From d73188c3b910c4476ed02f9cbec0f8542729f32d Mon Sep 17 00:00:00 2001
From: tobias
Date: Tue, 5 May 2026 14:15:05 +0200
Subject: [PATCH] Pin Alpine 3.23, single base for builder + runtime, add smoke test
- Both stages on alpine:3.23 (was python:3-alpine + alpine:latest). Major.minor pin gives security patches without breaking on rebase.
- fangfrisch installed in /opt/fangfrisch venv (PEP 668 blocks system pip on modern Alpine).
- Drop deprecated MAINTAINER instruction in favour of LABEL.
- test_smoke.sh: image present + version + sig count + EICAR.
Validated end-to-end on amd64 Linux: ClamAV 1.4.4, 3.85M sigs.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
Dockerfile | 22 ++++++++++++----------
test_smoke.sh | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 63 insertions(+), 10 deletions(-)
create mode 100755 test_smoke.sh
diff --git a/Dockerfile b/Dockerfile
index 4529b8f..7b9ca1c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,20 +1,22 @@
-FROM python:3-alpine as builder
-RUN apk add -u --no-cache clamav clamav-dev freshclam bash clamav-libunrar
-RUN pip install fangfrisch
-RUN mkdir -m 0770 -p /var/lib/fangfrisch
-RUN chgrp clamav /var/lib/fangfrisch
+FROM alpine:3.23 AS builder
+LABEL maintainer="tabledevil"
+RUN apk add --no-cache clamav clamav-libunrar freshclam python3 py3-pip bash
+# fangfrisch needs Python; PEP 668 on modern Alpine blocks system-pip, use venv.
+RUN python3 -m venv /opt/fangfrisch && /opt/fangfrisch/bin/pip install fangfrisch
+RUN mkdir -m 0770 -p /var/lib/fangfrisch && chgrp clamav /var/lib/fangfrisch
 ADD fangfrisch.conf /etc/fangfrisch.conf
 USER clamav
-RUN fangfrisch --conf /etc/fangfrisch.conf initdb
-RUN fangfrisch --conf /etc/fangfrisch.conf refresh
+RUN /opt/fangfrisch/bin/fangfrisch --conf /etc/fangfrisch.conf initdb
+RUN /opt/fangfrisch/bin/fangfrisch --conf /etc/fangfrisch.conf refresh
 RUN freshclam
-FROM alpine
+FROM alpine:3.23
 ARG PUID=1001
 ARG PGID=1001
-MAINTAINER tabledevil
-RUN apk add -u --no-cache clamav clamav-daemon clamav-clamdscan bash clamav-libunrar
+LABEL maintainer="tabledevil"
+LABEL docker.cmd="docker run -it --rm -v /folder/to/scan:/data:ro --network=none tabledevil/clamav scan"
+RUN apk add --no-cache clamav clamav-daemon clamav-clamdscan bash clamav-libunrar
 COPY --from=builder /var/lib/clamav /var/lib/clamav
 ADD clamd.conf /etc/clamav/clamd.conf
 ADD start.sh /start.sh
diff --git a/test_smoke.sh b/test_smoke.sh
new file mode 100755
index 0000000..c9fac9f
--- /dev/null
+++ b/test_smoke.sh
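Review bot: The builder-stage line `RUN python3 -m venv /opt/fangfrisch && /opt/fangfrisch/bin/pip install fangfrisch` still resolves an unpinned package from PyPI at build time, so the alpine:3.23 pin this commit introduces does not make the image reproducible: two builds of the same commit can pull different fangfrisch releases, and a broken or compromised release would land silently in the signature-update path. Pin it, e.g. `/opt/fangfrisch/bin/pip install --no-cache-dir 'fangfrisch==<pinned-version>'` (placeholder version to fill in), and if the project wants integrity beyond a version pin, a small requirements file with `--require-hashes` closes the gap; the `apk add` lines in both stages are likewise unpinned beyond what the base-image tag implies. The `LABEL maintainer="tabledevil"` added to the builder stage is discarded with that stage, so only the one on the runtime stage is meaningful. The runtime stage continues past the end of the hunk, so whether it ends with a `USER` directive cannot be seen here.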
@@ -0,0 +1,51 @@
+#!/bin/bash
+# Smoke test for the clamav scanner image: image present, version reports
+# engine + sig DB, EICAR is detected via clamdscan --multiscan.
+#
+# Usage: TAG=ls-clamav:test ./test_smoke.sh
+# (defaults to tabledevil/clamav)
+
+set -u
+TAG="${TAG:-tabledevil/clamav}"
+TMP="$(mktemp -d)"
+trap 'rm -rf "$TMP"' EXIT
+
+pass=0; fail=0
+ok() { echo "PASS $1"; pass=$((pass+1)); }
+bad() { echo "FAIL $1"; fail=$((fail+1)); }
+
+if docker image inspect "$TAG" >/dev/null 2>&1; then
+ ok "image $TAG present"
+else
+ bad "image $TAG not present"; exit 1
+fi
+
+out="$(docker run --rm "$TAG" version 2>&1 || true)"
+if echo "$out" | grep -qE "ClamAV [0-9]+\.[0-9]+"; then
+ ok "version reports ClamAV engine"
+else
+ bad "version did not report ClamAV engine"
+ echo "$out" | tail -10
+fi
+if echo "$out" | grep -qE "[0-9]+ Signatures loaded"; then
+ ok "sig DB loaded ($(echo "$out" | grep -oE '[0-9]+ Signatures loaded' | head -1))"
+else
+ bad "sig count not reported"
+fi
+
+mkdir -p "$TMP/data"
+printf '%s%s' \
+ 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-' \
+ 'STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$TMP/data/eicar.com"
+
+out="$(docker run --rm -v "$TMP/data:/data:ro" "$TAG" scan 2>&1 || true)"
+if echo "$out" | grep -qiE "EICAR.*FOUND|Infected files: [1-9]"; then
+ ok "scan detects EICAR"
+else
+ bad "scan did not detect EICAR"
+ echo "$out" | tail -20
+fi
+
+echo
+echo "Summary: $pass pass, $fail fail"
+[ "$fail" -eq 0 ]
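Review bot: The scan fixture lives under `TMP="$(mktemp -d)"`, which creates a mode-0700 directory owned by the invoking host user; if the image scans as a non-root uid that differs from that user (the Dockerfile takes `PUID`/`PGID` build args, and start.sh is not in this patch, so this is inferred), the `:ro` bind mount is unreadable inside the container and the EICAR check fails for a reason unrelated to detection. Adding `chmod 755 "$TMP" "$TMP/data"` after the `mkdir -p "$TMP/data"` line removes the dependency on matching uids. The scan invocation also omits the `--network=none` flag that the image's `docker.cmd` label advertises, so the smoke test never exercises the documented offline form; adding it to the `docker run --rm -v "$TMP/data:/data:ro" "$TAG" scan` line keeps test and label aligned. The `Infected files: [1-9]` alternative in the grep passes on any detection rather than EICAR specifically, which is fine only while eicar.com is the sole file in the mount — worth a one-line comment so a later fixture addition does not weaken the check.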