oxidized 0.34.3 → 0.36.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a87e3af9faae64551e102d6cdc54df2e45faabca7ba632ca08ef5d75d15de049
-  data.tar.gz: 1b53f1e19450f791ec11cdd61fe228764374d16aa41c1fef2c246c63f1cbaa4e
+  metadata.gz: f594c7328a0f47ff8623d8a025df44224af1e7addc71c57bd0c37ab2285c4f8f
+  data.tar.gz: 837bb841353c080c93235ca4a46095d42335fa8e05623f3e6f7ef5fc9cc67a44
 SHA512:
-  metadata.gz: 37b6c4f96885e86b5780ad61ce64e8f51292ddb2a33ab794cae270101f436cbaad3c684b7262b01197a61e93e8d45257dae2ecb3b080fb6befd9f93162778515
-  data.tar.gz: 5b7739c4e7fa07904c94ad241d9a95c636d7774c517f1235db893192c0df938c8c91bd2d6efd161eaba7ea35cbbc7dd129a275d83f3d58386ca986126ef9adcf
+  metadata.gz: ce194d0b6353b929bdb14514d835a1500d846c50491d30782d89c1c3ccc2a6e0f0cdc34aa0b9385c8ca2ce82f0c759a917f252076fc8675169d5eb40694bc3dc
+  data.tar.gz: 21c716e53c0e391bfefa617e0a3bc68a23a14a04dce3d508ca82c127f993ea909a27799901d6ad3c3e0bb1625d749bae73882f2c8e2fcb8f0b400aca036df5ab

data/.coderabbit.yaml

@@ -0,0 +1,21 @@
+reviews:
+  auto_review:
+    enabled: false
+    auto_incremental_review: false
+
+  commit_status: false
+  review_status: false
+  high_level_summary: false
+  suggested_labels: false
+  suggested_reviewers: false
+  changed_files_summary: false
+  poem: false
+  sequence_diagrams: false
+  estimate_code_review_effort: false
+  assess_linked_issues: false
+  related_issues: false
+  in_progress_fortune: false
+
+
+chat:
+  auto_reply: false

data/.github/workflows/codeql.yml

@@ -40,11 +40,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@v4
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -71,6 +71,6 @@ jobs:
     #     ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v4
       with:
         category: "/language:${{matrix.language}}"

data/.github/workflows/publishdocker.yml

@@ -3,42 +3,115 @@ on:
   push:
     branches: [ "master" ]
     tags: [ "[0-9]+.[0-9]+.[0-9]+" ]
+env:
+  REGISTRY_IMAGE: oxidized/oxidized
 
 jobs:
   build:
     if: github.repository_owner == 'ytti'
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - platform: linux/amd64
+            runner: ubuntu-latest
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
+
     steps:
+      - name: Prepare
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
 
-      - name: Define tags
+      - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
-          images: |
-            oxidized/oxidized
+          images: ${{ env.REGISTRY_IMAGE }}
           tags: |
             type=semver,pattern={{version}}
+            type=semver,pattern={{major}}
             type=sha,prefix=master-
           flavor: |
             latest=true
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
-      - name: Build and push
-        uses: docker/build-push-action@v6
+      - name: Build and push by digest
+        id: build
+        uses: docker/build-push-action@v7
         with:
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
+          platforms: ${{ matrix.platform }}
+          tags: ${{ env.REGISTRY_IMAGE }}
+          labels: |
+            ${{ steps.meta.outputs.labels }}
+            org.opencontainers.image.ref.name=${{ steps.meta.outputs.version }}
           build-args: |
             BUILDKIT_CONTEXT_KEEP_GIT_DIR=true
+          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
+
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v7
+        with:
+          name: digests-${{ env.PLATFORM_PAIR }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge:
+    runs-on: ubuntu-latest
+    needs:
+      - build
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v8
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v4
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v6
+        with:
+          images: ${{ env.REGISTRY_IMAGE }}
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}
+            type=sha,prefix=master-
+          flavor: |
+            latest=true
+
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
+
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}

data/.github/workflows/ruby.yml

@@ -19,14 +19,12 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby-version: ['3.1', '3.2', '3.3', '3.4', 'ruby-head']
+        ruby-version: ['3.0', '3.1', '3.2', '3.3', '3.4', 'ruby-head']
     continue-on-error: ${{ matrix.ruby-version == 'ruby-head' }}
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Set up Ruby
-    # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
-    # change this to (see https://github.com/ruby/setup-ruby#versioning):
       uses: ruby/setup-ruby@v1
       with:
         ruby-version: ${{ matrix.ruby-version }}

data/.github/workflows/stale.yml

@@ -12,7 +12,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
         with:
           stale-issue-message: 'This issue is stale because it has been open 90 days with no activity.'
           stale-pr-message: 'This PR is stale because it has been open 90 days with no activity.'

data/.rubocop.yml

@@ -1,5 +1,9 @@
 inherit_from: .rubocop_todo.yml
 
+inherit_mode:
+  merge:
+    - Exclude
+
 plugins:
   - rubocop-rake
   - rubocop-minitest
@@ -24,7 +28,6 @@ Style/FrozenStringLiteralComment:
 
 Layout/LineLength:
   Enabled: true
-  IgnoreCopDirectives: false
   Max: 120
   # Too much models have long lines, which is unsafe to reduce without
   # having an existing model unit test.
@@ -66,8 +69,13 @@ Style/ConditionalAssignment:
 Style/FormatString:
   EnforcedStyle: percent
 
+Style/FileOpen:
+  Exclude:
+   - lib/oxidized/input/*.rb
+
 Style/FormatStringToken:
   EnforcedStyle: unannotated
+  AllowedMethods: ['metadata']
 
 Style/HashEachMethods:
   Enabled: true
@@ -81,6 +89,10 @@ Style/HashTransformKeys:
 Style/HashTransformValues:
   Enabled: true
 
+Style/OneClassPerFile:
+  Exclude:
+   - spec/**/*.rb
+
 Style/RegexpLiteral:
   EnforcedStyle: slashes
   AllowInnerSlashes: true
@@ -106,7 +118,7 @@ Metrics/AbcSize:
   Enabled: false
 
 Metrics/ClassLength:
-  Enabled: false
+  Max: 200
 
 Metrics/PerceivedComplexity:
   Enabled: false

data/.rubocop_todo.yml

@@ -1,11 +1,18 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2025-08-01 14:00:10 UTC using RuboCop version 1.79.1.
+# on 2026-03-31 11:49:52 UTC using RuboCop version 1.86.0.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
+# Offense count: 2
+# Configuration parameters: CountComments, Max, CountAsOne.
+Metrics/ClassLength:
+  Exclude:
+    - 'lib/oxidized/node.rb'
+    - 'lib/oxidized/output/git.rb'
+
 # Offense count: 1
 Style/ClassVars:
   Exclude:
@@ -19,7 +26,19 @@ Style/DoubleNegation:
   Exclude:
     - 'lib/oxidized/hook/exec.rb'
 
-# Offense count: 33
+# Offense count: 1
+Style/FileOpen:
+  Exclude:
+    - 'extra/syslog.rb'
+
+# Offense count: 2
+# Configuration parameters: AllowedClasses.
+Style/OneClassPerFile:
+  Exclude:
+    - 'lib/oxidized/input/telnet.rb'
+    - 'lib/oxidized/signals.rb'
+
+# Offense count: 32
 # This cop supports unsafe autocorrection (--autocorrect-all).
 Style/SlicingWithRange:
   Enabled: false

data/CHANGELOG.md

@@ -4,13 +4,98 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [0.36.0 - 2026-03-31]
+### Release Notes
+The fortios model has been split into fortigate and fortios. You need the new fortigate model for FortiGate firewalls. Be sure to check the [Fortinet model notes](docs/Model-Notes/Fortinet.md) before upgrading.
+
+The SCP gem is now an optional dependency as it will rarely be used - you must install it if you need it. It is still included in the docker image.
+
+We may rework models in the future to clean up duplicated code (by using the macros or by inheriting from the Defacto model). To make sure your favorite model doesn’t break, please share [simulation files](/docs/DeviceSimulation.md) via issues or, preferably, pull requests, so we can detect when a change breaks a model.
+
+### Added
+- Support https mode, headers, and ssl verify for HTTP output (@bahirul)
+- String refinements: introduce `keep_lines` and `reject_lines` methods (@robertcheramy)
+- Support for storing configurations only on significant changes (@robertcheramy)
+- Add support for Ivanti Secure Connect ISA models (@candleflip)
+- smartbyte: new model for SmartByte switches (@freddy36)
+- Support multiple input (@robertcheramy)
+- apcaos model with SSH + SCP capabilities, deprecates apc_aos (@robertcheramy)
+- exalink model for specific Cisco ExaLink Fusion (formerly Exablaze) switches (@obol89)
+- source_node_transform hook, allows user to manipulate node data when loading from source (@ytti)
+- docker image: publish major version tag (e.g. `0`) in addition to full semver tag on releases (@infabo)
+- introduce the defacto model and macros for models (@ytti)
+
+### Changed
+- Refactored models: Use `keep_lines` and `reject_lines` in aosw, arubainstant, asa, efos, firelinuxos, fsos, ironware, mlnxos and perle (@robertcheramy)
+- Refactor SSH and SCP into a common class SSHBase. Fixes #3597 (@robertcheramy)
+- Modified models to support store mode on significant changes: ios, fortios, perle, ndms (@robertcheramy, @furriest)
+- fortios: model rewrite and split into fortios and fortigate. Fixes #3680 (@robertcheramy)
+- fortigate: Add PSU & SFP inventory (@robertcheramy)
+- fortigate: move var fortios_autoupdate (deprecated) to fortigate_autoupdate (@robertcheramy)
+- netgear: extended login and pager detection to add support for GS728TPv2 and GS752TPv2 (@weberc)
+- comware: Hide snmp secrets for Comware (@iriseden)
+- Aruba-CX : Hide secrets for Aruba-CX (@iriseden)
+
+### Fixed
+- VyOS: Only remove SNMP community, not route-maps. Fixes #3735 (@systeembeheerder)
+- apc_aos: set comment to "; " to match comments in config.ini (@robertcheramy)
+- h3c: fix overly permissive prompt regexp causing false matches. Fixes #3673 (@robertcheramy)
+- extra/device2yaml.rb: fix \r being removed at end of line (@robertcheramy)
+- perle: remove trailing \r (the device sends \r\r\n) (@robertcheramy)
+- Reintroduce support for Ruby 3.0. Fixes #3688 (@robertcheramy)
+- githubrepo: fix authentication with ssh-agent not working. Fixes #3420 (@robertcheramy)
+- fastiron: adjust prompt to account for stacks, remove time from stack output. Fixes #3106 (@ManoftheSea)
+- interval: fix fetching device configuration at oxidized start when interval is 0. Fixes #3746 (@tgr229)
+- voss: more cleanup of constantly changing values (fan & temp) for at least Extreme Networks 7520-48Y-8C-FabricEngine (8.10.5.0) (@irrwitzer42)
+- truenas: Added retry logic to use sudo for reading/dumping the configuration database if needed. Fixes #3767 (@neilschelly)
+- aoscx: update regex to include 'N/A' in FAN speed parsing (@solrac200, @robertcheramy)
+- nxos: show inventory for older models. Fixes #3779 (@scamp)
+
+## [0.35.0 - 2025-12-04]
+### Release Notes
+- VyOS now has it's own model and should be used for supported VyOS versions instead of the Vyatta model.
+- AosCX has been reworked and may break old OS versions. Submit an issue along with a YAML Simulation File if you encounter problems.
+- TiMOS (deprecated model) has been removed. Use SROS.
+- FortiOs will be reworked in release 0.36 (Issue #3680). Subscribe to the issue if you want to be informed and test the model before the release.
+- ~~Support for Ruby 3.1 will be discontinued in release 0.36 (Issue #3688) if no one objects.~~
+
+### Added
+- Allow setting timeout on per node basis. Closes #3612 (@ytti)
+- Added Vyos as individual model. Closes #3603 #3560 (@nicolasberens)
+- Add metadata to models. Closes #3249 (@robertcheramy)
+- perle: new model for console servers (@robertcheramy)
+- Introduce [conditional commands](/docs/Ruby-API.md#conditional-commands) (@robertcheramy)
+
+### Changed
+- tnsr: added simulation data for older versions (@Vantomas)
+- docker image: change default shell to bash. (@electrocret)
+- refactor suppression of ANSI escape codes into model.rb (use `clean :escape_codes` in your model. Updated cumulus, garderos, mlnxos and vyos. (@robertcheramy)
+- aoscx: rework handling of ANSI escape codes (@robertcheramy)
+- docker: build on arm64 natively. Closes #3665 (@robertcheramy)
+- docker image: move base image from phusion/baseimage to debian:trixie-slim (@robertcheramy)
+
+### Fixed
+- input/http: bracket IPv6 URI. Fixes #3620 (@ytti)
+- tnsr: fixed prompt regex, sometimes --More-- pager is misplaced on older versions (@ClumsyAdmin)
+- eatonnetwork: Update for firmware v2.2.0 #3634 (@thanegill)
+- input/http: Corrected pagination causing duplicated nodes. Fixes #3676 (@kquilliam)
+- many models: fix redundant regular expressions (@robertcheramy)
+- timos: remove deprecated model timos. Use sros. #3617 (@robertcheramy)
+- fsos: set terminal width to 0. Fixes #3576 (@robertcheramy)
+- aoscx: rework environmental data anonymization. Fixes #3568 (@robertcheramy, inspired by PR #3653 by @martadams89)
+- netgear: fix prompt issues caused by ANSI escape codes. Fixes #3287 (@robertcheramy)
+- remove redundant dependency on bundler producing a CI failure on ruby-head (@robertcheramy)
+- nxos: use "show inventory" when "show inventory all" is not supported. Fixes #3657 (@robertcheramy)
+- arubainstant: handle spaces/parentheses in AP names and add Zone column. Fixes #3611 (@iRomanyshyn, @robertcheramy)
+- core: fix "undefined method `[]' for nil" when only extensions: configured. Fixes: #3607 (@robertcheramy)
+
+
 ## [0.34.3 - 2025-08-05]
 This release fixes an issue preventing /node/show/<hostname> to work in oxidized-web.
 
 ### Fixed
 - Guarantee that node vars is a dict (Issue ytti/oxidized-web#365) (@ytti)
 
-
 ## [0.34.2 – 2025-08-01]
 This release mainly fixes a bug in input/scp that made ssh raise an error when
 closing a closed connection (Issue #3583).

data/Dockerfile

@@ -1,94 +1,102 @@
-FROM docker.io/phusion/baseimage:noble-1.0.2
-
-ENV DEBIAN_FRONTEND=noninteractive
+FROM docker.io/debian:trixie-slim
 
 ##### Place "static" commands at the beginning to optimize image size and build speed
-# remove default ubuntu user
-RUN userdel -r ubuntu
 
 # add non-privileged user
-ARG UID=30000
-ARG GID=$UID
-RUN groupadd -g "${GID}" -r oxidized && useradd -u "${UID}" -r -m -d /home/oxidized -g oxidized oxidized
+RUN groupadd -g "30000" -r oxidized && \
+    useradd -u "30000" -r -m -d /home/oxidized -g oxidized oxidized && \
+    chsh -s /bin/bash oxidized 
 
+# See PR #3637 - ruby runs /bin/sh and bash is whished for exec hooks
+RUN ln -sf /bin/bash /bin/sh
 
 ##### MSMTP - Sending emails
 # link config for msmtp for easier use.
 # /home/oxidized/.msmtprc is a symbolic link to /home/oxidized/.config/oxidized/.msmtprc
 # Create the files as the user oxidized
 RUN mkdir -p /home/oxidized/.config/oxidized/ && \
-    chmod -R ug=rwX,o= /home/oxidized/.config/ && \
     touch /home/oxidized/.config/oxidized/.msmtprc && \
-    chmod -R u=rw,go= /home/oxidized/.config/oxidized/.msmtprc && \
     ln -s /home/oxidized/.config/oxidized/.msmtprc /home/oxidized/ && \
-    chown -R oxidized:oxidized /home/oxidized/.config /home/oxidized/.msmtprc
+    chmod -R ug=rwX,o= /home/oxidized/.config/ && \
+    chown -R oxidized:oxidized /home/oxidized/
 
 # add runit services
 COPY extra/oxidized.runit /etc/service/oxidized/run
 COPY extra/auto-reload-config.runit /etc/service/auto-reload-config/run
 COPY extra/update-ca-certificates.runit /etc/service/update-ca-certificates/run
 
-# set up dependencies for the build process
-RUN apt-get -qy update \
-    && apt-get -qy upgrade \
-    && apt-get -qy --no-install-recommends install ruby \
-    # Build process of oxidized from git and git-tools in the container
-    git \
-    # Allow git send-email from docker image
-    git-email libmailtools-perl \
-    # Allow sending emails in the docker container
-    msmtp \
-    # Debuging tools inside the container
-    inetutils-telnet \
-    # Use ubuntu gems where possible
-    # Gems needed by oxidized
-    ruby-rugged ruby-slop ruby-psych \
-    ruby-net-telnet ruby-net-ssh ruby-net-ftp ruby-ed25519 \
-    # Gem dependencies for inputs
-    ruby-net-http-persistent ruby-mechanize \
-    # Gem dependencies for sources
-    ruby-sqlite3 ruby-mysql2 ruby-pg ruby-sequel ruby-gpgme\
-    # Gem dependencies for hooks
-    ruby-aws-sdk ruby-xmpp4r \
-    # Gems needed by oxidized-web
-    ruby-charlock-holmes ruby-haml ruby-htmlentities ruby-json \
-    puma ruby-sinatra ruby-sinatra-contrib \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
-
-# gems not available in ubuntu noble
-RUN gem install --no-document \
-    # dependencies for hooks
-    slack-ruby-client cisco_spark \
-    # dependencies for specific inputs
-    net-tftp \
-    # Net scp is needed in Version >= 4.1.0, which is not available in ubuntu
-    net-scp
-
-# Prepare the build of oxidized, copy our workig directory in the container
+# Prepare the build of oxidized, copy our working directory in the container
 COPY . /tmp/oxidized/
 WORKDIR /tmp/oxidized
 
-# Install gems which needs a build environment
-RUN apt-get -qy update && \
-    apt-get -qy install --no-install-recommends \
-                        build-essential ruby-dev && \
-    ##### X25519 (a.k.a. Curve25519) Elliptic Curve Diffie-Hellman
-    gem install x25519 && \
-    ##### build & install oxidized from the working repository
+# set up dependencies for the build process
+RUN set -eux; \
+    export DEBIAN_FRONTEND=noninteractive; \
+    apt-get update; \
+    # no apt-get upgrade needed, as debian images are rebuilt on security issues
+    apt-get install -y --no-install-recommends \
+      # runit: lightweight service supervisor
+      # dumb-init: proper PID 1 signal handling
+      # gosu: run oxidized as the user oxidized
+      runit dumb-init gosu \
+      # Build tools
+      build-essential ruby-dev \
+      # Useful tools
+      openssh-client vim-tiny inetutils-telnet \
+      # Dependencies for /extra scripts
+      curl jq \
+      # Build process of oxidized from git and git-tools in the container
+      git \
+      # Allow git send-email from docker image
+      git-email libmailtools-perl \
+      # Allow sending emails in the docker container
+      msmtp \
+      # Use debian packaged gems where possible
+      # ruby and core gems needed by oxidized
+      ruby ruby-rugged ruby-slop \
+      # Gem dependencies for inputs
+      ruby-net-telnet ruby-net-ssh ruby-net-ftp ruby-ed25519 ruby-net-scp \
+      ruby-net-http-persistent ruby-mechanize \
+      # Gem dependencies for sources
+      ruby-sqlite3 ruby-mysql2 ruby-pg ruby-sequel ruby-gpgme\
+      # Gem dependencies for hooks
+      ruby-aws-sdk ruby-xmpp4r \
+      # Gems needed by oxidized-web
+      ruby-charlock-holmes ruby-haml ruby-htmlentities ruby-json \
+      puma ruby-sinatra ruby-sinatra-contrib \
+      # Gems needed by slack-ruby-client
+      ruby-faraday ruby-faraday-net-http ruby-faraday-multipart ruby-hashie \
+      # Gems needed by semantic logger
+      ruby-concurrent \
+    ; \
+    # build & install oxidized from the working repository
     # docker automated build gets shallow copy, but non-shallow copy cannot be unshallowed
-    git fetch --unshallow || true && \
-    rake install && \
-    # install oxidized-web
-    gem install oxidized-web --no-document && \
+    git fetch --unshallow || true; \
+    rake install; \
+    # install oxidized-web and gems not available in debian trixie
+    gem install --no-document --no-wrappers --conservative --minimal-deps \
+      oxidized-web \
+      # dependencies for hooks
+      slack-ruby-client cisco_spark \
+      # dependencies for specific inputs
+      net-tftp \
+      ##### X25519 (a.k.a. Curve25519) Elliptic Curve Diffie-Hellman
+      x25519 \
+    ; \
     # remove the packages we do not need.
-    apt-get -qy remove build-essential ruby-dev && \
-    apt-get -qy autoremove && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
+    apt-get remove -y build-essential ruby-dev; \
+    apt-get autoremove -y ; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*; \
+    find /var/lib/gems/*/cache -mindepth 1 -delete; \
+    rm -rf /tmp/oxidized;
 
-# clean up
 WORKDIR /
-RUN rm -rf /tmp/oxidized
 
 EXPOSE 8888/tcp
+
+# dumb-init handles PID 1 for proper signal forwarding (Ctrl-C, SIGTERM)
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+
+# runit supervises all services in /etc/service/
+CMD ["runsvdir", "-P", "/etc/service"]

data/README.md

@@ -73,8 +73,7 @@ Check out the [Oxidized TREX 2014 presentation](http://youtu.be/kBQ_CTUuqeU?t=3h
 ## Installation
 
 ### Debian and Ubuntu
-
-Debian "buster" or newer and Ubuntu 17.10 (artful) or newer are recommended. On Ubuntu, begin by enabling the `universe`
+Debian 12 "bookworm" or newer and Ubuntu 22.04 (Jammy Jellyfish) or newer are recommended. On Ubuntu, begin by enabling the `universe`
 repository (required for libssh2-1-dev):
 
 ```shell
@@ -84,7 +83,7 @@ add-apt-repository universe
 Install the dependencies:
 
 ```shell
-apt install ruby ruby-dev libsqlite3-dev libssl-dev pkg-config cmake libssh2-1-dev libicu-dev zlib1g-dev g++ libyaml-dev
+apt install ruby ruby-dev libsqlite3-dev libssl-dev pkg-config cmake libssh2-1-dev libicu-dev zlib1g-dev g++ libyaml-dev libzstd-dev
 ```
 
 Finally, install Oxidized:
@@ -101,7 +100,7 @@ gem install oxidized-script # Script-based input/output extensions
 ```
 
 ### Rocky Linux, Red Hat Enterprise Linux
-These instructions has been verified on Rocky Linux 9.3 and Fedora.
+These instructions has been verified on Rocky Linux 9, Rocky Linux 10 and Fedora.
 
 On Rocky Linux 9, you need to install/enable EPEL, CRB and Ruby 3.1:
 ```shell
@@ -129,7 +128,7 @@ gem install oxidized-script # Script-based input/output extensions
 ```
 
 ### FreeBSD
-These installation instructions have been tested on FreeBSD 14.2, but
+> :warning: These installation instructions have been tested on FreeBSD 14.2, but
 oxidized itself has not been tested on it.
 
 First install ruby and rubyXX-gems (Find out the name of the package with `pkg search gems`):

data/Rakefile

@@ -1,5 +1,6 @@
 require 'bundler/gem_tasks'
 require 'rake/testtask'
+require 'time'
 require_relative 'lib/oxidized/version'
 
 gemspec = Gem::Specification.load(Dir['*.gemspec'].first)
@@ -92,17 +93,34 @@ desc 'Build the container image with docker or podman'
 task :build_container do
   branch_name = %x(git rev-parse --abbrev-ref HEAD).chop.gsub '/', '_'
   sha_hash = %x(git rev-parse --short HEAD).chop
+  sha_hash_long = %x(git rev-parse HEAD).chop
   image_tag = "#{branch_name}-#{sha_hash}"
+  created_time = Time.now.iso8601
+
+  # Build-Args for consistent labels
+  build_args = [
+    "--label org.opencontainers.image.title=oxidized",
+    "--label org.opencontainers.image.description='Local build of Oxidized'",
+    "--label org.opencontainers.image.url=https://github.com/ytti/oxidized",
+    "--label org.opencontainers.image.source=https://github.com/ytti/oxidized",
+    "--label org.opencontainers.image.created=#{created_time}",
+    "--label org.opencontainers.image.ref.name=#{image_tag}",
+    "--label org.opencontainers.image.licenses=Apache-2.0",
+    "--label org.opencontainers.image.version=#{image_tag}",
+    "--label org.opencontainers.image.revision=#{sha_hash_long}",
+    "-t oxidized:#{image_tag}",
+    "-t oxidized:latest"
+  ].join(' ')
 
   # Prefer podman if available as it runs rootless
   if command_available?('podman')
-    sh "podman build -t oxidized:#{image_tag} -t oxidized:latest ."
+    sh "podman build #{build_args} ."
   elsif command_available?('docker')
     if docker_needs_root?
       puts 'docker needs root to build the image. Using sudo...'
-      sh "sudo docker build -t oxidized:#{image_tag} -t oxidized:latest ."
+      sh "sudo docker build #{build_args} ."
     else
-      sh "docker build -t oxidized:#{image_tag} -t oxidized:latest ."
+      sh "docker build #{build_args} ."
     end
   else
     puts 'You need Podman or Docker to build the container image.'