docker-clamav's Introduction

Docker ClamAV

Docker container for starting a ClamAV daemon.

Getting Started

These instructions will cover how to start a container both in Docker and within a Kubernetes cluster.

Prerequisites

To run this container you'll need Docker installed.

Optionally:

  • A Kubernetes cluster to enable Kubernetes API discovery of other nodes.

Usage

The example below will start a single ClamAV instance.

docker run --name clamav -d -p 3310:3310 quay.io/ukhomeofficedigital/clamav:latest

To use with Kubernetes see the kubernetes examples.

Environment Variables

The variables and the defaults are shown below. By default, the container does not depend on Kubernetes.

  • CLAMD_SETTINGS_CSV="LogVerbose=yes,VirusEvent=/custom_alert.sh" See clamd.conf for more details
    and see ./clamd.conf for the default settings.
    Specify the settings as a CSV of Key=Value pairs (not "Key Value" as in the clamd.conf file), e.g. CLAMD_SETTINGS_CSV='Setting=value'. Note that clamd has already been configured appropriately for a container, but some useful settings include:
    • VirusEvent=/path/to/alert_script.sh If the script is mounted in the container, this provides a custom alert facility
    • LogClean=yes Logs every scan performed
  • FRESHCLAM_SETTINGS_CSV="LogVerbose=yes" See freshclam.conf for more details
    and see ./freshclam.conf for the default settings. It works the same way as CLAMD_SETTINGS_CSV above.
  • UPDATE=true (default) starts the freshclam daemon in the background to watch for updated antivirus definitions
    UPDATE=false waits for the first successful update from a separate sidecar container before starting
  • UPDATE_ONLY=true configures the container as a sidecar and runs the update process in the foreground
    UPDATE_ONLY=false (default) runs clamd and freshclam as normal.
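
One way to turn a Key=Value CSV such as CLAMD_SETTINGS_CSV into clamd.conf "Key Value" lines, as an added example that is not the image's own entrypoint script; the function name apply_settings_csv is hypothetical. It rejects items written as "Key Value" and leaves the file untouched if any item is invalid.

```sh
#!/bin/sh
# Added example, not the image's entrypoint: merge a Key=Value CSV (the
# CLAMD_SETTINGS_CSV format) into a clamd.conf-style file of "Key Value" lines.
# apply_settings_csv is a hypothetical name. Usage:
#   apply_settings_csv "$CLAMD_SETTINGS_CSV" /etc/clamav/clamd.conf
# Returns 0 on success, 1 on a malformed setting, 2 if the file is unusable.
# The file is only rewritten after every item has validated.
apply_settings_csv() (
    csv=$1
    conf=$2
    nl='
'
    if [ ! -f "$conf" ] || [ ! -w "$conf" ]; then
        echo "cannot write $conf" >&2
        exit 2
    fi
    # Work on a copy outside the config directory: only the file itself
    # needs to be writable, not the directory that holds it.
    tmp=$(mktemp) || exit 2
    fail() { echo "$1" >&2; rm -f "$tmp" "$tmp.new"; exit 1; }
    cat "$conf" > "$tmp"

    set -f          # no globbing while splitting the CSV
    IFS=,
    for item in $csv; do
        case $item in
            *=*) ;;
            *) fail "bad setting '$item': expected Key=Value" ;;
        esac
        key=${item%%=*}
        value=${item#*=}
        case $key in
            ''|*[!A-Za-z0-9]*) fail "bad option name in '$item'" ;;
        esac
        case $value in
            ''|*"$nl"*) fail "empty or multi-line value for $key" ;;
        esac
        # Replace any existing line for this option rather than duplicating it.
        { grep -v "^${key}[[:space:]]" "$tmp" || true
          printf '%s %s\n' "$key" "$value"; } > "$tmp.new"
        mv "$tmp.new" "$tmp"
    done

    cat "$tmp" > "$conf"
    rm -f "$tmp"
)
```

Values that themselves contain a comma cannot be expressed in this CSV form.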

Ports

This container exposes:

Contributing

Feel free to submit pull requests and issues. If it's a particularly large PR, you may wish to discuss it in an issue first.

Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.

Versioning

We use SemVer for versioning. For the versions available, see the tags on this repository.

Authors

See also the list of contributors who participated in this project.

License

This project is licensed under the MIT License - see the LICENSE.md file for details.

Acknowledgments

TODO:

  • Ensure the DB access doesn't need to be for user 999 (so the volume can be mounted)...
  • Long startup time, see point above.
  • Add testing for Travis

docker-clamav's Issues

Scanning performance slow for fairly small ZIP files

What we see with v1.5.0

When clamd first starts it's using an old set of virus definitions embedded in the image. Meanwhile freshclam is updating with new definitions and after 30 minutes (default) clamd does a self-check and reloads its database with the new definitions. After this our scanning time of 17MB zip files goes from 11 seconds to 70-80 seconds.

What we see with v1.6.1

The image already has newer definitions embedded (they're pulled as part of the build process) so the scanning times are slow immediately.

The files we're scanning are 17MB in size, containing around 4200 individual XML files.

Freshclam Sidecar not Working

Apparently the documented env vars UPDATE_ONLY and UPDATE are not implemented (anymore?).
Therefore also the example with running a Kubernetes sidecar to refresh the DB doesn't work anymore.
Was this removed intentionally?

Reduce logging for readiness check/clamd

Hi,

thanks for this project!

I'm running this container on multiple clusters with multiple replicas and the following messages are filling the logs quite fast:

Tue Mar 24 14:26:17 2020 -> /eicar.com: Win.Test.EICAR_HDB-1 FOUND
Tue Mar 24 14:26:17 2020 -> ~/eicar.com: Win.Test.EICAR_HDB-1 FOUND

They appear whenever the readyness.sh script is called which is expected I guess.
I tried to disable the logs on a running container by altering the /etc/clamav/clamd.conf and sending SIGHUPs to clamd but so far without success.

I'd like to know if you can think of a way to make the clamd logs either optional or disable them completely.

If we find a solution, I'd be happy to send in a PR.

Thanks!

500 error while clamav is updating

When freshclam detects that daily.cld has been updated, it downloads the updates. If I try to scan a file while this is happening, I get a 500 error.

Have you come across this issue, and do you have any mitigations/workarounds/fixes?

Error while building the image

Sending build context to Docker daemon 23.64MB
Step 1/14 : FROM alpine:3.11
3.11: Pulling from library/alpine
Digest: sha256:9a839e63dad54c3a6d1834e29692c8492d93f90c59c978c1ed79109ea4fb9a54
Status: Image is up to date for alpine:3.11
---> f70734b6a266
Step 2/14 : ENV CLAM_VERSION=0.102.1-r0
---> Using cache
---> abae15b6cdfd
Step 3/14 : RUN apk add --no-cache clamav=$CLAM_VERSION clamav-libunrar=$CLAM_VERSION
---> Running in 05d18cd75e29
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz
ERROR: unsatisfiable constraints:
clamav-0.102.3-r0:
breaks: world[clamav=0.102.1-r0]
clamav-libunrar-0.102.3-r0:
breaks: world[clamav-libunrar=0.102.1-r0]
The command '/bin/sh -c apk add --no-cache clamav=$CLAM_VERSION clamav-libunrar=$CLAM_VERSION' returned a non-zero code: 2

Added support of PUID and PGID

Hello, currently when I try to expose the socket to the local host I always get a permission error. That is because Docker will create the folder as root and the provided user in the container is bound to UID 1000. I have to set 777 or 767 permissions on the folder to avoid this.

Expectation is that created folder is accessible for a container as per defined user.

My compose file:

version: "3.6"
services:
  clamav:
    image: "quay.io/ukhomeofficedigital/clamav:latest"
    container_name: "clamav"
    volumes:
      - ${WORKINGDIR}/clamav/:/var/run/clamav/
    restart: unless-stopped
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - CLAMD_SETTINGS_CSV=MaxFileSize=300M,LogVerbose=yes,PCREMaxFileSize=50M,StreamMaxLength=50M,LocalSocket=/var/run/clamav/clamd.ctl

Error - exec user process caused "no such file or directory"

Hi - I am encountering an issue when I try to use version 102.r3.
I have cloned the git repo into VS Code, and I can build the image, but when I run the container I get

standard_init_linux.go:211: exec user process caused "no such file or directory"

This stops the container - any suggestions on what is causing this? I have not changed any config or scripts (except LF conversion), just taking the current version and trying to spin it up.

Unable to configure ClamAV

It's not possible to configure ClamAV using the documented environment variable:

$ docker run -e CLAMD_SETTINGS_CSV="StreamMaxLength=100M" quay.io/ukhomeofficedigital/clamav:v1.5.0
sed: couldn't open temporary file /usr/local/etc/sedTrhZHX: Permission denied
/docker-entrypoint.sh: line 22: /usr/local/etc/clamd.conf: Permission denied

Due to /usr/local/etc/clamd.conf being owned by root instead of clamav.

Overwrite configuration

Our app supports uploading files of up to 50M, but since the variable StreamMaxLength is set to 25MB in the configuration file, we are getting the error INSTREAM size limit exceeded. Is there a way to change this value?
I have tried to add an environment variable (CLAMD_SETTINGS_CSV="StreamMaxLength 50M") as the documentation suggested, but it is still not working.

Any clue?

Freshclam output changed -

Either the output of freshclam has changed (or was always wrong at the version deployed to prod)...

[root@clamav-2334659081-82n4v /]# freshclam
ClamAV update process started at Mon Mar  6 17:36:01 2017
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cvd is up to date (version: 23177, sigs: 1728734, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 290, sigs: 55, f-level: 63, builder: neo)
[root@clamav-2334659081-82n4v /]# clamdscan eicar.com
/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.056 sec (0 m 0 s)
[root@clamav-2334659081-82n4v /]# /readyness.sh
freshclam not running
[root@clamav-2334659081-82n4v /]# freshclam
ClamAV update process started at Mon Mar  6 17:37:55 2017
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cvd is up to date (version: 23177, sigs: 1728734, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 290, sigs: 55, f-level: 63, builder: neo)
[root@clamav-2334659081-82n4v /]# freshclam | grep -q 'bytecode.cvd is up to date'
[root@clamav-2334659081-82n4v /]# echo $?
1

Essentially bytecode.cvd should be bytecode.cld

Update the check to work appropriately...
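
A sketch of the check this issue asks for, as an added example that is not part of the original issue or the project's readyness.sh; the function name definitions_up_to_date is hypothetical. It matches only the two freshclam line formats that appear on this page ("X is up to date" and "X database is up to date") and accepts either .cvd or .cld for each database.

```sh
#!/bin/sh
# Added example, not the project's readyness.sh. definitions_up_to_date is a
# hypothetical name. It reads freshclam output on stdin, prints "<db>=<version>"
# for main, daily and bytecode, and returns 1 if any of them lacks an
# "is up to date" line. Both .cvd and .cld are accepted, with or without the
# "database" word and the "<timestamp> -> " log prefix.
definitions_up_to_date() {
    out=$(cat)
    for db in main daily bytecode; do
        line=$(printf '%s\n' "$out" |
            grep -E "(^|[[:space:]])${db}\.(cvd|cld)( database)? is up to date" |
            tail -n 1)
        if [ -z "$line" ]; then
            echo "${db}: no 'is up to date' line in freshclam output" >&2
            return 1
        fi
        version=$(printf '%s\n' "$line" |
            sed -n 's/.*(version: \([0-9][0-9]*\),.*/\1/p')
        if [ -z "$version" ]; then
            echo "${db}: could not read a version number" >&2
            return 1
        fi
        printf '%s=%s\n' "$db" "$version"
    done
}
```

Call it as `freshclam | definitions_up_to_date`; a readiness probe only needs the exit status.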

ClamAV Exceptions CoreOS

Currently, I have ClamAV K8s pod(s) successfully running but am getting tons of errors saying that /host/ and its subdirectories cannot be scanned.

Running with full permissions still causes an "unable to read file/folder" error on everything falling under /host/* ... Is this by design, or are you expecting K8s users to ExcludePath for /host/?

Config ignores.

Hey, thanks a lot for a cool package.
I have an issue, I use docker compose:

  clamav:
    image: "quay.io/ukhomeofficedigital/clamav:latest"
    container_name: "clamav"
    ports:
      - "9006:3310"
    restart: unless-stopped
    environment:
      - CLAMD_SETTINGS_CSV=MaxFileSize=300M,LogVerbose=yes,PCREMaxFileSize=50M,StreamMaxLength=50M
      - FRESHCLAM_SETTINGS_CSV=LogVerbose=yes

I can see that config file was updated:

# docker exec clamav cat /etc/clamav/clamd.conf
LogFile /dev/stdout
LogTime yes
LogClean yes
LogSyslog no
DatabaseDirectory /var/lib/clamav
LocalSocket /var/run/clamav/clamd.socket
TCPSocket 3310
Foreground yes
MaxFileSize 300M
LogVerbose yes
PCREMaxFileSize 50M
StreamMaxLength 50M

But I can't see verbose logs and StreamMaxLength was not applied, so I have an error with Nextcloud... Indeed, PCREMaxFileSize and MaxFileSize are correct. Here is some log output.

Thu Apr 16 12:32:37 2020 -> *Current working dir is /var/lib/clamav/,
Thu Apr 16 12:32:37 2020 -> *Querying current.cvd.clamav.net,
Thu Apr 16 12:32:37 2020 -> +++ Started at Thu Apr 16 12:32:37 2020,
Thu Apr 16 12:32:37 2020 -> Received 0 file descriptor(s) from systemd.,
Thu Apr 16 12:32:37 2020 -> clamd daemon 0.102.1 (OS: linux-musl, ARCH: x86_64, CPU: x86_64),
Thu Apr 16 12:32:37 2020 -> Log file size limited to 1048576 bytes.,
Thu Apr 16 12:32:37 2020 -> Reading databases from /var/lib/clamav,
Thu Apr 16 12:32:37 2020 -> Not loading PUA signatures.,
Thu Apr 16 12:32:37 2020 -> Bytecode: Security mode set to "TrustSigned".,
Thu Apr 16 12:32:37 2020 -> *TTL: 697,
Thu Apr 16 12:32:37 2020 -> *fc_dns_query_update_info: Software version from DNS: 0.102.2,
Thu Apr 16 12:32:37 2020 -> ^Your ClamAV installation is OUTDATED!,
Thu Apr 16 12:32:37 2020 -> ^Local version: 0.102.1 Recommended version: 0.102.2,
Thu Apr 16 12:32:37 2020 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav,
Thu Apr 16 12:32:37 2020 -> *Current working dir is /var/lib/clamav/,
Thu Apr 16 12:32:37 2020 -> *check_for_new_database_version: Local copy of daily found: daily.cld.,
Thu Apr 16 12:32:37 2020 -> *query_remote_database_version: daily.cvd version from DNS: 25784,
Thu Apr 16 12:32:37 2020 -> daily.cld database is up to date (version: 25784, sigs: 2267600, f-level: 63, builder: raynman),
Thu Apr 16 12:32:37 2020 -> *fc_update_database: daily.cld already up-to-date.,
Thu Apr 16 12:32:37 2020 -> *Current working dir is /var/lib/clamav/,
Thu Apr 16 12:32:37 2020 -> *check_for_new_database_version: Local copy of main found: main.cvd.,
Thu Apr 16 12:32:37 2020 -> *query_remote_database_version: main.cvd version from DNS: 59,
Thu Apr 16 12:32:37 2020 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr),
Thu Apr 16 12:32:37 2020 -> *fc_update_database: main.cvd already up-to-date.,
Thu Apr 16 12:32:37 2020 -> *Current working dir is /var/lib/clamav/,
Thu Apr 16 12:32:37 2020 -> *check_for_new_database_version: Local copy of bytecode found: bytecode.cvd.,
Thu Apr 16 12:32:37 2020 -> *query_remote_database_version: bytecode.cvd version from DNS: 331,
Thu Apr 16 12:32:37 2020 -> bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg),
Thu Apr 16 12:32:37 2020 -> *fc_update_database: bytecode.cvd already up-to-date.,
Thu Apr 16 12:32:47 2020 -> Loaded 6822011 signatures.,
Thu Apr 16 12:32:50 2020 -> TCP: Bound to [0.0.0.0]:3310,
Thu Apr 16 12:32:50 2020 -> TCP: Setting connection queue length to 200,
Thu Apr 16 12:32:50 2020 -> LOCAL: Unix socket file /var/run/clamav/clamd.socket,
Thu Apr 16 12:32:50 2020 -> LOCAL: Setting connection queue length to 200,
Thu Apr 16 12:32:50 2020 -> Limits: Global time limit set to 120000 milliseconds.,
Thu Apr 16 12:32:50 2020 -> Limits: Global time limit set to 120000 milliseconds.,
Thu Apr 16 12:32:50 2020 -> Limits: Global size limit set to 104857600 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: Global size limit set to 104857600 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: File size limit set to 314572800 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: File size limit set to 314572800 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: Recursion level limit set to 16.,
Thu Apr 16 12:32:50 2020 -> Limits: Recursion level limit set to 16.,
Thu Apr 16 12:32:50 2020 -> Limits: Files limit set to 10000.,
Thu Apr 16 12:32:50 2020 -> Limits: Files limit set to 10000.,
Thu Apr 16 12:32:50 2020 -> Limits: Core-dump limit is 18446744073709551615.,
Thu Apr 16 12:32:50 2020 -> *Limits: Core-dump limit is 18446744073709551615.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxPartitions limit set to 50.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxPartitions limit set to 50.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxIconsPE limit set to 100.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxIconsPE limit set to 100.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxRecHWP3 limit set to 16.,
Thu Apr 16 12:32:50 2020 -> Limits: MaxRecHWP3 limit set to 16.,
Thu Apr 16 12:32:50 2020 -> Limits: PCREMatchLimit limit set to 100000.,
Thu Apr 16 12:32:50 2020 -> Limits: PCREMatchLimit limit set to 100000.,
Thu Apr 16 12:32:50 2020 -> Limits: PCRERecMatchLimit limit set to 2000.,
Thu Apr 16 12:32:50 2020 -> Limits: PCRERecMatchLimit limit set to 2000.,
Thu Apr 16 12:32:50 2020 -> Limits: PCREMaxFileSize limit set to 52428800.,
Thu Apr 16 12:32:50 2020 -> Limits: PCREMaxFileSize limit set to 52428800.,
Thu Apr 16 12:32:50 2020 -> Archive support enabled.,
Thu Apr 16 12:32:50 2020 -> Archive support enabled.,
Thu Apr 16 12:32:50 2020 -> AlertExceedsMax heuristic detection disabled.,
Thu Apr 16 12:32:50 2020 -> AlertExceedsMax heuristic detection disabled.,
Thu Apr 16 12:32:50 2020 -> Heuristic alerts enabled.,
Thu Apr 16 12:32:50 2020 -> Heuristic alerts enabled.,
Thu Apr 16 12:32:50 2020 -> Portable Executable support enabled.,
Thu Apr 16 12:32:50 2020 -> Portable Executable support enabled.,
Thu Apr 16 12:32:50 2020 -> ELF support enabled.,
Thu Apr 16 12:32:50 2020 -> ELF support enabled.,
Thu Apr 16 12:32:50 2020 -> Mail files support enabled.,
Thu Apr 16 12:32:50 2020 -> Mail files support enabled.,
Thu Apr 16 12:32:50 2020 -> OLE2 support enabled.,
Thu Apr 16 12:32:50 2020 -> OLE2 support enabled.,
Thu Apr 16 12:32:50 2020 -> PDF support enabled.,
Thu Apr 16 12:32:50 2020 -> PDF support enabled.,
Thu Apr 16 12:32:50 2020 -> SWF support enabled.,
Thu Apr 16 12:32:50 2020 -> SWF support enabled.,
Thu Apr 16 12:32:50 2020 -> HTML support enabled.,
Thu Apr 16 12:32:50 2020 -> HTML support enabled.,
Thu Apr 16 12:32:50 2020 -> XMLDOCS support enabled.,
Thu Apr 16 12:32:50 2020 -> XMLDOCS support enabled.,
Thu Apr 16 12:32:50 2020 -> HWP3 support enabled.,
Thu Apr 16 12:32:50 2020 -> HWP3 support enabled.,
Thu Apr 16 12:32:50 2020 -> Self checking every 600 seconds.,
Thu Apr 16 12:32:50 2020 -> Self checking every 600 seconds.,
Thu Apr 16 12:32:50 2020 -> Listening daemon: PID: 20,
Thu Apr 16 12:32:50 2020 -> *Listening daemon: PID: 20,
Thu Apr 16 12:32:50 2020 -> MaxQueue set to: 100,
Thu Apr 16 12:32:50 2020 -> *MaxQueue set to: 100,
Thu Apr 16 12:32:50 2020 -> Set stacksize to 1048576,
Thu Apr 16 12:32:50 2020 -> Set stacksize to 1048576,

Cannot build container

running

docker build --rm -f "Dockerfile" -t docker-clamav:latest .

will fail at step 9

COPY --chown=clamav:clamav eicar.com /

with the error:
COPY failed: stat /var/lib/docker/tmp/docker-builder403330422/eicar.com: no such file or directory

I have tried to look inside the image and there is no eicar file anywhere

PersistentVolume in Kubernetes

When I try to use a persistent volume for clamav database in Kubernetes I have this error from logs
image

I tried to change Security Context in the Pod to use the right user and group :

securityContext:
        fsGroup: 998
        runAsGroup: 998
        runAsUser: 1000

Sadly it does not work either...
It is clearly a permission issue but I don't know how to solve it....
