Seafile and Virus scan with Clamav

Hey everybody,
I’ve been trying to bind docker clamav in the seafile container. I put the two containers together with a docker-compose.yml. But now I’m unsure which command to put in the seahub_settings under virus scan.

Can anyone give me a hint?

Because Seafile need to call clamav program, it is not possible to run the clamav in another container while using it from Seafile container.

The recommended way is to install calmav in Seafile container and build a new Docker image.

I am also investigating this, as running a separate clamd container would allow to run virus-scans as regular (non-root) user, along with other advantages that come with microservices.

ClamAV architecture should allow for this microservice approach, although i did not get it to work with seafile; the way i (tried to) run it is as follows:

On docker-compose.yml, i added another container av:

services:
  av:
    image: mailu/clamav
    container_name: seafile-clamav
    networks:
      - seafile-net

Also extended seafile image, to include clamdscan package, with a simple Dockerfile:

FROM docker.seadrive.org/seafileltd/seafile-pro-mc:latest
RUN apt update && apt install -y clamdscan

Created a file /shared/seafile/conf/clamd.remote.conf (path within seafile container):

TCPSocket 3310
TCPAddr av

Appended the virus_scan section in /shared/seafile/conf/seafile.conf:

[virus_scan]
scan_command = clamdscan -c /shared/seafile/conf/clamd.remote.conf --fdpass --stream
virus_code = 1
nonvirus_code = 0
scan_interval = 5
#scan_size_limit = (size limit for files to be scanned) in MB
scan_size_limit = 20
#scan_skip_ext = (a comma (',') separated list of file extensions to be ignored)
#scan_skip_ext = .bmp, .gif, .ico, .png, .jpg, .mp3, .mp4, .wav, .avi, .rmvb, .mkv
#(number of concurrent threads for scan, one thread for one file, default to 4)
threads = 2

I have verified that this clamav architecture is functioning, but i cannot get it to work with seafile. When running a clamdscan from the command line, it works fine, e.g.:

$ clamdscan -c /shared/seafile/conf/clamd.remote.conf /etc/group
/etc/group: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.014 sec (0 m 0 s)

When i attempt to run pro/pro.py virsu_scan command, i get error messages such as:

[10/07/2019 13:45:11] [WARNING] Virus scan for file /seafile-tutorial.doc encounter error: [Errno 2] No such file or directory.
[10/07/2019 13:45:11] [DEBUG] File /seafile-tutorial.doc virus scan by clamdscan -c /shared/seafile/conf/clamd.remote.conf: Failed.

Any ideas on how to proceed with this?

What is fdpass supposed to do?

For me it looks like the file is searched for in the wrong path

Hi,

Thank you for the reply.

My initial test was in the simplest form, ie:

scan_command = clamdscan -c /shared/seafile/conf/clamd.remote.conf

Then i tried different permutations of the command, including one or both of these command-line options (–fdpass and/or --stream), just in case they would help. Alas, they do not seem to make a difference.

Actually the error log provided is from an attempt without these two command-line flags (–stream and --fdpass).

BR,
George

I finally got it to work, simply by changing the scan_command to plain clamdscan (without the options) and moving /shared/seafile/conf/clamd.remote.conf to /etc/clamav/clamd.conf.

Clamd now runs on the av container, completely seperate from the seafile container, where only clamdscan is installed.

3 Likes

Old but gold, sorry for hijacking this thread. nice that i found it here and thanks to @g30
should be noted in documentation