[pve-devel] applied: [PATCH dab-pve-appliances 1/2] pmg: include clamav cvd files in template

Thomas Lamprecht t.lamprecht at proxmox.com
Mon Jan 6 09:56:59 CET 2020


Am 1/2/20 um 5:53 PM schrieb Stoiko Ivanov:
> pmg depends on clamav, which does not start upon first boot without the
> presence of it's virus database files.
> 
> By downloading them on the host and shipping them with the template
> clamav-daemon starts up successfully. Since clamav-freshclam will
> start downloading any updated files upon booting and notify clamav-daemon
> the timeframe where the appliance runs with older virus defifinions is rather
> short.
> 
> Additionally this follows the way we ship the cvd files in the ISO image.
> 
> Downloading happens outside of the container, since it does not have access to
> the network.
> 
> Tested by creating an image, starting a container from that image and
> verifying that clamav-daemon starts up upon first boot.
> 
> Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
> ---
>  debian-10.0-pmg-64/Makefile | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
> 
> diff --git a/debian-10.0-pmg-64/Makefile b/debian-10.0-pmg-64/Makefile
> index 9386972..b2ff0b0 100644
> --- a/debian-10.0-pmg-64/Makefile
> +++ b/debian-10.0-pmg-64/Makefile
> @@ -1,6 +1,8 @@
>  BASEDIR:=$(shell dab basedir)
>  
> -all: info/init_ok
> +CVD_FILES:=main.cvd bytecode.cvd daily.cvd safebrowsing.cvd
> +
> +all: info/init_ok ${CVD_FILES}
>  	dab bootstrap --minimal
>  	sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin yes/' ${BASEDIR}/etc/ssh/sshd_config
>  	dab exec /bin/systemctl enable systemd-timesyncd.service
> @@ -8,6 +10,7 @@ all: info/init_ok
>  	dab install libdbi-perl perl-openssl-defaults libcgi-pm-perl proxmox-mailgateway-container gpg
>  	rm ${BASEDIR}/proxmox_install_mode
>  	sed -i '/^deb.*\.proxmox\.com\/.*$$/d;$${/^$$/d;}' ${BASEDIR}/etc/apt/sources.list
> +	cp ${CVD_FILES} ${BASEDIR}/var/lib/clamav/
>  	dab finalize
>  
>  info/init_ok: dab.conf
> @@ -17,9 +20,16 @@ info/init_ok: dab.conf
>  .PHONY: clean
>  clean:
>  	dab clean
> +	rm -f ${CVD_FILES}
>  	rm -f *~
>  
>  .PHONY: dist-clean
>  dist-clean:
>  	dab dist-clean
> +	rm -f ${CVD_FILES}
>  	rm -f *~
> +
> +.PHONY: ${CVD_FILES}
> +${CVD_FILES}:
> +	curl -L --silent --show-error --fail  --time-cond $@ -o $@.tmp http://database.clamav.net/$@
> +	[ -f $@.tmp ] && mv $@.tmp $@ || true
> 

applied, with small addition to commit message about the time-cond check for newer file mtime on
server and thus conditional move.
I mean we normally just use an explicit update phony target, but this is fine too,
for getting an up-to-date image even nicer.
Thanks!



More information about the pve-devel mailing list