Closed robaca closed 6 months ago
Hi @robaca, I created a build with a non-root user. Can you test it?
docker pull ajilaag/clamav-rest:sha-b49b795
This image does not start clamav at all:
sed: can't create temp file '/etc/clamav/clamd.confXXXXXX': Permission denied
sed: can't create temp file '/etc/clamav/clamd.confXXXXXX': Permission denied
sed: can't create temp file '/etc/clamav/clamd.confXXXXXX': Permission denied
...
tee: /var/log/clamav/clamav.log: Permission denied
ERROR: Can't open /var/log/clamav/clamd.log in append mode (check permissions!).
ERROR: Can't initialize the internal logger
Starting clamav rest bridge
Connecting to clamd on tcp://localhost:3310
clamD not running, waiting times [1]
ERROR: Can't save PID to file /run/clamav/freshclam.pid: Permission denied
clamD not running, waiting times [2]
clamD not running, waiting times [3]
clamD not running, waiting times [4]
...
Error getting clamd version: dial tcp [::1]:3310: connect: connection refused
As podman is docker cli compatible, you should be able to test it even without podman installed.
I can confirm that this image did not work at all. I removed the latest build for this reason. Unfortunately, I do not have the capacity to explore this further at the moment, but please feel free to submit a PR. I have created the branch https://github.com/ajilach/clamav-rest/tree/44-non-root-support if you want to work on the updated Dockerfile.
Hi @davosian, I created a draft PR #45 with my changes. The resulting docker image works successfully in our environment with a readonly filesystem and mounted volumes for writing (see docker-compose-nonroot.yml example).
As of May 20th, the builds include non-root support. Thanks for the PR, @robaca
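The `sed` errors in the log above come from in-place editing: the temp file `clamd.confXXXXXX` is created next to the target, so the non-root user needs write access to `/etc/clamav` itself, not just to the file. As an added example (not the project's entrypoint and not the code from PR #45), this POSIX shell script checks the directories named in that log and renders an override to a writable path instead; the function names and the temp-dir demo are hypothetical.

```shell
#!/bin/sh
# Added example, not the project's entrypoint. Function names are hypothetical.

# Print every directory the current uid cannot create files in; return 1 if any.
# sed -i, tee and the PID file all need to create files in the directory itself,
# so the directory is tested, not an existing file inside it.
unwritable_dirs() {
    rc=0
    for d in "$@"; do
        if [ ! -d "$d" ] || [ ! -w "$d" ]; then
            echo "$d"
            rc=1
        fi
    done
    return $rc
}

# Apply one "Key value" override without sed -i: read the config shipped in
# the image and write the result to a path on a writable volume.
# Only rewrites an existing (possibly commented-out) line; key and value must
# not contain '|', which is used as the sed delimiter.
render_conf() {
    src=$1 dst=$2 key=$3 val=$4
    sed "s|^#\{0,1\}[[:space:]]*${key}[[:space:]].*|${key} ${val}|" "$src" > "$dst"
}

# Constructed demo: a stand-in config in a temp dir, not the real /etc/clamav.
demo=$(mktemp -d)
printf '#MaxFileSize 25M\nLogFile /var/log/clamav/clamd.log\n' > "$demo/clamd.conf"
render_conf "$demo/clamd.conf" "$demo/rendered.conf" MaxFileSize 100M
cat "$demo/rendered.conf"
unwritable_dirs "$demo" "$demo/not-mounted" || echo "^ needs a writable volume"

# In a container start script the check would be run on the paths from the log:
#   unwritable_dirs /etc/clamav /var/log/clamav /run/clamav
```

With a read-only root filesystem the first function reports all three log paths unless a writable volume is mounted at each; `clamd` can then be pointed at the rendered file with `--config-file`.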
We want to use the docker container in non-root mode with alternative uid/gid. It would be great if the docker image would support that. Currently it seems that it simply cannot apply env vars when started: