Simplify and speed up the clamav build. #1416
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Use govuk-ruby-builder for clamav. Simplifies the Dockerfile by eliminating boilerplate and speeds up the build by not having to install a bunch of stuff that already ships with govuk-ruby-builder. - Don't run the clamav Python testsuite; it's super slow and we're building from an official source tarball with a very common config, so it's not worth blowing up asset-manager's build time. - Add a crude but fast and farly effective smoke test for the two clam binaries that asset-manager needs. - Use the system Rust instead of faffing about installing it ourselves, since we don't antipcate any need to run on PowerPC any time soon. - Remove a bunch of unneeded Apt packages. - Remove some unneeded workarounds, e.g. install the clam binaries in the desired directory (which happens to be the default one from the CMakelists.txt anyway) rather than symlinking them afterwards. - Remove some (cough) [GPLed code] (cough) that was mistakenly copy-pasted into the Dockerfile of our MIT-licensed codebase here. [GPLed code]: https://www.github.com/Cisco-Talos/clamav-docker/blob/bf4c0c2/clamav/1.3/debian/Dockerfile Tested: built locally with Docker Desktop, copied some lightly-modified default configs into /usr/local/etc/*clam*.conf, successfully ran freshclam and scanned some files with clamdscan connecting to clamd via TCP on 127.0.0.1 (which is how we do it in prod).
This eliminates some unnecessary config from govuk-helm-charts and makes asset-manager more robust against the clam binaries moving to a slightly different directory in PATH (which was the cause of a recent production outage). Remove a unhelpful change-detector test for the default value.
It passes now, but it's still ugly.
theseanything
approved these changes
Jun 24, 2024
dj-maisy
approved these changes
Jun 24, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Tested: built and ran locally with Docker Desktop, copied configs into
/usr/local/etc/*clam*.conf, successfully ranfreshclamand scanned some files withclamdscanconnecting toclamdvia TCP on 127.0.0.1 (which is how we do it in prod).Rollout: needs manual e2e testing in integration or staging before pushing to prod. (Done — successfully created a document with at attachment and an image in integration via whitehall-admin).