Merge #2982

2982: Switch to upstream's clamav image r=mergify[bot] a=nextgens ## What type of PR? enhancement ## What does this PR do? Switch to upstream's clamav image. The only downside is that it doesn't support armv7... but odds are it won't have enough RAM anyway. Why do we want this? - faster build times - will be easier to upgrade - less maintenance required for us - it may fix the CI tests failing because of clamav/EICAR not getting caught - it will save bandwidth (as we won't re-download the definitions from fresh: they are in the base image) - it puts clamav on its own network (security) ### Related issue(s) - close #2059 ## Prerequisites Before we can consider review and merge, please make sure the following list is done and checked. If an entry in not applicable, you can check it or remove it from the list. - [ ] In case of feature or enhancement: documentation updated accordingly - [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file. Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2024-12-04 10:24:41 +02:00 · 2023-10-17 09:41:49 +00:00 · 2023-10-17 09:41:49 +00:00 · d0d4876a85
commit d0d4876a85
parent 0441903361 98e1142bea
11 changed files with 47 additions and 169 deletions
--- a/.github/workflows/build_test_deploy.yml
+++ b/.github/workflows/build_test_deploy.yml
@ -474,7 +474,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        target: ["setup", "docs", "fetchmail", "webmail", "admin", "traefik-certdumper", "radicale", "clamav", "rspamd", "oletools", "postfix", "dovecot", "unbound", "nginx"]
+        target: ["setup", "docs", "fetchmail", "webmail", "admin", "traefik-certdumper", "radicale", "rspamd", "oletools", "postfix", "dovecot", "unbound", "nginx"]
    steps:
      - uses: actions/checkout@v3
      - name: Retrieve global variables
--- a/optional/clamav/Dockerfile
+++ b/optional/clamav/Dockerfile
@ -1,22 +0,0 @@
-# syntax=docker/dockerfile-upstream:1.4.3
-
-# clamav image
-FROM base
-
-ARG VERSION=local
-LABEL version=$VERSION
-
-RUN set -euxo pipefail \
-  ; apk add --no-cache clamav clamav-libunrar rsyslog wget
-
-COPY conf/ /etc/clamav/
-COPY start.py /
-
-RUN echo $VERSION >/version
-
-#EXPOSE 3310/tcp
-HEALTHCHECK CMD kill -0 `cat /run/clamd.pid` && kill -0 `cat /run/freshclam.pid`
-
-VOLUME ["/data"]
-
-CMD /start.py
--- a/optional/clamav/README.md
+++ b/optional/clamav/README.md
@ -1,12 +0,0 @@
-Mailu ClamAV container
-======================
-
-ClamAV is an open source antivirus engine for detecting trojans, viruses,
-malware & other malicious threats.
-
-Resources
---------
-
- * [Report issues](https://github.com/Mailu/Mailu/issues) and
-    [send Pull Requests](https://github.com/Mailu/Mailu/pulls)
-    in the [main Mailu repository](https://github.com/Mailu/Mailu)
--- a/optional/clamav/conf/clamd.conf
+++ b/optional/clamav/conf/clamd.conf
@ -1,56 +0,0 @@
-###############
-# General
-###############
-
-DatabaseDirectory /data
-TemporaryDirectory /tmp
-LogTime yes
-PidFile /run/clamd.pid
-LocalSocket /tmp/clamd.sock
-TCPSocket 3310
-Foreground yes
-
-###############
-# Results
-###############
-
-DetectPUA yes
-ExcludePUA NetTool
-ExcludePUA PWTool
-HeuristicAlerts yes
-Bytecode yes
-
-###############
-# Scan
-###############
-
-ScanPE yes
-DisableCertCheck yes
-ScanELF yes
-AlertBrokenExecutables yes
-ScanOLE2 yes
-ScanPDF yes
-ScanSWF yes
-ScanMail yes
-PhishingSignatures yes
-PhishingScanURLs yes
-ScanHTML yes
-ScanArchive yes
-
-###############
-# Scan
-###############
-
-MaxScanSize 150M
-MaxFileSize 30M
-MaxRecursion 10
-MaxFiles 15000
-MaxEmbeddedPE 10M
-MaxHTMLNormalize 10M
-MaxHTMLNoTags 2M
-MaxScriptNormalize 5M
-MaxZipTypeRcg 1M
-MaxPartitions 128
-MaxIconsPE 200
-PCREMatchLimit 10000
-PCRERecMatchLimit 10000
--- a/optional/clamav/conf/freshclam.conf
+++ b/optional/clamav/conf/freshclam.conf
@ -1,18 +0,0 @@
-###############
-# General
-###############
-
-DatabaseDirectory /data
-UpdateLogFile /dev/stdout
-LogTime yes
-PidFile /run/freshclam.pid
-DatabaseOwner root
-
-###############
-# Updates
-###############
-
-DatabaseMirror database.clamav.net
-ScriptedUpdates yes
-NotifyClamd /etc/clamav/clamd.conf
-Bytecode yes
--- a/optional/clamav/start.py
+++ b/optional/clamav/start.py
@ -1,21 +0,0 @@
-#!/usr/bin/env python3
-
-import os
-import logging as logger
-import sys
-from socrate import system
-
-system.set_env(log_filters=r'SelfCheck: Database status OK\.$')
-
-# Bootstrap the database if clamav is running for the first time
-if not os.path.isfile("/data/main.cvd"):
-    logger.info("Starting primary virus DB download")
-    os.system("freshclam")
-
-# Run the update daemon
-logger.info("Starting the update daemon")
-os.system("freshclam -d -c 6")
-
-# Run clamav
-logger.info("Starting clamav")
-os.system("clamd")
--- a/setup/flavors/compose/docker-compose.yml
+++ b/setup/flavors/compose/docker-compose.yml
@ -143,7 +143,7 @@ services:
        tag: mailu-oletools
    restart: always
    networks:
-      - noinet
+      - oletools
    depends_on:
    {% if resolver_enabled %}
      - resolver
@ -186,10 +186,13 @@ services:
      driver: journald
      options:
        tag: mailu-antispam
-{% if oletools_enabled %}
    networks:
      - default
-      - noinet
+{% if oletools_enabled %}
+      - oletools
+{% endif %}
+{% if antivirus_enabled %}
+      - clamav
 {% endif %}
    volumes:
      - "{{ root }}/filter:/var/lib/rspamd"
@ -212,17 +215,22 @@ services:
  # Optional services
  {% if antivirus_enabled %}
  antivirus:
-    image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}clamav:${MAILU_VERSION:-{{ version }}}
+    image: clamav/clamav-debian:1.2.0-6
    restart: always
-    env_file: {{ env }}
+    logging:
+      driver: journald
+      options:
+        tag: mailu-clamav
+    networks:
+      - clamav
    volumes:
-      - "{{ root }}/filter:/data"
-    {% if resolver_enabled %}
-    depends_on:
-      - resolver
-    dns:
-      - {{ dns }}
-    {% endif %}
+      - "{{ root }}/filter/clamav:/var/lib/clamav"
+    healthcheck:
+      test: ["CMD-SHELL", "kill -0 `cat /tmp/clamd.pid` && kill -0 `cat /tmp/freshclam.pid`"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
  {% endif %}

  {% if webdav_enabled %}
@ -289,8 +297,12 @@ networks:
  webmail:
    driver: bridge
 {% endif %}
+{% if antivirus_enabled %}
+  clamav:
+    driver: bridge
+{% endif %}
 {% if oletools_enabled %}
-  noinet:
+  oletools:
    driver: bridge
    internal: true
 {% endif %}
--- a/tests/build-ci.hcl
+++ b/tests/build-ci.hcl
@ -49,7 +49,6 @@ group "default" {

    "webmail",

-    "antivirus",
    "fetchmail",
    "resolver",
    "traefik-certdumper",
@ -207,15 +206,6 @@ target "webmail" {
 # -----------------------------------------------------------------------------------------
 # Optional images
 # -----------------------------------------------------------------------------------------
-target "antivirus" {
-  inherits = ["defaults"]
-  context = "optional/clamav/"
-  contexts = {
-    base = "docker-image://${DOCKER_ORG}/base:${MAILU_VERSION}"
-  }
-  tags = tag("clamav")
-}
-
 target "fetchmail" {
  inherits = ["defaults"]
  context = "optional/fetchmail/"
--- a/tests/build.hcl
+++ b/tests/build.hcl
@ -45,7 +45,6 @@ group "default" {

    "webmail",

-    "antivirus",
    "fetchmail",
    "resolver",
    "traefik-certdumper",
@ -201,15 +200,6 @@ target "webmail" {
 # -----------------------------------------------------------------------------------------
 # Optional images
 # -----------------------------------------------------------------------------------------
-target "antivirus" {
-  inherits = ["defaults"]
-  context = "optional/clamav/"
-  contexts = {
-    base = "target:base"
-  }
-  tags = tag("clamav")
-}
-
 target "fetchmail" {
  inherits = ["defaults"]
  context = "optional/fetchmail/"
--- a/tests/compose/filters/docker-compose.yml
+++ b/tests/compose/filters/docker-compose.yml
@ -70,7 +70,7 @@ services:
    hostname: oletools
    restart: always
    networks:
-      - noinet
+      - oletools

  antispam:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-local}
@ -78,7 +78,8 @@ services:
    env_file: mailu.env
    networks:
      - default
-      - noinet
+      - oletools
+      - clamav
    volumes:
      - "/mailu/filter:/var/lib/rspamd"
      - "/mailu/dkim:/dkim"
@ -88,11 +89,22 @@ services:

  # Optional services
  antivirus:
-    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}clamav:${MAILU_VERSION:-local}
+    image: clamav/clamav-debian:1.2.0-6
    restart: always
-    env_file: mailu.env
+    logging:
+      driver: journald
+      options:
+        tag: mailu-clamav
+    networks:
+      - clamav
    volumes:
-      - "/mailu/filter:/data"
+      - "/mailu/filter/clamav:/var/lib/clamav"
+    healthcheck:
+      test: ["CMD-SHELL", "kill -0 `cat /tmp/clamd.pid` && kill -0 `cat /tmp/freshclam.pid`"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 10s

  resolver:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-local}
@ -112,6 +124,8 @@ networks:
      driver: default
      config:
        - subnet: 192.168.203.0/24
-  noinet:
+  clamav:
+    driver: bridge
+  oletools:
    driver: bridge
    internal: true
--- a/towncrier/newsfragments/2059.misc
+++ b/towncrier/newsfragments/2059.misc
@ -0,0 +1 @@
+Switch to upstream's clamav image