
How can the official image be included as a layer in another dockerfile and how can clamav be executed?

Open red8888 opened this issue 3 years ago • 4 comments

I'm trying to run clamav and an application that connects to clamav in the same container.

My docker file looks like this to start:

FROM me.com/myapp AS build
WORKDIR /app
RUN build myapp

FROM clamav/clamav AS clamav

I started and execed in to see if I could run clamav. I ran /init but it is not working:

/init 
[WARN  tini (10)] Tini is not running as PID 1 and isn't registered as a child subreaper.
Zombie processes will not be re-parented to Tini, so zombie reaping won't work.
To fix the problem, use the -s option or set the environment variable TINI_SUBREAPER to register Tini as a child subreaper, or run Tini as PID 1.
Starting ClamAV
Socket for clamd not found yet, retrying (0/1800) ...LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************
Socket for clamd not found yet, retrying (109/1800) ...

I looked at the entrypoint but I'm unclear on how to manually start clamav in the container.

red8888 Feb 10 '22 16:02

Sorry I don't have an answer for you. I haven't tested this myself. Does anyone else have experience using the clamav/clamav image as a base image?

val-ms Feb 17 '22 21:02

(sorry for non-answer, just sharing experiences and pain).

I can't talk about using the same container but I highly suggest composing an application of multiple running containers instead of packing too many components into one container/image. Worst case is when one of the tech stacks / components switches base image (e.g. different OS - that broke me once and made me regret using a database image as base layer).

I have had fairly good success using it in docker-compose for local development/testing together with application containers and running multiple services, and deploying it to Kubernetes via a Helm chart (with the exception that it requires PodSecurityPolicy exceptions for clusters with a restrictive default policy, since the image is not able to run as a non-root user). In Kubernetes one could also create a Pod with multiple containers in it that have access to a shared volume for disk usage; this is what you would use for scanning e.g. data directories. (We, however, expose the TCP interface as a service for other workloads in the cluster that submit files to it.)

dasMulli Feb 18 '22 09:02

I agree with @dasMulli

ClamAV itself should run as an extra container and you may want to use it via a proxy.

What is your use case?

mko-x Feb 18 '22 20:02

I am running into a similar issue. In my case I am trying to deploy to Heroku. Heroku logs show this error:

2022-09-19T19:07:30.301586+00:00 heroku[web.1]: Starting process with command `/init`
2022-09-19T19:07:31.274660+00:00 app[web.1]: [WARN tini (3)] Tini is not running as PID 1 and isn't registered as a child subreaper.
2022-09-19T19:07:31.274670+00:00 app[web.1]: Zombie processes will not be re-parented to Tini, so zombie reaping won't work.
2022-09-19T19:07:31.274670+00:00 app[web.1]: To fix the problem, use the -s option or set the environment variable TINI_SUBREAPER to register Tini as a child subreaper, or run Tini as PID 1.
2022-09-19T19:07:31.283544+00:00 app[web.1]: install: unknown user clamav

Update: I ended up switching to deploy on Linode. Fired up a box with docker and then for those who might benefit from an example, I ran:

docker pull clamav/clamav:0.105.1
docker volume create clam_db
docker run --interactive --tty --restart=always --name "clam_container_01" \
    --publish 3310:3310 \
    --publish 7357:7357 \
    --mount source=clam_db,target=/var/lib/clamav \
    --env 'CLAMAV_NO_FRESHCLAMD=true' \
    clamav/clamav:0.105.1

This runs the clamav docker container with ports 7357 and 3310 exposed. It sets the docker container to automatically restart when the Linode is restarted, and it keeps the virus definitions in a volume called clam_db.

jfbloom22 Sep 19 '22 19:09
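
With clamd running in its own container and port 3310 published as in the command above, an application can submit data over TCP using clamd's INSTREAM command. The following is an added example, not code from this thread or from the ClamAV project; the function names and the default host 127.0.0.1 are assumptions.

```python
import socket
import struct

def frame_instream(data: bytes, chunk_size: int = 8192) -> bytes:
    """Encode data as one clamd INSTREAM request (null-terminated 'z' form)."""
    parts = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        # Each chunk: 4-byte big-endian length, then the bytes.
        parts.append(struct.pack("!I", len(chunk)) + chunk)
    parts.append(struct.pack("!I", 0))  # zero-length chunk ends the stream
    return b"".join(parts)

def parse_reply(reply: bytes):
    """Map clamd's reply to ('OK' | 'FOUND' | 'ERROR', detail)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.startswith("stream: "):
        text = text[len("stream: "):]
    if text == "OK":
        return ("OK", None)
    if text.endswith(" FOUND"):
        return ("FOUND", text[:-len(" FOUND")])
    # Anything else (size limit exceeded, empty reply, ...) is not a clean verdict.
    return ("ERROR", text)

def scan_bytes(data: bytes, host="127.0.0.1", port=3310, timeout=30.0):
    """Send data to clamd over TCP and return the parsed verdict; fails closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(frame_instream(data))
            reply = b""
            while not reply.endswith(b"\0"):
                part = sock.recv(4096)
                if not part:
                    break
                reply += part
    except OSError as exc:  # connection refused, reset, or timed out
        return ("ERROR", str(exc))
    return parse_reply(reply)

if __name__ == "__main__":
    # Assumed: clamd reachable on 127.0.0.1:3310, as published in the command above.
    print(scan_bytes(b"constructed sample bytes, not a real file"))
```

Treat any result other than `("OK", None)` as a rejected upload. clamd's TCP socket has no authentication, so publish 3310 only on loopback (for example `--publish 127.0.0.1:3310:3310`) or on a private network.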