feat(clamav): clamav arm64 support using debian based image #4483
Signed-off-by: Jonathan Joewono <[email protected]> Signed-off-by: jogerj <[email protected]> Signed-off-by: Jonathan Joewono <[email protected]>
I would maybe add |
Also |
hadolint reports DL3006 but it's a false positive due to arg-generated image name. See hadolint/hadolint#979. We can fix this with:

```dockerfile
# hadolint ignore=DL3006
FROM build-${TARGETARCH}
```

BuildKit should already resolve this value so we don't need to redefine this. docker/buildx#574 (comment)

TODO

So for amd64, it will retain its current behavior with alpine images but for arm64 this will be based off debian image
all-in-one/php/templates/containers.twig Line 600 in 9736a77
didn't know that, but for RUN steps it seems to be needed

Honestly, I am still not sure about this. I am wondering if we should rather go the Mailcow way: https://github.com/mailcow/mailcow-dockerized/blob/master/data/Dockerfiles/clamd/Dockerfile because of security and size concerns. However this would put the maintenance on our burden. So both possibilities are not great imho...

yes I would also prefer downloading clamav from alpine, but that would remove version pinning

mailcow is GPLv3 licensed -> should be compatible to Nextcloud if we choose to reuse and modify it.

it seems adding this breaks a different hadolint rule DL3029, although I'm not sure if this should be added as exception.
can be ignored
It seems that clamav-docker maintainers refuse to add alpine arm64 images. If we fully commit to just use clamav-debian images, the changes would've been very minimal. Size delta is ~60MB while security wise it's just as good imo.

```dockerfile
# syntax=docker/dockerfile:latest
# Probably from this file: https://github.com/Cisco-Talos/clamav-docker/blob/main/clamav/1.3/debian/Dockerfile
FROM clamav/clamav-debian:1.3.0-24

COPY clamav.conf /tmp/clamav.conf

# DL3008 warning: Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`
# hadolint ignore=DL3008
RUN set -ex; \
    apt-get update; \
    apt-get install --no-install-recommends -y \
        tzdata \
    ; \
    rm -vrf /var/lib/apt/lists/*; \
    cat /tmp/clamav.conf >> /etc/clamav/clamd.conf; \
    rm /tmp/clamav.conf; \
    mkdir -p /var/run/clamav /run/lock; \
    chown -R clamav:clamav /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock; \
    chmod 777 -R /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock /tmp

VOLUME /var/lib/clamav

USER clamav

LABEL com.centurylinklabs.watchtower.enable="false"
```

P.S. I experienced issues when building the image on my Windows machine. I would recommend adding
Solves #4223
Implementation based on docker/buildx#805 (comment)
edit: sorry for force pushes, not used to using DCO and needed a couple retries
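
The per-architecture stage selection discussed in this thread, as an added example that is not the PR's own Dockerfile: it shows `TARGETARCH` being resolved in `FROM` without a declaration, and needing `ARG TARGETARCH` inside a stage before `RUN` can read it. The `clamav/clamav` Alpine image name, the `CLAMAV_ALPINE_TAG` build argument (a placeholder to be passed with `--build-arg`) and the `/etc/build-arch` path are assumptions, not taken from the page.

```dockerfile
# syntax=docker/dockerfile:latest
# Added example, not the PR's code.
# CLAMAV_ALPINE_TAG is a placeholder: pass the pinned tag with
#   --build-arg CLAMAV_ALPINE_TAG=<tag>
ARG CLAMAV_ALPINE_TAG

# amd64 keeps an Alpine-based image (image name is an assumption).
FROM clamav/clamav:${CLAMAV_ALPINE_TAG} AS build-amd64
RUN apk add --no-cache tzdata

# arm64 uses the Debian-based image named in the thread.
FROM clamav/clamav-debian:1.3.0-24 AS build-arm64
# DL3008: tzdata is left unpinned, as in the Dockerfile quoted in the thread.
# hadolint ignore=DL3008
RUN set -ex; \
    apt-get update; \
    apt-get install --no-install-recommends -y tzdata; \
    rm -rf /var/lib/apt/lists/*

# BuildKit predefines TARGETARCH in the global scope, so this FROM line
# needs no ARG declaration. BuildKit only builds the stage that matches;
# any other architecture fails because no build-<arch> stage exists.
# DL3006 is a false positive here: the name refers to a stage, not an image.
# hadolint ignore=DL3006
FROM build-${TARGETARCH}

# Inside a stage the predefined value is not visible until it is redeclared.
# Without this line, ${TARGETARCH} expands to an empty string in RUN.
ARG TARGETARCH
# /etc/build-arch is a hypothetical marker file recording the selected stage.
RUN set -ex; \
    test -n "${TARGETARCH}"; \
    echo "${TARGETARCH}" > /etc/build-arch

VOLUME /var/lib/clamav

USER clamav
```

Building with `docker buildx build --platform linux/arm64 .` resolves only the `build-arm64` stage, so the Alpine tag is not needed for that platform.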