diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index fdf50050ca..0000000000
--- a/Dockerfile
+++ /dev/null
@@ -1,117 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0-or-later
-#
-# Copyright (C) 2020 Olliver Schinagl
-# Copyright (C) 2021-2022 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
-
-# hadolint ignore=DL3007 latest is the latest stable for alpine
-FROM index.docker.io/library/alpine:latest AS builder
-
-WORKDIR /src
-
-COPY . /src/
-
-# hadolint ignore=DL3008 We want the latest stable versions
-RUN apk add --no-cache \
- bsd-compat-headers \
- bzip2-dev \
- check-dev \
- cmake \
- curl-dev \
- file \
- fts-dev \
- g++ \
- git \
- json-c-dev \
- libmilter-dev \
- libtool \
- libxml2-dev \
- linux-headers \
- make \
- ncurses-dev \
- openssl-dev \
- pcre2-dev \
- py3-pytest \
- zlib-dev \
- rust \
- cargo \
- && \
- mkdir -p "./build" && cd "./build" && \
- cmake .. \
- -DCMAKE_BUILD_TYPE="Release" \
- -DCMAKE_INSTALL_PREFIX="/usr" \
- -DCMAKE_INSTALL_LIBDIR="/usr/lib" \
- -DAPP_CONFIG_DIRECTORY="/etc/clamav" \
- -DDATABASE_DIRECTORY="/var/lib/clamav" \
- -DENABLE_CLAMONACC=OFF \
- -DENABLE_EXAMPLES=OFF \
- -DENABLE_JSON_SHARED=ON \
- -DENABLE_MAN_PAGES=OFF \
- -DENABLE_MILTER=ON \
- -DENABLE_STATIC_LIB=OFF && \
- make DESTDIR="/clamav" -j$(($(nproc) - 1)) install && \
- rm -r \
- "/clamav/usr/include" \
- "/clamav/usr/lib/pkgconfig/" \
- && \
- sed -e "s|^\(Example\)|\# \1|" \
- -e "s|.*\(PidFile\) .*|\1 /run/lock/clamd.pid|" \
- -e "s|.*\(LocalSocket\) .*|\1 /run/clamav/clamd.sock|" \
- -e "s|.*\(TCPSocket\) .*|\1 3310|" \
- -e "s|.*\(TCPAddr\) .*|#\1 0.0.0.0|" \
- -e "s|.*\(User\) .*|\1 clamav|" \
- -e "s|^\#\(LogFile\) .*|\1 /var/log/clamav/clamd.log|" \
- -e "s|^\#\(LogTime\).*|\1 yes|" \
- "/clamav/etc/clamav/clamd.conf.sample" > "/clamav/etc/clamav/clamd.conf" && \
- sed -e "s|^\(Example\)|\# \1|" \
- -e "s|.*\(PidFile\) .*|\1 /run/lock/freshclam.pid|" \
- -e "s|.*\(DatabaseOwner\) .*|\1 clamav|" \
- -e "s|^\#\(UpdateLogFile\) .*|\1 /var/log/clamav/freshclam.log|" \
- -e "s|^\#\(NotifyClamd\).*|\1 /etc/clamav/clamd.conf|" \
- -e
"s|^\#\(ScriptedUpdates\).*|\1 yes|" \ - "/clamav/etc/clamav/freshclam.conf.sample" > "/clamav/etc/clamav/freshclam.conf" && \ - sed -e "s|^\(Example\)|\# \1|" \ - -e "s|.*\(PidFile\) .*|\1 /run/lock/clamav-milter.pid|" \ - -e "s|.*\(MilterSocket\) .*|\1 inet:7357|" \ - -e "s|.*\(User\) .*|\1 clamav|" \ - -e "s|^\#\(LogFile\) .*|\1 /var/log/clamav/milter.log|" \ - -e "s|^\#\(LogTime\).*|\1 yes|" \ - -e "s|.*\(\ClamdSocket\) .*|\1 unix:/run/clamav/clamd.sock|" \ - "/clamav/etc/clamav/clamav-milter.conf.sample" > "/clamav/etc/clamav/clamav-milter.conf" || \ - exit 1 && \ - ctest -V - -FROM index.docker.io/library/alpine:latest - -LABEL maintainer="ClamAV bugs " - -EXPOSE 3310 -EXPOSE 7357 - -ENV TZ Etc/UTC - -RUN apk add --no-cache \ - fts \ - json-c \ - libbz2 \ - libcurl \ - libltdl \ - libmilter \ - libstdc++ \ - libxml2 \ - ncurses-libs \ - pcre2 \ - tini \ - tzdata \ - zlib \ - && \ - addgroup -S "clamav" && \ - adduser -D -G "clamav" -h "/var/lib/clamav" -s "/bin/false" -S "clamav" && \ - install -d -m 755 -g "clamav" -o "clamav" "/var/log/clamav" - -COPY --from=builder "/clamav" "/" -COPY "./dockerfiles/clamdcheck.sh" "/usr/local/bin/" -COPY "./dockerfiles/docker-entrypoint.sh" "/init" - -HEALTHCHECK --start-period=6m CMD "clamdcheck.sh" - -ENTRYPOINT [ "/init" ] diff --git a/INSTALL.md b/INSTALL.md index c707bf6744..1e8ddabe68 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -58,11 +58,6 @@ configuration options. ## Known Issues / To-do's: -- The newest LLVM version supported is 3.6.2. We ran out of time during 0.104 - development to add support for newer versions of LLVM. - The bytecode interpreter is therefore the default option for the bytecode - signature runtime in this release. - - Complete the `MAINTAINER_MODE` option to generate jsparse files with GPerf. - The test suite will fail to run if you have `pytest` from Python2 installed 
@@ -93,7 +88,6 @@ For Maintainer-mode only (not recommended): - Flex - Bison - Gperf -- Rust bindgen ### External Library Dependencies @@ -160,7 +154,7 @@ mkdir build && cd build ## CMake Basics -CMake isn't actually a built system. It's a meta-build system. In other words, +CMake isn't actually a build system. It is a meta-build system. In other words, CMake is a build system *generator*. On Unix systems, CMake generates Makefiles by default, just like Autotools. diff --git a/NEWS.md b/NEWS.md index 7e89126b16..c8591d328e 100644 --- a/NEWS.md +++ b/NEWS.md @@ -7,6 +7,13 @@ differ slightly from third-party binary packages. ClamAV 0.105.2 is a critical patch release with the following fixes: +- Moved the ClamAV Docker files for building containers to a new Git repository. + The Docker files are now in https://github.com/Cisco-Talos/clamav-docker. + This change enables us to fix issues with the images and with the supporting + scripts used to publish and update the images without committing changes + directly to files in the ClamAV release branches. + - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/765 + ## 0.105.1 ClamAV 0.105.1 is a critical patch release with the following fixes: diff --git a/README.Docker.md b/README.Docker.md index 4ea95d78ba..f8a731019a 100644 --- a/README.Docker.md +++ b/README.Docker.md 
@@ -35,7 +35,19 @@ You can use the `unstable` version (i.e. `clamav/clamav:unstable` or While it is recommended to pull the image from our [Docker Hub registry](https://hub.docker.com/u/clamav/clamav), some may want -to build the image locally instead. All that is needed is: +to build the image locally instead. + +To do this, you will need to get the `Dockerfile` and the supporting `scripts/` +directory from the +[clamav-docker Git repository](https://github.com/Cisco-Talos/clamav-docker). +Be sure to select the correct one for this ClamAV release. + +> _Tip_: For unreleased ClamAV versions, such as when building from the `main` +> git branch, you should select the files from the +> `clamav-docker/clamav/unstable/` directory. + +Place the `Dockerfile` and `scripts/` directory in the ClamAV source directory. +Then you can build the image. For example, run: ```bash docker build --tag "clamav:TICKET-123" . ``` diff --git a/dockerfiles/clamdcheck.sh b/dockerfiles/clamdcheck.sh deleted file mode 100755 index e7e53a65f5..0000000000 --- a/dockerfiles/clamdcheck.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/sh - -set -eu - -if [ "${CLAMAV_NO_CLAMD:-}" != "false" ]; then - if [ "$(echo "PING" | nc localhost 3310)" != "PONG" ]; then - echo "ERROR: Unable to contact server" - exit 1 - fi - - echo "Clamd is up" -fi - -exit 0 diff --git a/dockerfiles/docker-entrypoint.sh b/dockerfiles/docker-entrypoint.sh deleted file mode 100755 index c7508f0ec5..0000000000 --- a/dockerfiles/docker-entrypoint.sh +++ /dev/null 
@@ -1,83 +0,0 @@
-#!/sbin/tini /bin/sh
-# SPDX-License-Identifier: GPL-2.0-or-later
-#
-# Copyright (C) 2021 Olliver Schinagl
-# Copyright (C) 2021-2022 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
-#
-# A beginning user should be able to docker run image bash (or sh) without
-# needing to learn about --entrypoint
-# https://github.com/docker-library/official-images#consistency
-
-set -eu
-
-if [ ! -d "/run/clamav" ]; then
- install -d -g "clamav" -m 775 -o "clamav" "/run/clamav"
-fi
-
-# Assign ownership to the database directory, just in case it is a mounted volume
-chown -R clamav:clamav /var/lib/clamav
-
-# run command if it is not starting with a "-" and is an executable in PATH
-if [ "${#}" -gt 0 ] && \
- [ "${1#-}" = "${1}" ] && \
- command -v "${1}" > "/dev/null" 2>&1; then
- # Ensure healthcheck always passes
- CLAMAV_NO_CLAMD="true" exec "${@}"
-else
- if [ "${#}" -ge 1 ] && \
- [ "${1#-}" != "${1}" ]; then
- # If an argument starts with "-" pass it to clamd specifically
- exec clamd "${@}"
- fi
- # else default to running clamav's servers
-
- # Help tiny-init a little
- mkdir -p "/run/lock"
- ln -f -s "/run/lock" "/var/lock"
-
- # Ensure we have some virus data, otherwise clamd refuses to start
- if [ ! -f "/var/lib/clamav/main.cvd" ]; then
- echo "Updating initial database"
- freshclam --foreground --stdout
- fi
-
- if [ "${CLAMAV_NO_CLAMD:-false}" != "true" ]; then
- echo "Starting ClamAV"
- if [ -S "/run/clamav/clamd.sock" ]; then
- unlink "/run/clamav/clamd.sock"
- fi
- clamd --foreground &
- while [ ! -S "/run/clamav/clamd.sock" ]; do
- if [ "${_timeout:=0}" -gt "${CLAMD_STARTUP_TIMEOUT:=1800}" ]; then
- echo
- echo "Failed to start clamd"
- exit 1
- fi
- printf "\r%s" "Socket for clamd not found yet, retrying (${_timeout}/${CLAMD_STARTUP_TIMEOUT}) ..."
- sleep 1
- _timeout="$((_timeout + 1))"
- done
- echo "socket found, clamd started."
- fi
-
- if [ "${CLAMAV_NO_FRESHCLAMD:-false}" != "true" ]; then
- echo "Starting Freshclamd"
- freshclam \
- --checks="${FRESHCLAM_CHECKS:-1}" \
- --daemon \
- --foreground \
- --stdout \
- --user="clamav" \
- &
- fi
-
- if [ "${CLAMAV_NO_MILTERD:-true}" != "true" ]; then
- echo "Starting clamav milterd"
- clamav-milter &
- fi
-
- # Wait forever (or until canceled)
- exec tail -f "/dev/null"
-fi
-
-exit 0
diff --git a/dockerfiles/update_db_image.sh b/dockerfiles/update_db_image.sh
deleted file mode 100755
index 6dfc2a5612..0000000000
--- a/dockerfiles/update_db_image.sh
+++ /dev/null
@@ -1,153 +0,0 @@
-#!/bin/sh
-# SPDX-License-Identifier: GPL-2.0-or-later
-#
-# Copyright (C) 2021 Olliver Schinagl
-# Copyright (C) 2021-2022 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
-
-set -eu
-
-DEF_CLAMAV_DOCKER_IMAGE="clamav/clamav"
-DEF_DOCKER_REGISTRY="registry.hub.docker.com"
-
-
-usage()
-{
- echo "Usage: ${0} [OPTIONS]"
- echo "Update docker images with latest clamav database."
- echo " -h Print this usage"
- echo " -i Image to use to use (default: '${DEF_CLAMAV_DOCKER_IMAGE}') [CLAMAV_DOCKER_IMAGE]"
- echo " -p Password for docker registry (file or string) [CLAMAV_DOCKER_PASSWD]"
- echo " -r Registry to use to push docker images to (default: '${DEF_DOCKER_REGISTRY}') [DOCKER_REGISTRY]"
- echo " -t Tag(s) to update (default: all tags)"
- echo " -u Username for docker registry [CLAMAV_DOCKER_USER]"
- echo
- echo "Options that can also be passed in environment variables listed between [BRACKETS]."
-}
-
-init()
-{
- if [ -z "${clamav_docker_user:-}" ] ||
- [ -z "${clamav_docker_passwd:-}" ]; then
- echo "No username or password set, skipping login"
- return
- fi
-
- docker --version
-
- if [ -f "${clamav_docker_passwd}" ]; then
- _passwd="$(cat "${clamav_docker_passwd}")"
- fi
- echo "${_passwd:-${clamav_docker_passwd}}" | \
- docker login \
- --password-stdin \
- --username "${clamav_docker_user}" \
- "${docker_registry}"
-}
-
-cleanup()
-{
- if [ -z "${clamav_docker_user:-}" ]; then
- echo "No username set, skipping logout"
- return
- fi
-
- docker logout "${docker_registry:-}"
-}
-
-docker_tags_get()
-{
- if [ -n "${clamav_docker_tags:-}" ]; then
- return
- fi
-
- _tags="$(wget -q -O - "https://${docker_registry}/v1/repositories/${clamav_docker_image}/tags" |
- sed -e 's|[][]||g' -e 's|"||g' -e 's| ||g' | \
- tr '}' '\n' | \
- sed -n -e 's|.*name:\(.*\)$|\1|p')"
-
- for _tag in ${_tags}; do
- if [ "${_tag%%_base}" != "${_tag}" ]; then
- clamav_docker_tags="${_tag} ${clamav_docker_tags:-}"
- fi
- done
-}
-
-clamav_db_update()
-{
- if
[ -z "${clamav_docker_tags:-}" ]; then - echo "No tags to update with, cannot continue." - exit 1 - fi - - for _tag in ${clamav_docker_tags}; do - { - echo "FROM ${docker_registry}/${clamav_docker_image}:${_tag}" - echo "RUN freshclam --foreground --stdout && rm /var/lib/clamav/freshclam.dat || rm /var/lib/clamav/mirrors.dat || true" - } | docker image build --pull --rm --tag "${docker_registry}/${clamav_docker_image}:${_tag%%_base}" - - docker image push "${docker_registry}/${clamav_docker_image}:${_tag%%_base}" - done -} - -main() -{ - _start_time="$(date "+%s")" - - while getopts ":hi:p:r:t:u:" _options; do - case "${_options}" in - h) - usage - exit 0 - ;; - i) - clamav_docker_image="${OPTARG}" - ;; - p) - clamav_docker_passwd="${OPTARG}" - ;; - r) - docker_registry="${OPTARG}" - ;; - t) - clamav_docker_tag="${OPTARG}" - ;; - u) - clamav_docker_user="${OPTARG}" - ;; - :) - e_err "Option -${OPTARG} requires an argument." - exit 1 - ;; - ?) - e_err "Invalid option: -${OPTARG}" - exit 1 - ;; - esac - done - shift "$((OPTIND - 1))" - - clamav_docker_image="${clamav_docker_image:-${CLAMAV_DOCKER_IMAGE:-${DEF_CLAMAV_DOCKER_IMAGE}}}" - clamav_docker_passwd="${clamav_docker_passwd:-${CLAMAV_DOCKER_PASSWD:-}}" - clamav_docker_tag="${clamav_docker_tag:-}" - clamav_docker_user="${clamav_docker_user:-${CLAMAV_DOCKER_USER:-}}" - docker_registry="${docker_registry:-${DOCKER_REGISTRY:-${DEF_DOCKER_REGISTRY}}}" - - init - - docker_tags_get - clamav_db_update - - echo "===============================================================================" - echo "Build report for $(date -u)" - echo - echo "Updated database for image tags ..." - echo "${clamav_docker_tags:-}" - echo - echo "... successfully in $(($(date "+%s") - _start_time)) seconds" - echo "===============================================================================" - - cleanup -} - -main "${@}" - -exit 0