{"id":20780509,"url":"https://github.com/elemental-lf/chowder","last_synced_at":"2026-05-02T11:38:45.706Z","repository":{"id":97906183,"uuid":"170180746","full_name":"elemental-lf/chowder","owner":"elemental-lf","description":"All-in-one Docker image of ClamAV with Celery worker, REST API and clamd","archived":false,"fork":false,"pushed_at":"2019-03-18T15:58:08.000Z","size":92,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-01-18T08:46:03.562Z","etag":null,"topics":["anti-virus","celery","clamav","docker","kubernetes","rest-api"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/elemental-lf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-02-11T18:35:58.000Z","updated_at":"2024-08-20T14:39:24.000Z","dependencies_parsed_at":null,"dependency_job_id":"5e388965-2d29-4b4e-8470-19edf39439e1","html_url":"https://github.com/elemental-lf/chowder","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elemental-lf%2Fchowder","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elemental-lf%2Fchowder/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elemental-lf%2Fchowder/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elemental-lf%2Fchowder/manifests","owner_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/owners/elemental-lf","download_url":"https://codeload.github.com/elemental-lf/chowder/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243124937,"owners_count":20240260,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anti-virus","celery","clamav","docker","kubernetes","rest-api"],"created_at":"2024-11-17T13:37:31.073Z","updated_at":"2025-12-25T11:18:05.326Z","avatar_url":"https://github.com/elemental-lf.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Travis CI status](https://img.shields.io/travis/elemental-lf/chowder/master.svg?style=plastic\u0026label=Travis%20CI)](https://travis-ci.org/elemental-lf/chowder)\n\n# All-in-one Docker image of ClamAV with Celery worker, REST API and clamd\n\nThis repository contains a Docker image which includes the ClamAV engine and multiple different ways to access the\nengine. It is intended to be deployed with Kubernetes but can also be used with Docker.\n\n## Modes of operation\n\nWhen instantiating the image as a container the mode the container should be running in needs to be specified. There\nare four possible modes:\n\n* `freshcleam`: In this mode the container runs the freshclam daemon. It updates the anti-virus databases\n    in the `/var/lib/clamav` directory.\n    \n* `celery-worker`: Celery is a distributed task queue framework for Python. 
In this mode a Celery worker is\n    started which publishes one task with the following signature:\n    \n    `scan(fs: str, file: str, timeout: int = 3600, clamscan_options: Dict[str, str] = None, unlink: bool = False)`\n    \n    The parameters for `scan` are:\n    \n    * `fs`: Name of a PyFilesystem URL\n    * `file`: Name of a file to be scanned\n    * `timeout`: Timeout for the `clamscan` call\n    * `clamscan_options`: This is a dictionary of options that are passed directly to `clamscan`. The key of the\n    dictionary items is the option name (without the leading dash or dashes). The value is the argument\n    of the respective option. If an option has no argument the value should be set to `None`.\n    * `unlink`: If this boolean value is set to `True` the file is unlinked after being scanned.\n    \n    The task returns a tuple consisting of a boolean value indicating if a virus was found (`True`) or not\n    (`False`) and a multi-line string containing the output of `clamscan`.\n    \n    Resources are accessed via [PyFilesystem](https://www.pyfilesystem.org/); support for accessing S3 object \n    stores via [`fs-s3`](https://fs-s3fs.readthedocs.io/) is included.\n    \n    All resources are scanned with `clamscan` to circumvent the 4GB limit of `clamd` and of the REST API\n    which also connects to `clamd`. This has the disadvantage that the whole anti-virus pattern database needs to\n    be loaded by each invocation of `clamscan` which takes about 20 seconds (on my hardware). Furthermore to scan\n    S3 objects they need to be downloaded into the local filesystem in full to be scanned.\n    \n    To configure the Celery workers to connect to Celery backends the Celery configuration needs to be mounted as \n    `/celery-worker/config/celeryconfig.py` inside the container. It contains configuration variable assignments\n    as per the Celery [documentation](http://docs.celeryproject.org/en/latest/userguide/configuration.html). 
To\n    get the results of the scans a results backend is needed.\n    \n    The task needs to be called by name. It is possible to use `send_task` for this or to define a `signature`.\n    \n* `clamd`: This mode starts the `clamd` daemon inside the container. It listens on TCP port 3310 and on the\n    Unix domain socket `/var/run/clamav/clamd.sock`. The TCP port can be exposed to the outside world \n    if wanted. The Unix domain socket is currently not used. This mode is untested apart from observing\n    a successful startup of `clamd`.    \n    \n* `rest`: In this mode [Solita's ClamAV REST proxy](https://github.com/solita/clamav-rest) is started. It connects\n    to `clamd` via TCP on `localhost`, port 3310 so a companion `clamd` container in the same network namespace\n    is needed. This mode is untested apart from observing a successful startup of the proxy.\n        \nThe mode needs to be supplied as a single argument to the container's entry-point. This is done via the \nKubernetes `args` option in container specifications. When using `docker-compose` or Docker Swarm\nthis would be `command`.  \n\n## Usage with Kubernetes\n\nTo deploy Chowder with Kubernetes it is best to use the provided Helm chart. It can be found in `charts/chowder`.\nIf you're not using Helm the manifest templates in `charts/chowder/templates` will still be a good starting point\nfor building your own manifests.\n\nThe Helm chart comes with a few configuration options:\n\nFirst of all it is possible to activate or deactivate each of the at most four containers that comprise each \npod of the deployment. The `freshclam` container should normally always be present. If it does not exist the \nanti-virus pattern databases which have been baked into the image at the time of its build are used and not updated. \nThe other options reflect the modes of operation listed above.\n\nThe configuration for the Celery worker needs to be supplied under the key `containers.celeryWorker.config`. 
It is\ninjected into the container via a `ConfigMap`.\n\n```yaml\ncontainers:\n  clamd:\n    enabled: false\n  freshclam:\n    enabled: true\n  celeryWorker:\n    enabled: true\n    config: |\n      [... Celery Worker configuration ...]\n  rest:\n    enabled: false\n```    \nTo use the REST API or talk to `clamd` directly the corresponding services can be activated. The port number the \nrespective service listens on can also be configured.\n\n```yaml\nservices:\n  rest:\n    enabled: false\n    type: ClusterIP\n    port: 8080\n  clamd:\n    enabled: false\n    type: ClusterIP\n    port: 3310\n```\n\nBy default the deployment consists of five pods. `clamd` and the REST API have an internal scaling mechanism each, \nso one pod can handle a number of connections simultaneously. But the Celery workers are each started with just one\nworker process per pod, so they need to be scaled by increasing the number of `replicas`. This can be done\nautomatically by enabling the horizontal autoscaler below.\n\n```yaml\nreplicaCount: 5 \n```\nWith the standard settings the Helm chart will use the `latest` image. For production deployment it is recommended \nto specify a release version instead of using `latest`. In that case the `pullPolicy` can be set to `IfNotPresent`.\n\n```yaml\nimage:\n  repository: elementalnet/chowder\n  tag: latest\n  pullPolicy: Always\n```\n\nFor scanning files directly a data volume can be mounted into the Celery worker container:\n\n```yaml\ncontainers:\n  celeryWorker:\n    dataVolume:\n      enabled: false\n      # Mount path inside the Celery worker container\n      mountPath: /data\n      reference:\n        persistentVolumeClaim:\n          claimName: your-pvc\n```\nIt is possible to specify resources for the containers. Currently all containers get the same resource allocation. This\nmight turn out to be suboptimal and separate resource specifications might be needed in the future. 
A horizontal\npod autoscaler can be enabled to adjust the number of `replicas` automatically.\n\n```yaml\nresources: {}\n  # limits:\n  #  cpu: 100m\n  #  memory: 128Mi\n  # requests:\n  #  cpu: 100m\n  #  memory: 128Mi\n\nhorizontalPodAutoscaler:\n  # Remember to set resources above if you enable this\n  enabled: false\n  minReplicas: 1\n  maxReplicas: 10\n  targetCPUUtilizationPercentage: 50\n```\n\nThe last three options relate to pod placement:\n\n```yaml\nnodeSelector: {}\n\ntolerations: []\n\naffinity: {}  \n```\n\n## Usage with Docker\n\nCurrently there are no examples on how to use this image with `docker` or `docker-compose` or on how to deploy \nit inside Docker Swarm. Contributions are welcome.\n\n## Available images\n\nA pre-built Docker image is present on Docker Hub under https://hub.docker.com/r/elementalnet/chowder. The current\nmaster branch is available under the tags `latest` and `master`. Releases are available with their respective\nversion as the tag. All images are built automatically via Travis CI.\n\n## Credits\n\nThis work is in part based on https://github.com/UKHomeOffice/docker-clamav. Thank you!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Felemental-lf%2Fchowder","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Felemental-lf%2Fchowder","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Felemental-lf%2Fchowder/lists"}