
Possible to use clamdscan to scan a file on the clamd host?
Hello,

I've recently been experimenting with using the recently built ClamAV Docker image in a Kubernetes deployment.
We want to utilize the ClamAV container in our deployment alongside a basic server application running in a separate pod.
We think the ideal pattern would be to have the ClamAV container running clamd in its own pod with its client running in a separate pod. The idea would be to


1. Mount a volume for scanning into both the ClamAV container and the client container
2. Package clamdscan in the Docker image for the client pod
3. Whenever a file is uploaded to the client pod:
* Move that file to the mounted volume (which is mounted in both the ClamAV container and the client container)
* Use clamdscan from the client container to remotely tell clamd in the ClamAV container to scan the new file in the shared volume

At the moment, it seems that whenever I try to use clamdscan to tell clamd to scan the volume contents from its container, clamdscan simply defaults to streaming the file contents from the client container to the ClamAV container.
I would assume that if no mode is specified, clamdscan will default to streaming the file contents to the TCP port if it's on a remote "host" (in this case, a separate pod).

Preferably, we would like to use clamdscan to tell clamd to scan the mounted volume contents from its container, not through a stream from the client. Is that possible?

Hopefully this question is appropriate for this mailing list. If not, I'll post it to GitHub. Thanks!

Regards,
Nathan Choate
Re: Possible to use clamdscan to scan a file on the clamd host?
Thanks for the quick response!

My apologies, I wasn't trying to get too hung up on the details of the deployment. I was just trying to give some sort of background as to why I'm asking this question.
In short, the main question I was hoping to get clarification on was:

If clamdscan is on Host A and clamd is on Host B, can you configure clamdscan to tell clamd to scan a file on Host B?

However, since you're interested and you brought up some good points, let me try and address them.

> It isn't obvious to me that a "networked" volume is better than streaming the
> file to the clamd VM/server/pod/host.

The deployment will be in AWS, and the mounted volume would be from EFS.
My understanding of EFS is that while it can still be considered a "network mounted volume", it's about as close as you can get to having a volume on the physical machine while still being "network mounted" (i.e. the I/O performance on an EFS mount is comparable to a volume on the physical machine).

> It isn't obvious to me that clamd would have privilege to access the file as it
> may not be running as root and even root@clamdserver may not have
> privileged access to the volume.

The users running the clamd pod and the file server (client) pod would have the same UID:GID combination.
When it comes to Docker and Kubernetes mounts, I believe that's all that is necessary to ensure that clamd would have proper permissions on the files that the file server pod would create in the shared volume.
However, we're still in the early, experimental stages, so we would need to confirm that.

> How do you ensure that the two pods have synchronized views of the file
> (especially as it is new) ?

Kubernetes should be able to handle this pretty well.
Worst case, we could implement some retry logic if we get an error from clamd when we don't expect to.

Thanks again!

P.S. Please let me know if the format of this response email doesn't follow mailing list etiquette. This is my first time posting to such a list.

Regards,
Nathan Choate


> -----Original Message-----
> From: Andrew C Aitchison <andrew@aitchison.me.uk>
> Sent: Friday, September 10, 2021 9:54 AM
> To: Choate, Nathan via clamav-users <clamav-users@lists.clamav.net>
> Cc: Choate, Nathan (DI SW LCS CF SEPL BS SM)
> <nathan.choate@siemens.com>
> Subject: Re: [clamav-users] Possible to use clamdscan to scan a file on the
> clamd host?
>
> On Fri, 10 Sep 2021, Choate, Nathan via clamav-users wrote:
>
> > Hello,
> >
> > I've recently been experimenting with using the recently built ClamAV
> Docker image in a Kubernetes deployment.
> > We want to utilize the ClamAV container in our deployment alongside a
> basic server application running in a separate pod.
> > We think the ideal pattern would be to have the ClamAV container running
> clamd in its own pod with its client running in a separate pod.
>
> I agree that having your application and clamd running in different pods is a
> good idea.
>
> Beyond that, this is an interesting question that I cannot really answer and
> only have more questions.
>
> > The idea would be to
> >
> > 1. Mount a volume for scanning into both the ClamAV container and
> > the client container 2. Package clamdscan in the Docker image for
> > the client pod 3. Whenever a file is uploaded to the client pod:
> > * Move that file to the mounted volume (which is mounted in both the
> ClamAV container and the client container)
> > * Use clamdscan from the client container to remotely tell clamd in the
> ClamAV container to scan the new file in the shared volume
> >
> > At the moment, it seems that whenever I try to use clamdscan to tell clamd
> to scan the volume contents from its container, clamdscan simply defaults to
> streaming the file contents from the client container to the ClamAV
> container.
> > I would assume that if no mode is specified, clamdscan will default to
> streaming the file contents to the TCP port if it's on a remote "host" (in this
> case, a separate pod).
> >
> > Preferably, we would like to use clamdscan to tell clamd to scan the
> mounted volume contents from its container, not through a stream from the
> client. Is that possible?
>
> It isn't obvious to me that a "networked" volume is better than streaming the
> file to the clamd VM/server/pod/host.
>
> It isn't obvious to me that clamd would have privilege to access the file as it
> may not be running as root and even root@clamdserver may not have
> privileged access to the volume.
>
> How do you ensure that the two pods have synchronized views of the file
> (especially as it is new) ?
>
> clamd has some caching (I do not know the details) and IIUC can optimize
> scanning the same file from clients on multiple hosts.
>
> I don't really understand the point of moving (or even copying) the file to a
> common volume. Since it is a new file (at least as seen by the shared volume)
> the bits will have to be sent from the client to the file server and then to the
> clamd server; streaming the file only requires one transfer and two logical
> machines.
>
>
> --
> Andrew C. Aitchison Kendal, UK
> andrew@aitchison.me.uk

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: Possible to use clamdscan to scan a file on the clamd host?
Choate, Nathan via clamav-users wrote:
> Hello,
>
> I've recently been experimenting with using the recently built ClamAV
> Docker image in a Kubernetes deployment.
>
> We want to utilize the ClamAV container in our deployment alongside a
> basic server application running in a separate pod.
>
> We think the ideal pattern would be to have the ClamAV container running
> clamd in its own pod with its client running in a separate pod. The idea
> would be to
>
> 1. Mount a volume for scanning into both the ClamAV container and the
> client container
> 2. Package clamdscan in the Docker image for the client pod
> 3. Whenever a file is uploaded to the client pod:
> 1. Move that file to the mounted volume (which is mounted in both
> the ClamAV container and the client container)
> 2. Use clamdscan from the client container to remotely tell clamd
> in the ClamAV container to scan the new file in the shared volume
>
> At the moment, it seems that whenever I try to use clamdscan to tell
> clamd to scan the volume contents from its container, clamdscan simply
> defaults to streaming the file contents from the client container to the
> ClamAV container.
>
> I would assume that if no mode is specified, clamdscan will default to
> streaming the file contents to the TCP port if it's on a remote "host"
> (in this case, a separate pod).
>
> Preferably, we would like to use clamdscan to tell clamd to scan the
> mounted volume contents from its container, not through a stream from
> the client. Is that possible?

clamdscan can either pass a file descriptor to clamd (in which case
clamdscan must be "local" to clamd), or it can stream the file over a
socket.

There's no mechanism I've ever seen a hint of to tell a remote clamd to
scan some arbitrary file on its local filesystem.

Since you're using containers instead of full VMs there may be some dark
art to allow passing a file descriptor across containers, but IMO at
first thought that seems to defeat the whole point of using them.

-kgd

Re: Possible to use clamdscan to scan a file on the clamd host?
Hi there,

On Fri, 10 Sep 2021, Choate, Nathan via clamav-users wrote:

> ... we would like to use clamdscan to tell clamd to scan the
> mounted volume contents from its container, not through a stream from the
> client. Is that possible?

Yes, using the clamd API. Here's a cut-n-paste of me doing exactly
that on our clamd server by connecting to it from my laptop:

8<----------------------------------------------------------------------
laptop3:~$ >>> telnet 192.168.44.7 3313
Trying 192.168.44.7...
Connected to 192.168.44.7.
Escape character is '^]'.
SCAN /home/ged/tempfile
/home/ged/tempfile: OK
Connection closed by foreign host.
8<----------------------------------------------------------------------

HTH

--

73,
Ged.
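An added example, not code from any of the posts above: a minimal Python client that speaks the two clamd commands this thread contrasts, SCAN (clamd opens the path on its own filesystem, which is what Ged's telnet session does) and INSTREAM (the streaming mode clamdscan falls back to for a remote clamd, as kgd describes). The host name "clamd", port 3310 and the /scan mount path are assumptions.

```python
from __future__ import annotations
import socket
import struct

# clamd commands: a 'z' prefix means the command and its reply are NUL-terminated
# (Ged's telnet session used the plain newline-terminated form of SCAN).

def build_scan_command(path: str) -> bytes:
    # SCAN makes clamd open the path on *its own* filesystem, so in the shared-volume
    # design this must be the path as mounted inside the clamd container.
    return b"zSCAN " + path.encode() + b"\0"

def build_instream(data: bytes, chunk_size: int = 4096) -> bytes:
    # INSTREAM is what clamdscan falls back to for a remote clamd: the bytes travel over
    # the socket as <4-byte big-endian length><chunk>..., ended by a zero-length chunk.
    parts = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        parts.append(struct.pack("!I", len(chunk)) + chunk)
    parts.append(struct.pack("!I", 0))
    return b"".join(parts)

def parse_reply(reply: bytes) -> tuple[str, str, str | None]:
    # Replies look like "<path>: OK", "<path>: <sig> FOUND" or "<path>: <msg> ERROR";
    # INSTREAM replies use "stream" as the path. Returns (path, status, detail).
    text = reply.rstrip(b"\0\n").decode(errors="replace")
    path, _, verdict = text.partition(": ")
    if verdict == "OK":
        return path, "OK", None
    for status in ("FOUND", "ERROR"):
        if verdict.endswith(" " + status):
            return path, status, verdict[: -len(status) - 1]
    raise ValueError(f"unexpected clamd reply: {text!r}")

def clamd_request(host: str, port: int, payload: bytes, timeout: float = 60.0) -> bytes:
    # One command per connection; read until the NUL that terminates a 'z' reply.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        buf = b""
        while b"\0" not in buf:
            data = sock.recv(4096)
            if not data:
                break
            buf += data
        return buf

if __name__ == "__main__":
    # Assumed values: clamd reachable as host "clamd" on 3310 (clamd's default port)
    # with the shared volume mounted at /scan inside the clamd container.
    print(parse_reply(clamd_request("clamd", 3310, build_scan_command("/scan/upload.bin"))))
```

Whichever path is passed to SCAN, clamd resolves it inside its own container, so the client must send the path as the clamd pod sees the shared volume, not as the client pod sees it.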

Re: Possible to use clamdscan to scan a file on the clamd host?
> 8<----------------------------------------------------------------------
> laptop3:~$ >>> telnet 192.168.44.7 3313
> Trying 192.168.44.7...
> Connected to 192.168.44.7.
> Escape character is '^]'.
> SCAN /home/ged/tempfile
> /home/ged/tempfile: OK
> Connection closed by foreign host.
> 8<----------------------------------------------------------------------
>

This is exactly what I needed. Thanks for the help!

Regards,
Nathan Choate


> -----Original Message-----
> From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of
> G.W. Haywood via clamav-users
> Sent: Friday, September 10, 2021 2:32 PM
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Cc: G.W. Haywood <clamav@jubileegroup.co.uk>
> Subject: Re: [clamav-users] Possible to use clamdscan to scan a file on the
> clamd host?
