ukhomeoffice / docker-clamav
ClamAV built on alpine
License: MIT License
The service is not deployed - it should be...
Hello, currently when I try to expose sock to the local host I always get a permission error. That is because Docker will create the folder as root, and the user provided in the container is bound to uid 1000. I have to set 777 or 767 permissions on the folder to avoid this.
Expectation is that the created folder is accessible to the container as per the defined user.
My compose file:
version: "3.6"
services:
  clamav:
    image: "quay.io/ukhomeofficedigital/clamav:latest"
    container_name: "clamav"
    volumes:
      - ${WORKINGDIR}/clamav/:/var/run/clamav/
    restart: unless-stopped
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - CLAMD_SETTINGS_CSV=MaxFileSize=300M,LogVerbose=yes,PCREMaxFileSize=50M,StreamMaxLength=50M,LocalSocket=/var/run/clamav/clamd.ctl
Apparently the documented env vars UPDATE_ONLY and UPDATE are not implemented (anymore?).
Therefore also the example with running a Kubernetes sidecar to refresh the DB doesn't work anymore.
Was this removed intentionally?
Hey, thanks a lot for a cool package.
I have an issue, I use docker compose:
  clamav:
    image: "quay.io/ukhomeofficedigital/clamav:latest"
    container_name: "clamav"
    ports:
      - "9006:3310"
    restart: unless-stopped
    environment:
      - CLAMD_SETTINGS_CSV=MaxFileSize=300M,LogVerbose=yes,PCREMaxFileSize=50M,StreamMaxLength=50M
      - FRESHCLAM_SETTINGS_CSV=LogVerbose=yes
I can see that config file was updated:
# docker exec clamav cat /etc/clamav/clamd.conf
LogFile /dev/stdout
LogTime yes
LogClean yes
LogSyslog no
DatabaseDirectory /var/lib/clamav
LocalSocket /var/run/clamav/clamd.socket
TCPSocket 3310
Foreground yes
MaxFileSize 300M
LogVerbose yes
PCREMaxFileSize 50M
StreamMaxLength 50M
But I can't see verbose logs, and StreamMaxLength was not applied, so I have an error with Nextcloud... Indeed PCREMaxFileSize and MaxFileSize are correct. Here is some log output.
Thu Apr 16 12:32:37 2020 -> *Current working dir is /var/lib/clamav/,
Thu Apr 16 12:32:37 2020 -> *Querying current.cvd.clamav.net,
Thu Apr 16 12:32:37 2020 -> +++ Started at Thu Apr 16 12:32:37 2020,
Thu Apr 16 12:32:37 2020 -> Received 0 file descriptor(s) from systemd.,
Thu Apr 16 12:32:37 2020 -> clamd daemon 0.102.1 (OS: linux-musl, ARCH: x86_64, CPU: x86_64),
Thu Apr 16 12:32:37 2020 -> Log file size limited to 1048576 bytes.,
Thu Apr 16 12:32:37 2020 -> Reading databases from /var/lib/clamav,
Thu Apr 16 12:32:37 2020 -> Not loading PUA signatures.,
Thu Apr 16 12:32:37 2020 -> Bytecode: Security mode set to "TrustSigned".,
Thu Apr 16 12:32:37 2020 -> *TTL: 697,
Thu Apr 16 12:32:37 2020 -> *fc_dns_query_update_info: Software version from DNS: 0.102.2,
Thu Apr 16 12:32:37 2020 -> ^Your ClamAV installation is OUTDATED!,
Thu Apr 16 12:32:37 2020 -> ^Local version: 0.102.1 Recommended version: 0.102.2,
Thu Apr 16 12:32:37 2020 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav,
Thu Apr 16 12:32:37 2020 -> *Current working dir is /var/lib/clamav/,
Thu Apr 16 12:32:37 2020 -> *check_for_new_database_version: Local copy of daily found: daily.cld.,
Thu Apr 16 12:32:37 2020 -> *query_remote_database_version: daily.cvd version from DNS: 25784,
Thu Apr 16 12:32:37 2020 -> daily.cld database is up to date (version: 25784, sigs: 2267600, f-level: 63, builder: raynman),
Thu Apr 16 12:32:37 2020 -> *fc_update_database: daily.cld already up-to-date.,
Thu Apr 16 12:32:37 2020 -> *Current working dir is /var/lib/clamav/,
Thu Apr 16 12:32:37 2020 -> *check_for_new_database_version: Local copy of main found: main.cvd.,
Thu Apr 16 12:32:37 2020 -> *query_remote_database_version: main.cvd version from DNS: 59,
Thu Apr 16 12:32:37 2020 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr),
Thu Apr 16 12:32:37 2020 -> *fc_update_database: main.cvd already up-to-date.,
Thu Apr 16 12:32:37 2020 -> *Current working dir is /var/lib/clamav/,
Thu Apr 16 12:32:37 2020 -> *check_for_new_database_version: Local copy of bytecode found: bytecode.cvd.,
Thu Apr 16 12:32:37 2020 -> *query_remote_database_version: bytecode.cvd version from DNS: 331,
Thu Apr 16 12:32:37 2020 -> bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg),
Thu Apr 16 12:32:37 2020 -> *fc_update_database: bytecode.cvd already up-to-date.,
Thu Apr 16 12:32:47 2020 -> Loaded 6822011 signatures.,
Thu Apr 16 12:32:50 2020 -> TCP: Bound to [0.0.0.0]:3310,
Thu Apr 16 12:32:50 2020 -> TCP: Setting connection queue length to 200,
Thu Apr 16 12:32:50 2020 -> LOCAL: Unix socket file /var/run/clamav/clamd.socket,
Thu Apr 16 12:32:50 2020 -> LOCAL: Setting connection queue length to 200,
Thu Apr 16 12:32:50 2020 -> Limits: Global time limit set to 120000 milliseconds.,
Thu Apr 16 12:32:50 2020 -> Limits: Global time limit set to 120000 milliseconds.,
Thu Apr 16 12:32:50 2020 -> Limits: Global size limit set to 104857600 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: Global size limit set to 104857600 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: File size limit set to 314572800 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: File size limit set to 314572800 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: Recursion level limit set to 16.,
Thu Apr 16 12:32:50 2020 -> Limits: Recursion level limit set to 16.,
Thu Apr 16 12:32:50 2020 -> Limits: Files limit set to 10000.,
Thu Apr 16 12:32:50 2020 -> Limits: Files limit set to 10000.,
Thu Apr 16 12:32:50 2020 -> Limits: Core-dump limit is 18446744073709551615.,
Thu Apr 16 12:32:50 2020 -> *Limits: Core-dump limit is 18446744073709551615.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxPartitions limit set to 50.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxPartitions limit set to 50.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxIconsPE limit set to 100.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxIconsPE limit set to 100.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxRecHWP3 limit set to 16.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxRecHWP3 limit set to 16.,
Thu Apr 16 12:32:50 2020 -> Limits: PCREMatchLimit limit set to 100000.,
Thu Apr 16 12:32:50 2020 -> Limits: PCREMatchLimit limit set to 100000.,
Thu Apr 16 12:32:50 2020 -> Limits: PCRERecMatchLimit limit set to 2000.,
Thu Apr 16 12:32:50 2020 -> Limits: PCRERecMatchLimit limit set to 2000.,
Thu Apr 16 12:32:50 2020 -> Limits: PCREMaxFileSize limit set to 52428800.,
Thu Apr 16 12:32:50 2020 -> Limits: PCREMaxFileSize limit set to 52428800.,
Thu Apr 16 12:32:50 2020 -> Archive support enabled.,
Thu Apr 16 12:32:50 2020 -> Archive support enabled.,
Thu Apr 16 12:32:50 2020 -> AlertExceedsMax heuristic detection disabled.,
Thu Apr 16 12:32:50 2020 -> AlertExceedsMax heuristic detection disabled.,
Thu Apr 16 12:32:50 2020 -> Heuristic alerts enabled.,
Thu Apr 16 12:32:50 2020 -> Heuristic alerts enabled.,
Thu Apr 16 12:32:50 2020 -> Portable Executable support enabled.,
Thu Apr 16 12:32:50 2020 -> Portable Executable support enabled.,
Thu Apr 16 12:32:50 2020 -> ELF support enabled.,
Thu Apr 16 12:32:50 2020 -> ELF support enabled.,
Thu Apr 16 12:32:50 2020 -> Mail files support enabled.,
Thu Apr 16 12:32:50 2020 -> Mail files support enabled.,
Thu Apr 16 12:32:50 2020 -> OLE2 support enabled.,
Thu Apr 16 12:32:50 2020 -> OLE2 support enabled.,
Thu Apr 16 12:32:50 2020 -> PDF support enabled.,
Thu Apr 16 12:32:50 2020 -> PDF support enabled.,
Thu Apr 16 12:32:50 2020 -> SWF support enabled.,
Thu Apr 16 12:32:50 2020 -> SWF support enabled.,
Thu Apr 16 12:32:50 2020 -> HTML support enabled.,
Thu Apr 16 12:32:50 2020 -> HTML support enabled.,
Thu Apr 16 12:32:50 2020 -> XMLDOCS support enabled.,
Thu Apr 16 12:32:50 2020 -> XMLDOCS support enabled.,
Thu Apr 16 12:32:50 2020 -> HWP3 support enabled.,
Thu Apr 16 12:32:50 2020 -> HWP3 support enabled.,
Thu Apr 16 12:32:50 2020 -> Self checking every 600 seconds.,
Thu Apr 16 12:32:50 2020 -> Self checking every 600 seconds.,
Thu Apr 16 12:32:50 2020 -> Listening daemon: PID: 20,
Thu Apr 16 12:32:50 2020 -> *Listening daemon: PID: 20,
Thu Apr 16 12:32:50 2020 -> MaxQueue set to: 100,
Thu Apr 16 12:32:50 2020 -> *MaxQueue set to: 100,
Thu Apr 16 12:32:50 2020 -> Set stacksize to 1048576,
Thu Apr 16 12:32:50 2020 -> Set stacksize to 1048576,
Sending build context to Docker daemon 23.64MB
Step 1/14 : FROM alpine:3.11
3.11: Pulling from library/alpine
Digest: sha256:9a839e63dad54c3a6d1834e29692c8492d93f90c59c978c1ed79109ea4fb9a54
Status: Image is up to date for alpine:3.11
---> f70734b6a266
Step 2/14 : ENV CLAM_VERSION=0.102.1-r0
---> Using cache
---> abae15b6cdfd
Step 3/14 : RUN apk add --no-cache clamav=$CLAM_VERSION clamav-libunrar=$CLAM_VERSION
---> Running in 05d18cd75e29
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz
ERROR: unsatisfiable constraints:
clamav-0.102.3-r0:
breaks: world[clamav=0.102.1-r0]
clamav-libunrar-0.102.3-r0:
breaks: world[clamav-libunrar=0.102.1-r0]
The command '/bin/sh -c apk add --no-cache clamav=$CLAM_VERSION clamav-libunrar=$CLAM_VERSION' returned a non-zero code: 2
Either the output of freshclam has changed (or was always wrong at the version deployed to prod)...
[root@clamav-2334659081-82n4v /]# freshclam
ClamAV update process started at Mon Mar 6 17:36:01 2017
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cvd is up to date (version: 23177, sigs: 1728734, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 290, sigs: 55, f-level: 63, builder: neo)
[root@clamav-2334659081-82n4v /]# clamdscan eicar.com
/eicar.com: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.056 sec (0 m 0 s)
[root@clamav-2334659081-82n4v /]# /readyness.sh
freshclam not running
[root@clamav-2334659081-82n4v /]# freshclam
ClamAV update process started at Mon Mar 6 17:37:55 2017
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cvd is up to date (version: 23177, sigs: 1728734, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 290, sigs: 55, f-level: 63, builder: neo)
[root@clamav-2334659081-82n4v /]# freshclam | grep -q 'bytecode.cvd is up to date'
[root@clamav-2334659081-82n4v /]# echo $?
1
Essentially bytecode.cvd should be bytecode.cld
Update the check to work appropriately...
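One way to write the check so that it does not depend on the file extension, as an added example that is not the project's readyness.sh. It also accepts the "database is up to date" wording seen in the 0.102.1 log earlier on this page; the function names and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: a readiness check that accepts NAME.cvd or NAME.cld.
# A fixed 'bytecode.cvd is up to date' pattern stops matching as soon as
# freshclam reports the database under the other extension.

# Constructed sample, copied from the freshclam output quoted in the issue above.
SAMPLE_OLD='ClamAV update process started at Mon Mar 6 17:37:55 2017
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cvd is up to date (version: 23177, sigs: 1728734, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 290, sigs: 55, f-level: 63, builder: neo)'

# Constructed sample: the daily database is missing from the report.
SAMPLE_BAD='main.cvd is up to date (version: 57, ...)
bytecode.cld is up to date (version: 290, ...)'

# db_current NAME OUTPUT -> 0 if OUTPUT reports NAME.cvd or NAME.cld as current.
# The optional " database" covers the newer log wording.
db_current() {
    printf '%s\n' "$2" |
        grep -Eq "(^|[[:space:]])$1\.c[lv]d( database)? is up to date"
}

# all_dbs_current OUTPUT -> 0 only if main, daily and bytecode are all current;
# otherwise prints the first database that is not and returns 1.
all_dbs_current() {
    for db in main daily bytecode; do
        if ! db_current "$db" "$1"; then
            echo "not current: $db"
            return 1
        fi
    done
    return 0
}

# In the container this would be called as:
#   all_dbs_current "$(freshclam 2>&1)"
```

The check only recognises the "is up to date" wording shown on this page, so a run in which freshclam has just downloaded a new database is reported as not current until the next run.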
Files larger than around 10MB will usually cause an error from clamav-rest, unless the bootstrap.sh script is modified to include a clamd.timeout in milliseconds.
Please see this commit for details; ministryofjustice/moj-clamav-rest@c9670b6
It's not possible to configure ClamAV using the documented environment variable:
$ docker run -e CLAMD_SETTINGS_CSV="StreamMaxLength=100M" quay.io/ukhomeofficedigital/clamav:v1.5.0
sed: couldn't open temporary file /usr/local/etc/sedTrhZHX: Permission denied
/docker-entrypoint.sh: line 22: /usr/local/etc/clamd.conf: Permission denied
Due to /usr/local/etc/clamd.conf being owned by root instead of clamav.
What we see with v1.5.0
When clamd first starts it's using an old set of virus definitions embedded in the image. Meanwhile freshclam is updating with new definitions and after 30 minutes (default) clamd does a self-check and reloads its database with the new definitions. After this our scanning time of 17MB zip files goes from 11 seconds to 70-80 seconds.
What we see with v1.6.1
The image already has newer definitions embedded (they're pulled as part of the build process) so the scanning times are slow immediately.
The files we're scanning are 17MB in size, containing around 4200 individual XML files.
Hi - I am encountering an issue when I try to use version 102.r3
I have cloned the git repo into VSCODE, and I can build the image, but when I run the container I get
standard_init_linux.go:211: exec user process caused "no such file or directory"
This stops the container - any suggestions on what is causing this? I have not changed any config or scripts (except LF conversion), just taking the current version and trying to spin it up.
When I try to use a persistent volume for clamav database in Kubernetes I have this error from logs
I tried to change Security Context in the Pod to use the right user and group :
securityContext:
  fsGroup: 998
  runAsGroup: 998
  runAsUser: 1000
Sadly it does not work either...
It is clearly a permission issue but I don't know how to solve it....
running
docker build --rm -f "Dockerfile" -t docker-clamav:latest
will fail at step 9
COPY --chown=clamav:clamav eicar.com /
with the error:
COPY failed: stat /var/lib/docker/tmp/docker-builder403330422/eicar.com: no such file or directory
I have tried to look inside the image and there is no eicar file anywhere
Just to add that ClamAV has some known CVEs pre-0.98.7 (http://www.cvedetails.com/vulnerability-list/vendor_id-8871/Clamav.html)
The README indicates a number of configuration options that can be modified using environment variables but looking at the clamd.conf file and the docker-entrypoint.sh script, none of these configuration options is implemented.
Hi,
thanks for this project!
I'm running this container on multiple clusters with multiple replicas and the following messages are filling the logs quite fast:
Tue Mar 24 14:26:17 2020 -> /eicar.com: Win.Test.EICAR_HDB-1 FOUND
Tue Mar 24 14:26:17 2020 -> ~/eicar.com: Win.Test.EICAR_HDB-1 FOUND
They appear whenever the readyness.sh script is called, which is expected I guess.
I tried to disable the logs on a running container by altering the /etc/clamav/clamd.conf and sending SIGHUPs to clamd, but so far without success.
I'd like to know if you can think of a way to make the clamd logs either optional or disable them completely.
If we find a solution, I'd be happy to send in a PR.
Thanks!
Currently, I have ClamAV K8s pod(s) successfully running but am getting tons of errors saying that /host/ and its subdirectories cannot be scanned.
Running with full permissions still causes an "unable to read file/folder" error on everything falling under /host/* ... Is this by design, or are you expecting K8s users to ExcludePath for /host/?
A contributing file is a place for a user to work out how to contribute to a project, and what coding standards, and things they need to do before submitting code. It is also the place you should include a code of conduct, to make sure people know they can be expected to be treated fairly by the project. https://gist.github.com/PurpleBooth/6f1ba788bf70fb501439
When freshclam detects that daily.cld has been updated, it downloads the updates. If I try to scan a file while this is happening, I get a 500 error.
Have you come across this issue, and do you have any mitigations/workarounds/fixes?
Our app supports uploading of up to 50M file size, but since the variable StreamMaxLength is set to 25MB in the configuration file, we are getting the error INSTREAM size limit exceeded. Is there a way to change this value?
I have tried to add an environment variable (CLAMD_SETTINGS_CSV="StreamMaxLength 50M") as the documentation suggested, but it is still not working.
Any clue?
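A pre-flight check for the settings string discussed in this issue, as an added example that is not part of the original post and is not the project's docker-entrypoint.sh. It assumes the comma-separated Key=Value form that the other reports on this page pass in CLAMD_SETTINGS_CSV and the "Key Value" lines they then see in clamd.conf; the function name csv_to_conf is hypothetical.

```shell
#!/bin/sh
# Added example: convert a CLAMD_SETTINGS_CSV-style string into clamd.conf
# lines and reject any entry that is not Key=Value, so that a malformed
# setting is reported instead of being silently dropped or miswritten.

# csv_to_conf CSV -> prints one "Key Value" line per valid entry;
# reports malformed entries on stderr and returns 1 if any were found.
csv_to_conf() {
    rc=0
    old_ifs=$IFS
    IFS=,
    set -f                          # no filename globbing while splitting
    for entry in $1; do
        case $entry in
            [A-Za-z]*=?*)
                key=${entry%%=*}    # text before the first '='
                val=${entry#*=}     # text after the first '='
                case $key in
                    *[!A-Za-z0-9]*)
                        echo "bad option name: '$key'" >&2
                        rc=1 ;;
                    *)
                        printf '%s %s\n' "$key" "$val" ;;
                esac ;;
            *)
                echo "not Key=Value: '$entry'" >&2
                rc=1 ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return $rc
}

# Constructed usage:
#   csv_to_conf "MaxFileSize=300M,StreamMaxLength=50M"   -> two conf lines, exit 0
#   csv_to_conf "StreamMaxLength 50M"                    -> error on stderr, exit 1
```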
The build process is failing on this line "RUN freshclam && \ chown clamav:clamav /var/lib/clamav/*.cvd" with the following message "WARNING: Can't get information about user clamav", even though user and group are getting created correctly.