Running Bro on live network traffic in a Docker container
We'll begin with a Dockerfile from which to build an image containing Bro and its dependencies. The instructions in the file tell Docker to build and install Bro from source. We're using the less secure setuid method for the bro binaries to avoid compatibility issues with storage backends such as AUFS, which doesn't support filesystem capabilities(7).
The environment section from above shows that processes in the container run as root and that PID 1 (CMD) is a small init system called supervisord. Supervisord is needed to launch and keep track of broctl; otherwise the container would exit after broctl launches bro, because broctl would no longer have a parent. For this to work we need to include supervisord.conf in the same directory as our Dockerfile so that the ADD instruction in the Dockerfile copies it into the image we are about to build.
Let's build the image and then run Bro in a container on live network traffic, keeping the logs persistent by mounting a directory from the host filesystem into the container. I'm also mounting the Bro configuration directory, which contains configuration files you may want to edit such as node.cfg, networks.cfg, and broctl.cfg. You can create and mount as many directories as you like; consider spool for current logs and share/bro/site for local Bro configuration.
With the commands above we create a Docker image from the Dockerfile and instantiate a container from that image which runs in the background (-d) and uses the host's networking stack (--net=host) so it can see the physical interfaces. We're also mounting volumes (-v) as mentioned before, where the syntax is $host-volume:$container-volume.
Once it is up, verify that Bro is generating logs on the host filesystem, then stop the container so our init system can manage the process. Note that you can enter the container while it is running to check on things and modify your configuration with something like
Since we're mounting the logs directory to the host we will check that directory for the presence of Bro logs.

The two steps just described, assembling the docker run invocation with its host:container mounts and checking the host log directory, as an added shell helper that is not part of the original post; it assumes an image and container both named `bro` and Bro installed under `/usr/local/bro` inside the image (adjust to your build):

```shell
#!/bin/sh
# Added example, not the original post's code. Builds the docker run command
# line described above and checks the host-mounted log directory for Bro logs.
# Assumptions: image/container name "bro", Bro prefix /usr/local/bro in the image.
BRO_IMAGE="${BRO_IMAGE:-bro}"
BRO_PREFIX="${BRO_PREFIX:-/usr/local/bro}"

# Print the docker run command for the given host directories.
# $1 = host logs dir, $2 = host etc dir; any further arguments are extra
# mounts in the post's $host-volume:$container-volume syntax.
bro_run_cmd() {
    logs="$1"; etc="$2"; shift 2
    cmd="docker run -d --net=host --name bro"
    cmd="$cmd -v $logs:$BRO_PREFIX/logs -v $etc:$BRO_PREFIX/etc"
    for extra in "$@"; do
        cmd="$cmd -v $extra"
    done
    printf '%s %s\n' "$cmd" "$BRO_IMAGE"
}

# Return 0 when the host log directory holds at least one Bro log file,
# either in logs/current (live) or in a dated archive directory (.log.gz).
bro_logs_present() {
    dir="$1"
    [ -d "$dir" ] || return 1
    for f in "$dir"/current/*.log "$dir"/*/*.log "$dir"/*/*.log.gz; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Optional stand-alone use: BRO_HOST_DIR=/data/bro sh this_script.sh
if [ -n "${BRO_HOST_DIR:-}" ]; then
    bro_run_cmd "$BRO_HOST_DIR/logs" "$BRO_HOST_DIR/etc" \
        "$BRO_HOST_DIR/spool:$BRO_PREFIX/spool"
    if bro_logs_present "$BRO_HOST_DIR/logs"; then
        echo "Bro logs found under $BRO_HOST_DIR/logs"
    else
        echo "no Bro logs yet under $BRO_HOST_DIR/logs" >&2
    fi
fi
```

Run the printed command to start the container, then call `bro_logs_present` against the host logs directory after Bro has had a moment to write.
<test>
set -e
tmp=$(mktemp -d)
! bro_logs_present "$tmp" || exit 1
mkdir -p "$tmp/current"
: > "$tmp/current/conn.log"
bro_logs_present "$tmp" || exit 1
out=$(bro_run_cmd /data/bro/logs /data/bro/etc /data/bro/spool:/usr/local/bro/spool)
case "$out" in
  "docker run -d --net=host --name bro -v /data/bro/logs:/usr/local/bro/logs -v /data/bro/etc:/usr/local/bro/etc -v /data/bro/spool:/usr/local/bro/spool bro") ;;
  *) exit 1 ;;
esac
! bro_logs_present "$tmp/missing" || exit 1
rm -rf "$tmp"
</test>
The init system example below uses Upstart to manage the container process.
Now we can use the familiar service commands to manage the container.