[pve-devel] applied: [PATCH dab-pve-appliances 1/2] pmg: include clamav cvd files in template
Thomas Lamprecht
t.lamprecht at proxmox.com
Mon Jan 6 09:56:59 CET 2020
On 1/2/20 at 5:53 PM, Stoiko Ivanov wrote:
> pmg depends on clamav, which does not start upon first boot without the
> presence of its virus database files.
>
> By downloading them on the host and shipping them with the template
> clamav-daemon starts up successfully. Since clamav-freshclam will
> start downloading any updated files upon booting and notify clamav-daemon
> the timeframe where the appliance runs with older virus definitions is rather
> short.
>
> Additionally this follows the way we ship the cvd files in the ISO image.
>
> Downloading happens outside of the container, since it does not have access to
> the network.
>
> Tested by creating an image, starting a container from that image and
> verifying that clamav-daemon starts up upon first boot.
>
> Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
> ---
> debian-10.0-pmg-64/Makefile | 12 +++++++++++-
> 1 file changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/debian-10.0-pmg-64/Makefile b/debian-10.0-pmg-64/Makefile
> index 9386972..b2ff0b0 100644
> --- a/debian-10.0-pmg-64/Makefile
> +++ b/debian-10.0-pmg-64/Makefile
> @@ -1,6 +1,8 @@
> BASEDIR:=$(shell dab basedir)
>
> -all: info/init_ok
> +CVD_FILES:=main.cvd bytecode.cvd daily.cvd safebrowsing.cvd
> +
> +all: info/init_ok ${CVD_FILES}
> dab bootstrap --minimal
> sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin yes/' ${BASEDIR}/etc/ssh/sshd_config
> dab exec /bin/systemctl enable systemd-timesyncd.service
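Review bot: On the `all:` line, listing `${CVD_FILES}` as prerequisites ties every template build to the download host being reachable, because those targets are declared `.PHONY` further down and a non-zero exit from the curl recipe aborts make. A build with usable cvd files already in the directory would then stop on a network error. Consider moving the refresh into an explicit update target, or letting a failed refresh fall back to the file already present, and add a short comment above `CVD_FILES` saying why the databases are shipped in the template.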
> @@ -8,6 +10,7 @@ all: info/init_ok
> dab install libdbi-perl perl-openssl-defaults libcgi-pm-perl proxmox-mailgateway-container gpg
> rm ${BASEDIR}/proxmox_install_mode
> sed -i '/^deb.*\.proxmox\.com\/.*$$/d;$${/^$$/d;}' ${BASEDIR}/etc/apt/sources.list
> + cp ${CVD_FILES} ${BASEDIR}/var/lib/clamav/
> dab finalize
>
> info/init_ok: dab.conf
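Review bot: The added `cp ${CVD_FILES} ${BASEDIR}/var/lib/clamav/` leaves owner and mode to the defaults of whoever runs make on the host. Since the commit message expects clamav-freshclam to replace these files after first boot, it would be safer to set them explicitly, for example `install -m 0644` followed by a chown through `dab exec` to the account the clamav services run as.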
> @@ -17,9 +20,16 @@ info/init_ok: dab.conf
> .PHONY: clean
> clean:
> dab clean
> + rm -f ${CVD_FILES}
> rm -f *~
>
> .PHONY: dist-clean
> dist-clean:
> dab dist-clean
> + rm -f ${CVD_FILES}
> rm -f *~
> +
> +.PHONY: ${CVD_FILES}
> +${CVD_FILES}:
> + curl -L --silent --show-error --fail --time-cond $@ -o $@.tmp http://database.clamav.net/$@
> + [ -f $@.tmp ] && mv $@.tmp $@ || true
>
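Review bot: The curl recipe fetches `http://database.clamav.net/$@` in cleartext, follows redirects with `-L`, and nothing in the recipe checks the result before it is copied into the template. Use an https URL if the mirror offers one, or add a verification step on `$@.tmp` before the `mv`, so that a tampered or truncated download fails the build instead of being shipped. Separately, `clean` and `dist-clean` remove `${CVD_FILES}` but not a leftover `$@.tmp` from an interrupted transfer; `rm -f $(addsuffix .tmp,${CVD_FILES})` would cover that.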
applied, with small addition to commit message about the time-cond check for newer file mtime on
server and thus conditional move.
I mean we normally just use an explicit update phony target, but this is fine too,
for getting an up-to-date image even nicer.
Thanks!