have any questions or want to use some special features, please submit an issue or a pull request on [openeuler-docker-images](https://gitee.com/openeuler/openeuler-docker-images). - +If you have any questions or want to use some special features, please submit an issue or a pull request on [openeuler-docker-images](https://gitee.com/openeuler/openeuler-docker-images). \ No newline at end of file diff --git a/Others/suricata/doc/image-info.yml b/Others/suricata/doc/image-info.yml index cf185d33..cfb84825 100644 --- a/Others/suricata/doc/image-info.yml +++ b/Others/suricata/doc/image-info.yml 
@@ -11,6 +11,7 @@ tags: | | Tag | Currently | Architectures | |----------|-------------|------------------| + |[8.0.1-oe2403sp2](https://gitee.com/openeuler/openeuler-docker-images/blob/master/Others/suricata/8.0.1/24.03-lts-sp2/Dockerfile) | suricata 8.0.1 on openEuler 24.03-LTS-SP2 | amd64, arm64 | |[7.0.8-oe2403lts](https://gitee.com/openeuler/openeuler-docker-images/blob/master/Others/suricata/7.0.8/24.03-lts/Dockerfile)| suricata 7.0.8 on openEuler 24.03-LTS | amd64, arm64 | download: | diff --git a/Others/suricata/meta.yml b/Others/suricata/meta.yml index e2bf74da..ca60df8d 100644 --- a/Others/suricata/meta.yml +++ b/Others/suricata/meta.yml @@ -1,4 +1,6 @@ 7.0.8-oe2403lts: path: 7.0.8/24.03-lts/Dockerfile 8.0.0-oe2403sp1: - path: 8.0.0/24.03-lts-sp1/Dockerfile \ No newline at end of file + path: 8.0.0/24.03-lts-sp1/Dockerfile +8.0.1-oe2403sp2: + path: 8.0.1/24.03-lts-sp2/Dockerfile \ No newline at end of file -- Gitee