Pivotal Knowledge Base

How to exclude the NFS (Blobstore) job in the ClamAV manifest file

Environment

  • Pivotal Cloud Foundry (PCF) Elastic Runtime 1.10.x, 1.11.x
  • ClamAV 1.2.x and above

Purpose

In some cases, a customer may want to exclude the NFS server from participating in the ClamAV service. This is under discussion with the product team, and this article can be used as a reference.

Procedure

Follow these steps to keep the clamd and freshclam processes from being collocated on the nfs_server (blobstore) job.

1. With the BOSH v1 CLI, find the job name in the capi release:

bosh releases --jobs | egrep 'Name|capi'

Acting as user 'director' on 'p-bosh'
RSA 1024 bit CA certificates are loaded due to old openssl compatibility
| Name                          | Versions  | Commit Hash | Jobs                                                                                                                                                                                               |
| capi                          | 1.28.19*  | 884d589e    | blobstore, cc_uploader, cloud_controller_clock, cloud_controller_ng, cloud_controller_worker, debian_nfs_server, nfs_mounter, nsync, stager, tps  

2. If you are using the BOSH v2.0 CLI, which does not have the "--jobs" option for releases, here is an example of how to obtain the job name:

bosh2 -e https://opsman_url:25555 --ca-cert /var/tempest/workspaces/default/root_ca_certificate inspect-release capi/1.28.19 --json | jq '.Tables[].Rows' | grep job

    "job": "blobstore/5582f6d61081ce05e87fc8d82da616159c658abd",
    "job": "cc_uploader/a310c36b3e69b4eefc8dccb88658a8fa1ef1c056",
    "job": "cloud_controller_clock/6fe054f4a62a5ad41224ac49b95d4c419c6d6dfe",
    "job": "cloud_controller_ng/747e4689c71c439de0c373caba5d8d8e58232744",
    "job": "cloud_controller_worker/640d7920075032ca920b832b2f607dde32b2ec3b",
    "job": "debian_nfs_server/8c6159eca06f8b8dfbea48f9885340ba2fca6baf",
    "job": "nfs_mounter/4630a72f08ebe6713e58a4abda6d5f2085b344a0",
    "job": "nsync/c4797cf095591a331edb6758ecec36fae9e6e5ca",
    "job": "stager/0a4acf28fd0efc15c3d700546f2caabb8ab777b3",
    "job": "tps/2564bcef539310142d0878c8ab2286c84c7ddd87",

Example:

Here is a BOSH ClamAV manifest file you can use (note the exclude section):

ubuntu@pivotal-ops-manager:~$ bosh runtime-config
Acting as user 'director' on 'p-bosh'
RSA 1024 bit CA certificates are loaded due to old openssl compatibility
  releases:
  - name: clamav
    version: 1.2.7
  addons:
  - name: clamav
    jobs:
    - name: clamav
      release: clamav
      properties:
        clamav:
          database_mirror: pivotal-clamav-mirror.s3.amazonaws.com
    on_access: false
    scheduled: true
    include:
      stemcell:
      - os: ubuntu-trusty
    exclude:
      jobs:
      - name: blobstore
        release: capi
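
An added example, not part of the original article or of any Pivotal tooling: a Ruby check that every name under exclude.jobs really exists in the capi release (using the job list from step 2), so a mistyped name is caught and the set of jobs left without ClamAV is explicit. The sample runtime config and the trimmed inspect-release JSON are constructed, and release_jobs and audit_excludes are hypothetical helper names.

```ruby
require 'yaml'
require 'json'

# Constructed sample in the layout shown on this page; nfs_server is a deliberately wrong job name.
RUNTIME_CONFIG = <<~YAML
  addons:
  - name: clamav
    jobs:
    - name: clamav
      release: clamav
    exclude:
      jobs:
      - name: blobstore
        release: capi
      - name: nfs_server
        release: capi
YAML

# Constructed sample: trimmed `inspect-release capi/1.28.19 --json` output.
INSPECT_JSON = <<~JSON
  {"Tables":[{"Rows":[
    {"job":"blobstore/5582f6d61081ce05e87fc8d82da616159c658abd"},
    {"job":"debian_nfs_server/8c6159eca06f8b8dfbea48f9885340ba2fca6baf"},
    {"job":"nfs_mounter/4630a72f08ebe6713e58a4abda6d5f2085b344a0"}
  ]}]}
JSON

# Job names from the inspect-release JSON: "name/fingerprint" becomes "name".
def release_jobs(inspect_json)
  rows = JSON.parse(inspect_json).fetch('Tables', []).flat_map { |t| t['Rows'] || [] }
  rows.map { |r| r['job'] }.compact.map { |j| j.split('/').first }
end

# Returns [valid, unknown] exclude names of one addon for one release.
def audit_excludes(runtime_yaml, addon_name, release, known_jobs)
  addons = YAML.safe_load(runtime_yaml).fetch('addons', [])
  addon = addons.find { |a| a['name'] == addon_name }
  return [[], []] unless addon
  entries = addon.dig('exclude', 'jobs') || []
  entries.select { |e| e['release'] == release }
         .map { |e| e['name'] }
         .partition { |n| known_jobs.include?(n) }
end

if __FILE__ == $PROGRAM_NAME
  valid, unknown = audit_excludes(RUNTIME_CONFIG, 'clamav', 'capi', release_jobs(INSPECT_JSON))
  valid.each { |n| puts "excluded from ClamAV: capi/#{n}" }
  unknown.each { |n| puts "no such job in capi: #{n}" }
end
```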
 

Additional Information

In some cases, a customer may want to exclude other jobs, e.g. errand VMs, smoke-tests, etc.:

      - {name: push-apps-manager, release: push-apps-manager-release}
      - {name: deploy-notifications, release: notifications}
      - {name: deploy-notifications-ui, release: notifications-ui}
      - {name: push-pivotal-account, release: pivotal-account}
      - {name: deploy-autoscaling, release: cf-autoscaling}
      - {name: register-broker, release: cf-autoscaling}
      - {name: nfsbrokerpush, release: nfs-volume}
      - {name: bootstrap, release: cf-mysql}
      - {name: rejoin-unsafe, release: cf-mysql}
      - {name: broker-registrar, release: cf-mysql}
      - {name: deregister-and-purge-instances, release: cf-mysql}
      - {name: smoke-tests, release: cf-mysql}
      - {name: install-hwc-buildpack, release: hwc-buildpack}

NOTE: Please check with Pivotal Support before proceeding, as you could leave PCF vulnerable.

Comments

  • Sameer Vohra

    Thanks for making this Manuel :)
