[#1362] Fixed Clamav to be rootless.

drevops · Aug 19, 2024 · 04dbcae · 04dbcae · github-actions · Aug 19, 2024
1 parent a2e1144
commit 04dbcae
Show file tree

Hide file tree

Showing 9 changed files with 93 additions and 11 deletions.
diff --git a/.docker/clamav.dockerfile b/.docker/clamav.dockerfile
@@ -0,0 +1,35 @@
+# ClamAV container.
+#
+# @see https://hub.docker.com/r/clamav/clamav/tags
+#
+# Allow running ClamAV in rootless mode.
+# @see https://github.com/Cisco-Talos/clamav/issues/478
+#
+# hadolint global ignore=DL3018
+#
+# @see https://hub.docker.com/r/uselagoon/commons/tags
+# @see https://github.com/uselagoon/lagoon-images/tree/main/images/commons
+FROM uselagoon/commons:24.7.0 as commons
+
+FROM clamav/clamav:1.4.0
+
+COPY --from=commons /lagoon /lagoon
+COPY --from=commons /bin/fix-permissions /bin/ep /bin/docker-sleep /bin/wait-for /bin/
+
+RUN apk add --no-cache tzdata
+
+COPY .docker/config/clamav/clamav.conf /tmp/clamav.conf
+
+RUN cat /tmp/clamav.conf >> /etc/clamav/clamd.conf && rm /tmp/clamav.conf && \
+    sed -i "s/^LogFile /# LogFile /g" /etc/clamav/clamd.conf && \
+    sed -i "s/^#LogSyslog /LogSyslog /g" /etc/clamav/clamd.conf && \
+    sed -i "s/^UpdateLogFile /# UpdateLogFile /g" /etc/clamav/freshclam.conf && \
+    sed -i "s/^#LogSyslog /LogSyslog /g" /etc/clamav/freshclam.conf
+
+USER root
+
+RUN fix-permissions /var/lib/clamav
+
+USER clamav
+
+ENTRYPOINT [ "/init-unprivileged" ]
diff --git a/.docker/config/clamav/clamav.conf b/.docker/config/clamav/clamav.conf
@@ -0,0 +1,4 @@
+MaxDirectoryRecursion 30
+MaxFileSize 100M
+PCREMaxFileSize 100M
+StreamMaxLength 100M
diff --git a/.scaffold/tests/bats/fixtures/docker-compose.env.json b/.scaffold/tests/bats/fixtures/docker-compose.env.json
@@ -65,6 +65,10 @@
             ]
         },
         "clamav": {
+            "build": {
+                "context": "FIXTURE_CUR_DIR",
+                "dockerfile": ".docker/clamav.dockerfile"
+            },
             "command": null,
             "entrypoint": null,
             "environment": {
@@ -87,7 +91,6 @@
                 "TZ": "Australia/Melbourne",
                 "XDEBUG_ENABLE": ""
             },
-            "image": "clamav/clamav:VERSION",
             "labels": {
                 "lagoon.autogeneratedroute": "false",
                 "lagoon.service.port": "3310",
@@ -404,9 +407,14 @@
         },
         "wait_dependencies": {
             "command": [
-                "mariadb:3306"
+                "mariadb:3306",
+                "clamav:3310"
             ],
             "depends_on": {
+                "clamav": {
+                    "condition": "service_started",
+                    "required": true
+                },
                 "cli": {
                     "condition": "service_started",
                     "required": true

diff --git a/.scaffold/tests/bats/fixtures/docker-compose.env_local.json b/.scaffold/tests/bats/fixtures/docker-compose.env_local.json
@@ -65,6 +65,10 @@
             ]
         },
         "clamav": {
+            "build": {
+                "context": "FIXTURE_CUR_DIR",
+                "dockerfile": ".docker/clamav.dockerfile"
+            },
             "command": null,
             "entrypoint": null,
             "environment": {
@@ -87,7 +91,6 @@
                 "TZ": "Australia/Melbourne",
                 "XDEBUG_ENABLE": ""
             },
-            "image": "clamav/clamav:VERSION",
             "labels": {
                 "lagoon.autogeneratedroute": "false",
                 "lagoon.service.port": "3310",
@@ -404,9 +407,14 @@
         },
         "wait_dependencies": {
             "command": [
-                "mariadb:3306"
+                "mariadb:3306",
+                "clamav:3310"
             ],
             "depends_on": {
+                "clamav": {
+                    "condition": "service_started",
+                    "required": true
+                },
                 "cli": {
                     "condition": "service_started",
                     "required": true

diff --git a/.scaffold/tests/bats/fixtures/docker-compose.env_mod.json b/.scaffold/tests/bats/fixtures/docker-compose.env_mod.json
@@ -65,6 +65,10 @@
             ]
         },
         "clamav": {
+            "build": {
+                "context": "FIXTURE_CUR_DIR",
+                "dockerfile": ".docker/clamav.dockerfile"
+            },
             "command": null,
             "entrypoint": null,
             "environment": {
@@ -87,7 +91,6 @@
                 "TZ": "Australia/Melbourne",
                 "XDEBUG_ENABLE": "1"
             },
-            "image": "clamav/clamav:VERSION",
             "labels": {
                 "lagoon.autogeneratedroute": "false",
                 "lagoon.service.port": "3310",
@@ -404,9 +407,14 @@
         },
         "wait_dependencies": {
             "command": [
-                "mariadb:3306"
+                "mariadb:3306",
+                "clamav:3310"
             ],
             "depends_on": {
+                "clamav": {
+                    "condition": "service_started",
+                    "required": true
+                },
                 "cli": {
                     "condition": "service_started",
                     "required": true

diff --git a/.scaffold/tests/bats/fixtures/docker-compose.noenv.json b/.scaffold/tests/bats/fixtures/docker-compose.noenv.json
@@ -65,6 +65,10 @@
             ]
         },
         "clamav": {
+            "build": {
+                "context": "FIXTURE_CUR_DIR",
+                "dockerfile": ".docker/clamav.dockerfile"
+            },
             "command": null,
             "entrypoint": null,
             "environment": {
@@ -87,7 +91,6 @@
                 "TZ": "Australia/Melbourne",
                 "XDEBUG_ENABLE": ""
             },
-            "image": "clamav/clamav:VERSION",
             "labels": {
                 "lagoon.autogeneratedroute": "false",
                 "lagoon.service.port": "3310",
@@ -404,9 +407,14 @@
         },
         "wait_dependencies": {
             "command": [
-                "mariadb:3306"
+                "mariadb:3306",
+                "clamav:3310"
             ],
             "depends_on": {
+                "clamav": {
+                    "condition": "service_started",
+                    "required": true
+                },
                 "cli": {
                     "condition": "service_started",
                     "required": true

diff --git a/.scaffold/tests/bats/provision.bats b/.scaffold/tests/bats/provision.bats
@@ -134,6 +134,7 @@ assert_provision_info() {
     "@drush -y pm:install admin_toolbar coffee config_split config_update media environment_indicator pathauto redirect shield stage_file_proxy"
     "@drush -y pm:install redis"
     "@drush -y pm:install clamav"
+    "@drush -y config-set clamav.settings mode_daemon_tcpip.hostname clamav"
     "@drush -y pm:install search_api search_api_solr"
     "@drush -y pm:install ys_core ys_search"
     "@drush -y deploy:hook"
@@ -253,6 +254,7 @@ assert_provision_info() {
     "@drush -y pm:install admin_toolbar coffee config_split config_update media environment_indicator pathauto redirect shield stage_file_proxy"
     "@drush -y pm:install redis"
     "@drush -y pm:install clamav"
+    "@drush -y config-set clamav.settings mode_daemon_tcpip.hostname clamav"
     "@drush -y pm:install search_api search_api_solr"
     "@drush -y pm:install ys_core ys_search"
     "@drush -y deploy:hook"
@@ -381,6 +383,7 @@ assert_provision_info() {
     "@drush -y pm:install admin_toolbar coffee config_split config_update media environment_indicator pathauto redirect shield stage_file_proxy"
     "@drush -y pm:install redis"
     "@drush -y pm:install clamav"
+    "@drush -y config-set clamav.settings mode_daemon_tcpip.hostname clamav"
     "@drush -y pm:install search_api search_api_solr"
     "@drush -y pm:install ys_core ys_search"
     "@drush -y deploy:hook"
@@ -513,6 +516,7 @@ assert_provision_info() {
     "@drush -y pm:install admin_toolbar coffee config_split config_update media environment_indicator pathauto redirect shield stage_file_proxy"
     "@drush -y pm:install redis"
     "@drush -y pm:install clamav"
+    "@drush -y config-set clamav.settings mode_daemon_tcpip.hostname clamav"
     "@drush -y pm:install search_api search_api_solr"
     "@drush -y pm:install ys_core ys_search"
     "@drush -y deploy:hook"
@@ -641,6 +645,7 @@ assert_provision_info() {
     "@drush -y pm:install admin_toolbar coffee config_split config_update media environment_indicator pathauto redirect shield stage_file_proxy"
     "@drush -y pm:install redis"
     "@drush -y pm:install clamav"
+    "@drush -y config-set clamav.settings mode_daemon_tcpip.hostname clamav"
     "@drush -y pm:install search_api search_api_solr"
     "@drush -y pm:install ys_core ys_search"
     "@drush -y deploy:hook"
@@ -763,6 +768,7 @@ assert_provision_info() {
     "@drush -y pm:install admin_toolbar coffee config_split config_update media environment_indicator pathauto redirect shield stage_file_proxy"
     "@drush -y pm:install redis"
     "@drush -y pm:install clamav"
+    "@drush -y config-set clamav.settings mode_daemon_tcpip.hostname clamav"
     "@drush -y pm:install search_api search_api_solr"
     "@drush -y pm:install ys_core ys_search"
     "@drush -y deploy:hook"
@@ -892,6 +898,7 @@ assert_provision_info() {
     "@drush -y pm:install admin_toolbar coffee config_split config_update media environment_indicator pathauto redirect shield stage_file_proxy"
     "@drush -y pm:install redis"
     "@drush -y pm:install clamav"
+    "@drush -y config-set clamav.settings mode_daemon_tcpip.hostname clamav"
     "@drush -y pm:install search_api search_api_solr"
     "@drush -y pm:install ys_core ys_search"
     "@drush -y deploy:hook"

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -200,7 +200,9 @@ services:
 
   #;< CLAMAV
   clamav:
-    image: clamav/clamav:1.4.0
+    build:
+      context: .
+      dockerfile: .docker/clamav.dockerfile
     ports:
       - "3310" # Find port on host with `docker-compose port clamav 3310`.
     environment:
@@ -210,7 +212,7 @@ services:
     #;< LAGOON
     labels:
       lagoon.type: basic
-      lagoon.service.port: 3310
+      lagoon.service.port: 3310 # See https://docs.lagoon.sh/using-lagoon-advanced/service-types/
       lagoon.autogeneratedroute: false
     #;> LAGOON
   #;> CLAMAV
@@ -235,7 +237,8 @@ services:
     depends_on:
       - cli
       - mariadb
-    command: mariadb:3306
+      - clamav
+    command: mariadb:3306 clamav:3310
     #;< LAGOON
     labels:
       lagoon.type: none # Do not deploy in Lagoon.

diff --git a/scripts/custom/provision-10-example.sh b/scripts/custom/provision-10-example.sh
@@ -39,6 +39,7 @@ if echo "${DREVOPS_PROVISION_ENVIRONMENT:-}" | grep -q -e dev -e test -e ci -e l
 
   #;< CLAMAV
   drush pm:install clamav
+  drush config-set clamav.settings mode_daemon_tcpip.hostname clamav
   #;> CLAMAV
 
   #;< SOLR