truenas / apps

GNU Lesser General Public License v3.0

ClamAV No Longer Mounts Additional Storage #863

Closed ryant1911 closed 1 day ago

ryant1911 commented 3 days ago

I noticed today that my ClamAV scans were no longer scanning any files. After investigating further, I found that the additional storage options I set up are no longer being mounted in the container. The form choices (i.e. ClamAV Signature Database Storage, ClamAV Scan Directory Storage) mount inside the container just fine. I'm not exactly sure when this changed, but I know I did not have this issue last week. I'm currently running Electric Eel 24.10.0.2 and ClamAV 1.2.3.

Here are the mounts from inside the container via docker exec -it ix-clamav-clamav-1 df -h:

root@Truenas[/mnt/.ix-apps]# docker exec -it ix-clamav-clamav-1 df -h
Filesystem                Size      Used Available Use% Mounted on
overlay                   4.1T      7.1G      4.1T   0% /
tmpfs                    64.0M         0     64.0M   0% /dev
shm                      64.0M         0     64.0M   0% /dev/shm
Vault15-SSD/ix-apps/app_mounts/clamav/scandir
                          4.1T    128.0K      4.1T   0% /scandir
Vault15-SSD/ix-apps/docker
                          4.1T      7.1G      4.1T   0% /tmp
Vault15-SSD/ix-apps/docker
                          4.1T      7.1G      4.1T   0% /etc/resolv.conf
Vault15-SSD/ix-apps/docker
                          4.1T      7.1G      4.1T   0% /etc/hostname
Vault15-SSD/ix-apps/docker
                          4.1T      7.1G      4.1T   0% /etc/hosts
Vault15-SSD/ix-apps/app_mounts/clamav/sigdb
                          4.1T    275.1M      4.1T   0% /var/lib/clamav
tmpfs                    62.2G         0     62.2G   0% /proc/asound
tmpfs                    62.2G         0     62.2G   0% /proc/acpi
tmpfs                    64.0M         0     64.0M   0% /proc/kcore
tmpfs                    64.0M         0     64.0M   0% /proc/keys
tmpfs                    64.0M         0     64.0M   0% /proc/timer_list
tmpfs                    62.2G         0     62.2G   0% /sys/firmware
tmpfs                    62.2G         0     62.2G   0% /sys/devices/virtual/powercap

This is the clamav section of user_config.yaml:

clamav:
  clamav:
    additional_envs: []
    clamd_startup_timeout: 1800
    disable_clamd: false
    disable_freshclamd: false
    disable_milterd: true
    freshclamd_checks: 1
  ix_certificate_authorities: {}
  ix_certificates: {}
  ix_context:
    app_metadata:
      app_version: 1.1.2-2
      capabilities:
      - description: ClamAV is able to chown files.
        name: CHOWN
      - description: ClamAV is able bypass permission checks for it's sub-processes.
        name: FOWNER
      - description: ClamAV is able to bypass permission checks.
        name: DAC_OVERRIDE
      - description: ClamAV is able to set group ID for it's sub-processes.
        name: SETGID
      - description: ClamAV is able to set user ID for it's sub-processes.
        name: SETUID
      categories:
      - security
      description: ClamAV is an open source (GPLv2) anti-virus toolkit.
      home: https://www.clamav.net/
      host_mounts: []
      icon: https://media.sys.truenas.net/apps/clamav/icons/icon.png
      keywords:
      - anti-virus
      - clamav
      last_update: '2024-11-08 17:16:20'
      lib_version: 2.0.14
      lib_version_hash: f087629cfb83792ce81c34d5a18ccc4a92cc07de00db507916ab0f7ee4492645
      maintainers:
      - email: dev@ixsystems.com
        name: truenas
        url: https://www.truenas.com/
      name: clamav
      run_as_context:
      - description: ClamAV runs as root user.
        gid: 0
        group_name: root
        uid: 0
        user_name: root
      screenshots: []
      sources:
      - https://docs.clamav.net/
      - https://www.clamav.net/
      title: ClamAV
      train: community
      version: 1.2.3
    app_name: clamav
    is_install: false
    is_rollback: false
    is_update: true
    is_upgrade: false
    operation: UPDATE
    upgrade_metadata: {}
  ix_volumes:
    etc_clamav: /mnt/.ix-apps/app_mounts/clamav/etc_clamav
    scandir: /mnt/.ix-apps/app_mounts/clamav/scandir
    sigdb: /mnt/.ix-apps/app_mounts/clamav/sigdb
  labels: []
  network:
    clamd_port: 30005
    host_network: false
    milterd_port: 30006
  release_name: clamav
  resources:
    limits:
      cpus: 2
      memory: 4096
  storage:
    additional_storage:
    - ix_volume_config:
        acl_enable: false
        dataset_name: etc_clamav
      mount_path: /etc/clamav
      read_only: false
      type: ix_volume
    - host_path_config:
        acl_enable: false
        path: /mnt/Vault15
      mount_path: /scandir/Vault15
      read_only: false
      type: host_path
    - host_path_config:
        acl_enable: false
        path: /mnt/Vault15-SSD
      mount_path: /scandir/Vault15-SSD
      read_only: false
      type: host_path
    scandir:
      ix_volume_config:
        acl_enable: false
        dataset_name: scandir
      type: ix_volume
    sigdb:
      ix_volume_config:
        acl_enable: false
        dataset_name: sigdb
      type: ix_volume

Thanks in advance for any assistance here. I'm open to other suggestions or troubleshooting to try. It's quite possible it's something I've done, but I'm at a loss as to what that could be.

ryant1911 commented 3 days ago

Again, I'm not 100% sure but I suspect my problem might have been introduced with #749 / #812. I see that was pushed 4 days ago. I also see ix-dev/community/clamav/templates/docker-compose.yaml was changed quite a bit as part of the commits.

ryant1911 commented 3 days ago

Looking at some of the other apps' docker-compose.yaml templates, I think we need something similar to this code:

{% for store in values.storage.additional_storage %}
  {% do c1.add_storage(store.mount_path, store) %}
{% endfor %}

When I add that manually to the /mnt/.ix-apps/truenas_catalog/trains/community/clamav/1.2.3/templates/docker-compose.yaml, my container deploys successfully with additional storage mounts present.

root@Truenas[/mnt/.ix-apps]# docker exec -it ix-clamav-test-clamav-1 df -h
Filesystem                Size      Used Available Use% Mounted on
overlay                   4.1T      7.1G      4.1T   0% /
tmpfs                    64.0M         0     64.0M   0% /dev
shm                      64.0M         0     64.0M   0% /dev/shm
Vault15-SSD/ix-apps/app_mounts/clamav-test/scandir
                          4.1T    128.0K      4.1T   0% /scandir
Vault15-SSD/ix-apps/docker
                          4.1T      7.1G      4.1T   0% /tmp
Vault15-SSD/ix-apps/app_mounts/clamav-test/etc_clamav
                          4.1T    256.0K      4.1T   0% /etc/clamav
Vault15                  35.2T      1.0M     35.2T   0% /mnt/vault15
Vault15/NFS              35.2T    512.0K     35.2T   0% /mnt/vault15/NFS
Vault15/NVR              35.2T     20.5M     35.2T   0% /mnt/vault15/NVR
Vault15/Archive          35.2T    384.0K     35.2T   0% /mnt/vault15/Archive
Vault15/Temp             35.2T    384.0K     35.2T   0% /mnt/vault15/Temp
Vault15-SSD               4.1T    384.0K      4.1T   0% /scandir/vault15-ssd
Vault15-SSD/Private       4.1T      6.3G      4.1T   0% /scandir/vault15-ssd/Private
Vault15-SSD/Public        4.2T     48.9G      4.1T   1% /scandir/vault15-ssd/Public
tmpfs                    62.2G         0     62.2G   0% /proc/asound
tmpfs                    62.2G         0     62.2G   0% /proc/acpi
tmpfs                    64.0M         0     64.0M   0% /proc/kcore
tmpfs                    64.0M         0     64.0M   0% /proc/keys
tmpfs                    64.0M         0     64.0M   0% /proc/timer_list
tmpfs                    62.2G         0     62.2G   0% /sys/firmware
tmpfs                    62.2G         0     62.2G   0% /sys/devices/virtual/powercap

ryant1911 commented 1 day ago

Thanks @stavros-k !
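
A check for the failure reported in this thread, as an added example that is not part of the original issue or of the TrueNAS apps code: it parses the container's `df -h` output (including the rows that busybox wraps onto two lines) and reports which configured `mount_path` values are not actual mount points, so a scanner that silently lost its scan targets is caught. The function names `parse_df` and `missing_mounts` are hypothetical, and the sample is abridged from the first `df -h` output above.

```python
import re
import sys

# Abridged from the first `df -h` output in this issue; busybox df wraps
# long filesystem names onto their own line.
DF_OUTPUT = """\
Filesystem                Size      Used Available Use% Mounted on
overlay                   4.1T      7.1G      4.1T   0% /
tmpfs                    64.0M         0     64.0M   0% /dev
Vault15-SSD/ix-apps/app_mounts/clamav/scandir
                          4.1T    128.0K      4.1T   0% /scandir
Vault15-SSD/ix-apps/app_mounts/clamav/sigdb
                          4.1T    275.1M      4.1T   0% /var/lib/clamav
"""

# mount_path values from storage.additional_storage in the user_config.yaml above.
EXPECTED = ["/etc/clamav", "/scandir/Vault15", "/scandir/Vault15-SSD"]

# One data row: optional filesystem, size, used, available, use%, mount point.
_ROW = re.compile(r"^(?P<fs>\S+)?\s+\S+\s+\S+\s+\S+\s+\d+%\s+(?P<mp>/.*)$")


def parse_df(text):
    """Return {mount_point: filesystem}, rejoining rows wrapped by busybox df."""
    mounts, pending = {}, None
    for line in text.splitlines()[1:]:  # skip the header row
        if not line.strip():
            continue
        m = _ROW.match(line)
        if m is None:
            pending = line.strip()  # filesystem name alone on its line
            continue
        mounts[m.group("mp").rstrip()] = m.group("fs") or pending
        pending = None
    return mounts


def missing_mounts(df_text, expected):
    """Expected paths that are not mount points themselves.

    A path under a mounted parent (/scandir/Vault15 under /scandir) does not
    count: the directory would exist but only expose the empty parent dataset.
    """
    mounted = parse_df(df_text)
    return [p for p in expected if p not in mounted]


if __name__ == "__main__":
    missing = missing_mounts(DF_OUTPUT, EXPECTED)
    for path in missing:
        print(f"NOT MOUNTED: {path}")
    sys.exit(1 if missing else 0)
```

Run against live output, the same functions can gate a scheduled scan so it fails loudly instead of completing with zero files scanned.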