From a51db1bdf59477c7ba530fb1822a53348747d5c8 Mon Sep 17 00:00:00 2001
From: nadeem
Date: Wed, 29 Nov 2023 06:21:42 +0000
Subject: [PATCH 1/2] Updating ClamAV configuration: Updating Config path to /usr/loacl/etc This is reuqired for the updated Clamav engine installed: https://github.com/alphagov/asset-manager/pull/1248 Updating freshclam config: Adding Database owner and Database directory location https://trello.com/c/TicAq9G1/1238-update-clamav-engine-to-latest-version
---
charts/app-config/values-integration.yaml | 2 +-
charts/asset-manager/templates/_freshclam_podspec.yaml | 2 +-
charts/asset-manager/templates/clamav-configmap.yaml | 2 ++
charts/asset-manager/templates/worker-deployment.yaml | 4 ++--
4 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/charts/app-config/values-integration.yaml b/charts/app-config/values-integration.yaml
index 2934450c35e..6690ed6544d 100644
--- a/charts/app-config/values-integration.yaml
+++ b/charts/app-config/values-integration.yaml
@@ -156,7 +156,7 @@ govukApplications: name: asset-manager-nginx-conf extraEnv: - name: ASSET_MANAGER_CLAMSCAN_PATH - value: /usr/bin/clamdscan + value: /usr/local/bin/clamdscan - name: GDS_SSO_OAUTH_ID valueFrom: secretKeyRef:
diff --git a/charts/asset-manager/templates/_freshclam_podspec.yaml b/charts/asset-manager/templates/_freshclam_podspec.yaml
index 153bd56ecd3..2430ae8d867 100644
--- a/charts/asset-manager/templates/_freshclam_podspec.yaml
+++ b/charts/asset-manager/templates/_freshclam_podspec.yaml
@@ -28,7 +28,7 @@ spec: - name: clam-virus-db mountPath: /var/lib/clamav - name: etc-clamav - mountPath: /etc/clamav + mountPath: /usr/local/etc securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true
diff --git a/charts/asset-manager/templates/clamav-configmap.yaml b/charts/asset-manager/templates/clamav-configmap.yaml
index 03d7db2e77b..bd0731b5c4a 100644
--- a/charts/asset-manager/templates/clamav-configmap.yaml
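Review bot: Mounting the etc-clamav volume at `/usr/local/etc` replaces that whole directory inside the container with the volume's contents, so anything the image installs under `/usr/local/etc` besides the ClamAV config (a source-built ClamAV drops its `.sample` files there, and other software may use the directory too) becomes invisible, whereas the previous `/etc/clamav` mount point was ClamAV-specific. If etc-clamav is the ConfigMap from clamav-configmap.yaml (its volume definition is outside this hunk), mounting each key on its own with `subPath` keeps the rest of the directory intact, e.g. `mountPath: /usr/local/etc/<CONFIG_FILE_NAME>` plus `subPath: <CONFIG_FILE_NAME>` per key, bearing in mind that subPath mounts do not pick up ConfigMap changes until the pod restarts. The same mount change appears in worker-deployment.yaml at @@ -69 and @@ -123. The container spec continues outside the hunk.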
+++ b/charts/asset-manager/templates/clamav-configmap.yaml
@@ -37,5 +37,7 @@ data: Foreground yes LogTime yes LogVerbose yes + DatabaseDirectory /var/lib/clamav + DatabaseOwner app # Avoid peaky RAM usage. clamd will complain anyway if something's wrong with the database. TestDatabases no
diff --git a/charts/asset-manager/templates/worker-deployment.yaml b/charts/asset-manager/templates/worker-deployment.yaml
index 37cfa520a24..62b6f65a438 100644
--- a/charts/asset-manager/templates/worker-deployment.yaml
+++ b/charts/asset-manager/templates/worker-deployment.yaml
@@ -69,7 +69,7 @@ spec: - name: asset-manager-efs mountPath: &uploads-path /mnt/asset-manager - name: etc-clamav - mountPath: /etc/clamav + mountPath: /usr/local/etc {{- with .Values.appExtraVolumeMounts }} {{ . | toYaml | trim | nindent 12 }} {{- end }}
@@ -123,7 +123,7 @@ spec: - name: clamd-tmp mountPath: /tmp - name: etc-clamav - mountPath: /etc/clamav + mountPath: /usr/local/etc securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true
From 750939d61a43191bdea09666b30cbb121620fafe Mon Sep 17 00:00:00 2001
From: nadeem
Date: Wed, 29 Nov 2023 15:15:30 +0000
Subject: [PATCH 2/2] Adding variable which allows changing path of the clamav configurations files.
---
charts/app-config/values-integration.yaml | 1 +
charts/asset-manager/templates/_freshclam_podspec.yaml | 2 +-
charts/asset-manager/templates/worker-deployment.yaml | 4 ++--
charts/asset-manager/values.yaml | 3 +++
4 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/charts/app-config/values-integration.yaml b/charts/app-config/values-integration.yaml
index 6690ed6544d..2768e0b7634 100644
--- a/charts/app-config/values-integration.yaml
+++ b/charts/app-config/values-integration.yaml
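Review bot: `DatabaseOwner app` only does anything when freshclam starts as root (it then drops privileges to that user) and it requires a user named `app` to exist in the image: if the freshclam container already runs as a non-root user through its securityContext (no runAsUser is visible in this series) the directive is a no-op, and if it does start as root but `app` is absent from the image's `/etc/passwd`, freshclam fails at startup. The new `DatabaseDirectory /var/lib/clamav` agrees with the `clam-virus-db` mount at `/var/lib/clamav` in _freshclam_podspec.yaml, but the clamd side of the ConfigMap is not in this hunk and needs the same directory if the updated engine's built-in default differs. A comment above the two added lines would make both couplings explicit, e.g. `# DatabaseDirectory must match the clam-virus-db mountPath; DatabaseOwner is the user freshclam drops to when started as root and must exist in the image`. The data block continues outside the hunk.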
@@ -151,6 +151,7 @@ govukApplications: - path: /media/ - path: /auth/gds # Viewing draft assets requires user auth. assetManagerNFS: &assets-nfs assets.blue.integration.govuk-internal.digital + clamMountConfigPath: /usr/local/etc nginxConfigMap: create: false name: asset-manager-nginx-conf
diff --git a/charts/asset-manager/templates/_freshclam_podspec.yaml b/charts/asset-manager/templates/_freshclam_podspec.yaml
index 2430ae8d867..4bd9c5bb29a 100644
--- a/charts/asset-manager/templates/_freshclam_podspec.yaml
+++ b/charts/asset-manager/templates/_freshclam_podspec.yaml
@@ -28,7 +28,7 @@ spec: - name: clam-virus-db mountPath: /var/lib/clamav - name: etc-clamav - mountPath: /usr/local/etc + mountPath: {{ .Values.clamMountConfigPath }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true
diff --git a/charts/asset-manager/templates/worker-deployment.yaml b/charts/asset-manager/templates/worker-deployment.yaml
index 62b6f65a438..2a94dfb652e 100644
--- a/charts/asset-manager/templates/worker-deployment.yaml
+++ b/charts/asset-manager/templates/worker-deployment.yaml
@@ -69,7 +69,7 @@ spec: - name: asset-manager-efs mountPath: &uploads-path /mnt/asset-manager - name: etc-clamav - mountPath: /usr/local/etc + mountPath: {{ .Values.clamMountConfigPath }} {{- with .Values.appExtraVolumeMounts }} {{ . | toYaml | trim | nindent 12 }} {{- end }}
@@ -123,7 +123,7 @@ spec: - name: clamd-tmp mountPath: /tmp - name: etc-clamav - mountPath: /usr/local/etc + mountPath: {{ .Values.clamMountConfigPath }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true
diff --git a/charts/asset-manager/values.yaml b/charts/asset-manager/values.yaml
index bc993c83796..b142031980d 100644
--- a/charts/asset-manager/values.yaml
+++ b/charts/asset-manager/values.yaml
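Review bot: `clamMountConfigPath: /usr/local/etc` is written unquoted here while the chart default for the same key in values.yaml is quoted; `clamMountConfigPath: "/usr/local/etc"` keeps the two consistent and guards the value against YAML reinterpretation if it is ever changed to something less benign than a plain path. The govukApplications mapping continues outside the hunk.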
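Review bot: `mountPath: {{ .Values.clamMountConfigPath }}` renders unquoted, so an unset or empty value produces `mountPath:` (a YAML null) that only fails when the API server rejects the volumeMount, and a value containing YAML-significant characters would be reinterpreted before Kubernetes sees it; `mountPath: {{ .Values.clamMountConfigPath | required "clamMountConfigPath must be set" | quote }}` fails the render with a clear message instead. The chart default in values.yaml normally populates the field, but an environment overriding the key with an empty string still hits this. The same expression is used in worker-deployment.yaml at @@ -69 and @@ -123 and should be changed alongside. The volumeMounts list continues outside the hunk.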
@@ -79,6 +79,9 @@ clamdResources: cpu: 500m memory: 2000Mi +# clamMountConfigPath is the path to which the clamav.conf and freshclam.conf are mounted +clamMountConfigPath: "/etc/clamav" + # assetManagerNFS is the address of the NFSv4 (or Amazon EFS) server where uploaded assetManagerNFS: "asset-manager-efs.dev.gov.uk"
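Review bot: The chart default `"/etc/clamav"` is the path this series started from, while PATCH 1/2 states the updated engine needs its config under `/usr/local/etc`; if every environment runs the same image, only integration (where values-integration.yaml overrides the key) mounts the ConfigMap where the engine looks, and the others start clamd/freshclam without the chart's config — if that is a deliberate staged rollout, the comment should say so and name what the default must track. The comment also refers to `clamav.conf`, whereas the ClamAV daemon reads `clamd.conf`; check the ConfigMap key names in clamav-configmap.yaml and correct the comment if it is a misnomer. Suggested wording: `# clamMountConfigPath is the directory the ClamAV ConfigMap (clamd.conf, freshclam.conf) is mounted at; it must match where the ClamAV build in the image looks for its config (typically /etc/clamav for distro packages, /usr/local/etc for source builds)`.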