I hadn’t seen that.
Have to give it a try with my dummy app.
This app was clamav - called “a-dummy-clamav” as due to UI issues I have deleted the top app only list sometimes by mistake.
```yaml
services:
  clamav:
    cap_add:
      - CHOWN
      - DAC_OVERRIDE
      - FOWNER
      - SETGID
      - SETUID
    cap_drop:
      - ALL
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 4096M
    environment:
      CLAMAV_NO_CLAMD: 'false'
      CLAMAV_NO_FRESHCLAMD: 'false'
      CLAMAV_NO_MILTERD: 'true'
      CLAMD_STARTUP_TIMEOUT: '1800'
      FRESHCLAMD_CHECKS: '1'
      NVIDIA_VISIBLE_DEVICES: void
      TZ: Etc/UTC
      UMASK: '002'
      UMASK_SET: '002'
    group_add:
      - 568
    healthcheck:
      interval: 10s
      retries: 30
      start_period: 10s
      test: clamdcheck.sh
      timeout: 5s
    image: clamav/clamav:1.1.2-2
    platform: linux/amd64
    ports:
      - mode: ingress
        protocol: tcp
        published: 30005
        target: 3310
    privileged: False
    restart: unless-stopped
    security_opt:
      - no-new-privileges=true
    stdin_open: False
    tty: False
    volumes:
      - bind:
          create_host_path: False
          propagation: rprivate
        read_only: False
        source: /mnt/.ix-apps/app_mounts/a-dummy-app-clamav/scandir
        target: /scandir
        type: bind
      - read_only: False
        target: /tmp
        type: volume
        volume:
          nocopy: False
      - bind:
          create_host_path: False
          propagation: rprivate
        read_only: False
        source: /mnt/.ix-apps/app_mounts/a-dummy-app-clamav/sigdb
        target: /var/lib/clamav
        type: bind
volumes: {}
x-notes: >+
  # ClamAV
  ## Warnings
  - Due to a design flaw in ClamAV, the clamd can be exploited to send commands
  like 'SHUTDOWN', 'RELOAD', 'VERSION' and others to the clamd process. </br>
  See more details at https://github.com/Cisco-Talos/clamav/issues/1169"
  ## Bug Reports and Feature Requests
  If you find a bug in this app or have an idea for a new feature, please file
  an issue at
  https://github.com/truenas/apps
x-portals: []
```
This is what the yaml looks like. I changed the image: clamav/clamav:1.1.2-2 to :latest and that still worked. Interestingly on docker.com there is no 1.1.2-2 tagged version of clamav. Not sure what the implications of that are.
BTW there is a feature request that hasn’t got much traction
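
The warning in the app notes and the `:latest` observation above, as an added example (not part of the original post or the TrueNAS app): a check over the rendered Compose data that flags a clamd port published on all interfaces and an image referenced by a mutable tag rather than a digest. It assumes the Compose file has been loaded into a dict (for instance from `docker compose config --format json`); the function names and the `HARDENED` variant are hypothetical.

```python
# Added example: audit a rendered Compose service for the two exposures
# discussed in the post. All function names here are hypothetical.
CLAMD_PORT = 3310                   # container-side "target" port in the post
WILDCARD = {"", "0.0.0.0", "::"}    # no host_ip means "every interface"

def audit_service(name, svc):
    """Return a list of (check, detail) findings for one Compose service."""
    findings = []
    # 1. Per the app's warning, anyone who can reach clamd can send it
    #    commands, so a port published on all interfaces is an exposure.
    for port in svc.get("ports", []):
        if int(port.get("target", 0)) != CLAMD_PORT:
            continue
        host_ip = port.get("host_ip", "")
        if host_ip in WILDCARD:
            findings.append(("clamd-exposed",
                f"{name}: {host_ip or '0.0.0.0'}:{port.get('published')} -> {CLAMD_PORT}"))
    # 2. A tag can be moved or removed; only an @sha256 digest pins content.
    image = svc.get("image", "")
    if "@sha256:" not in image:
        last = image.rsplit("/", 1)[-1]
        tag = last.rsplit(":", 1)[1] if ":" in last else "latest"
        findings.append(("image-unpinned", f"{name}: {image} (tag '{tag}')"))
    return findings

def audit(compose):
    """Audit every service in a Compose document loaded as a dict."""
    out = []
    for name, svc in compose.get("services", {}).items():
        out.extend(audit_service(name, svc))
    return out

# Constructed input: only the relevant keys of the service posted above.
POSTED = {"services": {"clamav": {
    "image": "clamav/clamav:1.1.2-2",
    "ports": [{"mode": "ingress", "protocol": "tcp",
               "published": 30005, "target": 3310}],
}}}

# Constructed variant: loopback-only publish and a digest placeholder.
HARDENED = {"services": {"clamav": {
    "image": "clamav/clamav@sha256:<digest-placeholder>",
    "ports": [{"mode": "ingress", "protocol": "tcp", "host_ip": "127.0.0.1",
               "published": 30005, "target": 3310}],
}}}

if __name__ == "__main__":
    for check, detail in audit(POSTED) + audit(HARDENED):
        print(f"[{check}] {detail}")
```

A `host_ip` set to a specific LAN address also passes the first check; whether that is acceptable depends on who else can reach that interface.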