Thanks for the quick response! My apologies, I wasn't trying to get too hung up on the details of the deployment. I was just trying to give some sort of background as to why I'm asking this question. In short, the main question I was hoping to get clarification on was:
If clamdscan is on Host A and clamd is on Host B, can you configure clamdscan to tell clamd to scan a file on Host B?

However, since you're interested and you brought up some good points, let me try and address them.

> It isn't obvious to me that a "networked" volume is better than streaming the
> file to the clamd VM/server/pod/host.

The deployment will be in AWS, and the mounted volume would be from EFS. My understanding of EFS is that while it can still be considered a "network mounted volume", it's about as close as you can get to having a volume on the physical machine while still being "network mounted" (i.e. the I/O performance on an EFS mount is comparable to a volume on the physical machine).

> It isn't obvious to me that clamd would have privilege to access the file as it
> may not be running as root and even root@clamdserver may not have
> privileged access to the volume.

The users running the clamd pod and the file server (client) pod would have the same UID:GID combination. When it comes to Docker and Kubernetes mounts, I believe that's all that is necessary to ensure that clamd would have proper permissions on the files that the file server pod would create in the shared volume. However, we're still in the early, experimental stages, so we would need to confirm that.

> How do you ensure that the two pods have synchronized views of the file
> (especially as it is new) ?

Kubernetes should be able to handle this pretty well. Worst case, we could implement some retry logic if we get an error from clamd when we don't expect to.

Thanks again!

P.S. Please let me know if the format of this response email doesn't follow mailing list etiquette. This is my first time posting to such a list.
Regards,
Nathan Choate

> -----Original Message-----
> From: Andrew C Aitchison <and...@aitchison.me.uk>
> Sent: Friday, September 10, 2021 9:54 AM
> To: Choate, Nathan via clamav-users <clamav-users@lists.clamav.net>
> Cc: Choate, Nathan (DI SW LCS CF SEPL BS SM) <nathan.cho...@siemens.com>
> Subject: Re: [clamav-users] Possible to use clamdscan to scan a file on the clamd host?
>
> On Fri, 10 Sep 2021, Choate, Nathan via clamav-users wrote:
>
> > Hello,
> >
> > I've recently been experimenting with using the recently built ClamAV Docker image in a Kubernetes deployment.
> > We want to utilize the ClamAV container in our deployment alongside a basic server application running in a separate pod.
> > We think the ideal pattern would be to have the ClamAV container running clamd in its own pod with its client running in a separate pod.
>
> I agree that having your application and clamd running in different pods is a good idea.
>
> Beyond that, this is an interesting question that I cannot really answer and only have more questions.
>
> > The idea would be to
> >
> > 1. Mount a volume for scanning into both the ClamAV container and the client container
> > 2. Package clamdscan in the Docker image for the client pod
> > 3. Whenever a file is uploaded to the client pod:
> >    * Move that file to the mounted volume (which is mounted in both the ClamAV container and the client container)
> >    * Use clamdscan from the client container to remotely tell clamd in the ClamAV container to scan the new file in the shared volume
> >
> > At the moment, it seems that whenever I try to use clamdscan to tell clamd to scan the volume contents from its container, clamdscan simply defaults to streaming the file contents from the client container to the ClamAV container.
>
> I would assume that if no mode is specified, clamdscan will default to streaming the file contents to the TCP port if it's on a remote "host" (in this case, a separate pod).
> >
> > Preferably, we would like to use clamdscan to tell clamd to scan the mounted volume contents from its container, not through a stream from the client. Is that possible?
>
> It isn't obvious to me that a "networked" volume is better than streaming the file to the clamd VM/server/pod/host.
>
> It isn't obvious to me that clamd would have privilege to access the file as it may not be running as root and even root@clamdserver may not have privileged access to the volume.
>
> How do you ensure that the two pods have synchronized views of the file (especially as it is new) ?
>
> clamd has some caching (I do not know the details) and IIUC can optimize scanning the same file from clients on multiple hosts.
>
> I don't really understand the point of moving (or even copying) the file to a common volume. Since it is a new file (at least as seen by the shared volume) the bits will have to be sent from the client to the file server and then to the clamd server; streaming the file only requires one transfer and two logical machines.
>
> --
> Andrew C. Aitchison  Kendal, UK
> and...@aitchison.me.uk

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
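The path-versus-stream distinction the thread turns on, as an added example that is not part of either message and is not ClamAV's own code: clamd's documented socket commands include `SCAN <path>` (the daemon opens the path on its own host) and `INSTREAM` (the client ships the bytes as big-endian length-prefixed chunks ending in a zero-length chunk). The client side below builds those two request forms and parses the `OK` / `FOUND` / `ERROR` replies; the server side is a constructed stand-in for clamd, written only to show that a `SCAN` path is resolved on the daemon's side of the socket, so a file that exists only on the client host comes back as an error while the same bytes sent with `INSTREAM` are scanned. The signature string, the stand-in's error wording and the temporary directories are constructed for the example; the stand-in models path visibility only, not the UID/GID or caching questions raised in the thread.

```python
import os
import socket
import struct
import tempfile
import threading

# Constructed stand-in signature: the fake daemon below "detects" this string.
TEST_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"


def build_scan(path: str) -> bytes:
    """Null-terminated SCAN command (the form clamdscan uses for a path)."""
    return b"zSCAN " + path.encode() + b"\0"


def build_instream(data: bytes, chunk_size: int = 4096) -> bytes:
    """INSTREAM framing: command, then 4-byte big-endian length-prefixed
    chunks, terminated by a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)
    return bytes(out)


def parse_reply(raw: bytes) -> tuple:
    """Replies look like '<target>: OK', '<target>: <sig> FOUND' or
    '<target>: <reason> ERROR'; return (target, verdict)."""
    target, _, verdict = raw.rstrip(b"\0").decode().partition(": ")
    return target, verdict


def _recv_exactly(conn: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        part = conn.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed mid-message")
        buf += part
    return buf


def _verdict(data: bytes) -> str:
    return "ConstructedTestSig FOUND" if TEST_SIGNATURE in data else "OK"


def _fake_clamd(conn: socket.socket, root: str) -> None:
    """Constructed stand-in for clamd (not ClamAV). SCAN paths are opened on
    *this* side of the socket; INSTREAM bytes arrive over the socket."""
    with conn:
        cmd = b""
        while not cmd.endswith(b"\0"):
            cmd += _recv_exactly(conn, 1)
        cmd = cmd[:-1]
        if cmd.startswith(b"zSCAN "):
            path = cmd[6:].decode()
            # The daemon can only read what its own filesystem view contains;
            # a path that was never shared is simply absent here (error text
            # is the stand-in's own wording, not clamd's).
            real = os.path.realpath(path)
            if not real.startswith(root + os.sep) or not os.path.isfile(real):
                reply = f"{path}: No such file or directory. ERROR"
            else:
                with open(real, "rb") as fh:
                    reply = f"{path}: {_verdict(fh.read())}"
        elif cmd == b"zINSTREAM":
            data = bytearray()
            while True:
                (size,) = struct.unpack(">I", _recv_exactly(conn, 4))
                if size == 0:
                    break
                data += _recv_exactly(conn, size)
            reply = f"stream: {_verdict(bytes(data))}"
        else:
            reply = "UNKNOWN COMMAND"
        conn.sendall(reply.encode() + b"\0")


def exchange(request: bytes, server_root: str) -> tuple:
    """One request/reply round trip against the stand-in daemon."""
    client, server = socket.socketpair()
    t = threading.Thread(target=_fake_clamd, args=(server, server_root))
    t.start()
    with client:
        client.sendall(request)
        raw = b""
        while not raw.endswith(b"\0"):
            part = client.recv(4096)
            if not part:
                break
            raw += part
    t.join()
    return parse_reply(raw)


def demo() -> dict:
    """Same bytes, four ways: SCAN of a path the daemon can see, SCAN of a
    path that exists only on the client, INSTREAM of the bytes, clean INSTREAM."""
    with tempfile.TemporaryDirectory() as shared, \
            tempfile.TemporaryDirectory() as client_only:
        shared = os.path.realpath(shared)          # "volume mounted in both pods"
        shared_file = os.path.join(shared, "upload.bin")
        local_file = os.path.join(client_only, "upload.bin")  # client pod only
        payload = b"header " + TEST_SIGNATURE + b" trailer"   # constructed upload
        for p in (shared_file, local_file):
            with open(p, "wb") as fh:
                fh.write(payload)
        return {
            "scan_shared": exchange(build_scan(shared_file), shared),
            "scan_client_only": exchange(build_scan(local_file), shared),
            "instream": exchange(build_instream(payload, chunk_size=8), shared),
            "instream_clean": exchange(build_instream(b"nothing here"), shared),
        }


if __name__ == "__main__":
    for name, (target, verdict) in demo().items():
        print(f"{name:18} {target}: {verdict}")
```

`demo()` returns the four verdicts. What the `scan_client_only` case makes concrete is the prerequisite the thread is circling: for `SCAN` to work across pods, the daemon must see the file at the exact path the client names, which is a question of a shared mount and matching path layout before it is a question of permissions.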