Installing the ClamAV local RPM in Silverblue?

Hello, I’ve been using Silverblue and was testing some packages before switching to it on my main machine too.

One of the programs I like is clamav, especially since I share a lot of files between Windows users. I saw that it has also been packaged for Fedora a while back but the ClamAV developers seem to suggest their local rpm package instead so I wanted to install that.

However, I couldn’t install clamav. It outputs the following error in a completely new and upgraded Silverblue system with no layered packages:

rpm-ostree install clamav-1.4.2.linux.x86_64.rpm


Checking out tree 6813e3c... done
Enabled rpm-md repositories: fedora-cisco-openh264 updates fedora updates-archive
Importing rpm-md... done
rpm-md repo 'fedora-cisco-openh264' (cached); generated: 2024-03-11T19:22:31Z solvables: 3
rpm-md repo 'updates' (cached); generated: 2025-02-09T01:13:12Z solvables: 20316
rpm-md repo 'fedora' (cached); generated: 2024-10-24T13:55:59Z solvables: 76624
rpm-md repo 'updates-archive' (cached); generated: 2025-02-09T01:45:56Z solvables: 29899
Resolving dependencies... done
Checking out packages... done
error: Checkout clamav-1.4.2-1.x86_64: opendir(local): No such file or directory

I verified the package and can assure its authenticity. I have also tried reaching the same file with absolute and relative paths. Furthermore, I also tried the following commands, each printing the same error:

sudo rpm-ostree install clamav-1.4.2.linux.x86_64.rpm
sudo rpm-ostree install --cache-only clamav-1.4.2.linux.x86_64.rpm
sudo rpm-ostree install --cache-only --allow-inactive clamav-1.4.2.linux.x86_64.rpm

Why do I receive an error for a previous version? How can I fix this?

Hello @greenjohn and welcome to :fedora: !

Can you post here the link to the ClamAV developers’ suggestion for installing their local RPM package?

Briefly skimming the ClamAV docs, I noticed Official ClamAV Docker Images, which is the recommended way to run software on all OSTree-based systems, such as Fedora Silverblue. You might consider using this approach instead of installing ClamAV as a layered package.

Hi @hricky! Thanks for taking the time to respond.

I didn’t mean to imply that they explicitly warn against the version already packaged for Fedora. My impression was that they preferred other options because the instructions for Fedora didn’t include it. The main page and subsequent download list included the local RPM and even in the documentation they suggest adding EPEL rather than just pointing users to the pre-packaged version. I may have misunderstood but that was how I interpreted the options they presented.

I’m not very familiar with containers and sadly couldn’t properly use the docker images. I must have done something wrong, but I couldn’t get it to scan a directory. Maybe it was due to a difference between docker (which ClamAV base their instructions on) and podman. Podman should work and I quite like it with other stuff that was very easy to set up, but I’m a bit lost here.

If it wouldn’t be too much of a bother, could you please share the commands with which I might use that one?

Note: Edited for grammar.

The link you provided reads:

Fedora: Fedora packages can be found at Overview - rpms/clamav - src.fedoraproject.org

At least as far as I understand, this should mean that for Fedora you have to install from the repos. It seems that currently for F41 the latest version is clamav-1.0.8-1.fc41, and for F42 it is clamav-1.4.2-1.fc42. Since F42 has not been released yet, this probably means that for the current version of Fedora Silverblue, the preferred option for running ClamAV should be in a container anyway.

I am not familiar with the ClamAV software, but I can try following the instructions from Docker - ClamAV Documentation. I would suggest you do the same if you haven’t already, and post the issues you’re having here so we can try to resolve them.

Yeah, apologies, you’re right. I just read the part above, guess I need more sleep :sweat_smile:.

I tried those instructions but couldn’t get it to work. I may have been missing something small. I’ll try again later but would also really appreciate it if you can share the steps, should you have some time for it.

I’m unlikely to try the ClamAV container for the next 12 hours or so, so it would probably be useful if you posted the exact errors the container is displaying.

There is also a COPR which seems to be official

https://copr.fedorainfracloud.org/coprs/g/clamav/clamav/

Also see my post here:

Thanks for linking that repo.

Though, I’m not sure that it’s official. There are multiple redhats in GitHub that aren’t redhat so this might be similar. Is there a way for the package to be verified as official like the one in flathub? I briefly checked the members and they don’t seem to claim being a contributor to clamav.

I don’t mean to question you, I just genuinely don’t know if and/or how I can check if it’s official.

Sorry, I didn’t have time yesterday. I’ll do so today or tomorrow. Thanks for the help so far.

Good point. Could absolutely be malware.

In my thread it was mentioned that clamd with clamdscan is in the repos and possibly better

As someone pointed out in the thread, clamd requires freshclam which is found under clamav so I think it would still be required.

@hricky @boredsquirrel So, here is how far I got with the docker image. Hopefully, something silly is the only problem but my limited understanding of containers prevents me from figuring out what that is.

These were the commands with which I retrieved the latest clamav image and created a volume to persist signature databases, in line with this section of the documentation:

podman pull docker.io/clamav/clamav:1.4.2_base
podman volume create clamav_signatures

After this part, it gets tricky because something is always missing when I try to continue to the second part detailed here on how to actually run the container.

First off, I can never reach the interactive tty with the podman run -it --rm starter.

Then, this very basic command that I wrote following their instruction works but limits me to clamscan and downloads signatures every time:

podman run -it --rm\
	-v clamav-signatures:/var/lib/clamav\
	-v Documents:/scan\
	--name "clam_container_01"\
	docker.io/clamav/clamav:1.4.2_base\
	clamscan /scan

Here, the problem is that I can’t get it to utilize freshclam because if I modify the last line like this /bin/bash -c "freshclam && clamscan /scan", which should theoretically fix the issue, freshclam just starts clamd which hangs with the following output:

Starting Freshclamd
Starting ClamAV
Socket for clamd not found yet, retrying (0/1800) ...ClamAV update process started at Mon Feb 10 19:47:32 2025
daily.cvd database is up-to-date (version: 27545, sigs: 2072503, f-level: 90, builder: raynman)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 335, sigs: 86, f-level: 90, builder: raynman)
Socket for clamd not found yet, retrying (18/1800) ...Mon Feb 10 19:47:50 2025 -> Limits: Global time limit set to 120000 milliseconds.
Mon Feb 10 19:47:50 2025 -> Limits: Global size limit set to 419430400 bytes.
...
...
Mon Feb 10 19:47:50 2025 -> Self checking every 600 seconds.
Mon Feb 10 19:47:50 2025 -> Set stacksize to 1048576
socket found, clamd started.

I actually prefer clamd anyway but if I try to launch it, it also just hangs. Either way, I can’t reach an interactive session, can’t use clamd and needlessly download signatures every time. Basically, I can’t utilize the advantages that should come from using it as a container :sweat_smile:

I don’t get why you would install a separate minimal distro just for clamav?

Try clamd RPM?

And yeah, we should do some research who @clamav is

Here’s how I tested it.

ClamAV in Podman
$ sudo file /tmp/test_dir/*

/tmp/test_dir/20250209.pdf:     PDF document, version 1.6, 2 page(s)
/tmp/test_dir/f42-01-night.jxl: JPEG XL container
/tmp/test_dir/grubx64.efi:      PE32+ executable (EFI application) x86-64 (stripped to external PDB), for MS Windows, 5 sections

$ cat clamav.sh 

#! /usr/bin/env bash

podman container run \
    --pull=always \
    --rm \
    --privileged \
    --mount type=bind,source="${1}",destination=/scandir \
    docker.io/clamav/clamav:stable \
    clamscan /scandir

$ sudo ./clamav.sh /tmp/test_dir

Trying to pull docker.io/clamav/clamav:stable...
Getting image source signatures
Copying blob 0ee1fbfa8da7 done   | 
Copying blob 1f3e46996e29 done   | 
Copying blob 2360db1e9ffb done   | 
Copying blob fc90846f3868 done   | 
Copying blob d7176c5de2c5 done   | 
Copying blob 5e67a26e688a done   | 
Copying blob 2fc7f9a5be54 done   | 
Copying config 759b4742e8 done   | 
Writing manifest to image destination
/scandir/grubx64.efi: OK
/scandir/20250209.pdf: OK
/scandir/f42-01-night.jxl: OK

----------- SCAN SUMMARY -----------
Known viruses: 8704164
Engine version: 1.4.2
Scanned directories: 1
Scanned files: 3
Infected files: 0
Data scanned: 7.63 MB
Data read: 5.63 MB (ratio 1.35:1)
Time: 15.055 sec (0 m 15 s)
Start Date: 2025:02:11 09:20:07
End Date:   2025:02:11 09:20:22
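
A least-privilege variant of the wrapper script posted above, added here as an example and not part of any poster's reply: it runs rootless without `--privileged`, mounts the directory read-only, gives the scanner no network, and resolves the path first because podman treats a bare name such as `Documents` in `-v Documents:/scan` as a named volume rather than a host directory. The `PODMAN` override variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Run as a normal user (no sudo).
# Assumptions: image tag as in the post above; the invoking user can read
# the target directory; PODMAN is a hypothetical override for dry runs.
IMAGE="docker.io/clamav/clamav:stable"

# Resolve $1 to an absolute directory path. A source that does not start
# with "/" or "." is taken by podman as a named volume, not a host path.
resolve_dir() {
    abs=$(cd -- "$1" 2>/dev/null && pwd -P) || {
        echo "not a readable directory: $1" >&2; return 2; }
    case $abs in
        *,*) echo "comma in path conflicts with --mount syntax" >&2; return 2 ;;
    esac
    printf '%s\n' "$abs"
}

# Map the exit status to a verdict: clamscan returns 0 when nothing is
# found, 1 on a detection and 2 on errors; podman's own failures are >2.
verdict() {
    case $1 in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Scan directory $1 read-only, with no network and no extra privileges.
# label=disable switches off SELinux separation for this container only,
# instead of relabelling the host files or falling back to --privileged.
scan() {
    dir=$(resolve_dir "$1") || return 2
    rc=0
    ${PODMAN:-podman} container run --rm --pull=always \
        --security-opt label=disable \
        --network none \
        --mount "type=bind,source=${dir},destination=/scandir,ro" \
        "$IMAGE" clamscan --recursive --infected /scandir || rc=$?
    echo "verdict: $(verdict "$rc")" >&2
    return "$rc"
}

# Usage: ./clamscan-rootless.sh /path/to/dir
if [ "$#" -ge 1 ]; then scan "$1"; fi
```

Setting `PODMAN=echo` prints the command line that would be run instead of executing it.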

Because that’s how software application containers work.

When you open Atomic Desktops :: Fedora Docs, the first paragraph after the title states:

Fedora Silverblue is an atomic desktop operating system featuring the GNOME desktop. It aims to be extremely stable and reliable. It also aims to be an excellent platform for developers and for those using container-focused workflows.

The Fedora CoreOS docs also explicitly state that you should generally prefer using podman containers over layering software.

I’m curious why you suggest layering services/applications on an image-mode system instead of running them in containers.

Containers add a lot of files that may come from Fedora, may not. They add a ton of additional trust, require bandwidth and you need to hope that ClamAV keeps it updated.

You also need to regularly update them, which is not automated like rpm-ostree updates.

Rpm-ostree is a system to reliably manage RPM packages. Using containers and Flatpaks is even more important on mutable distros, as those don’t have a reset capability.

So I don’t agree with the docs here, obviously. Otherwise, why not make an immutable system?

Layering RPMs is way more stable than installing them with DNF, but it also adds more state and entropy to the system if config files e.g. are not managed by rpm-ostree.

Still, for most users, and small packages, it makes way more sense to just layer stuff, instead of downloading an entire container just to run a single piece of software.

What would be the benefit anyway? Would the container run as root to have the necessary privileges? Is it able to scan all system files unlike a package depending on them?

I mentioned clamd, not clamav, as mentioned in the linked thread.

Yes, I believe we can all agree that Silverblue is awesome :laughing:. Thank you both for helping make it so with your assistance here in the forums.

I appreciate your comments and the contributions of the @clamav team in Fedora. I didn’t mean to cast any doubt on their efforts, they seem to somewhat actively maintain and test it. Furthermore, I don’t know if there are any significant differences in core functionality between the container and the packaged RPM.

However, in addition to the points @hricky made, I’d argue that it is generally better to rely on upstream and not derivatives when it comes to security-related tools. Hopefully, you can at least partially agree with that sentiment? Software like ClamAV can be critical for the reliability of our systems and as such, I personally would prefer using the version the developers themselves offer and update.

It seems relatively easy to update containers with podman, manually or with a startup script, even for an amateur like me.

@boredsquirrel I understand that you’re suggesting the easier path and if you check my first post, you can see that I would be happy to just run the rpm they gave on the website directly, but for some reason it outputs an error for an earlier version and doesn’t install. I’ll add layered packages in the long run so it honestly isn’t a big concern. (Though I still hope to eventually learn the container workflow). That package also satisfies my principle of getting security-related software from the source.

Alas, I just couldn’t figure out the issue with it. If you can explain how I can install and use either one of the LTS rpms from the dedicated main downloads page, I would be immensely grateful. So far, both gave me the same opendir(local): No such file or directory error for an earlier version of themselves.

Thank you very much for sharing your commands!

Why did you use sudo? It doesn’t seem to be required here.

I’m guessing --privileged is a podman-related necessity since the docker instructions don’t include it. I know that it is not unsafe in the way su is but I wish we didn’t need it. Well, I’m still happy that it works.

May I ask if you could also get clamdscan working? It is supposed to be faster by virtue of being multi-threaded but its configuration is much trickier. I sometimes get large folders with a lot of files I’m supposed to sort and transfer within a few hours so the speed bonus could really help me.

As I said, for some reason Fedora had a clamd package in the repos, but not clamav.

See if that works.

If you want your stuff from the source… use Gentoo.

In the end distro packages compose your entire OS. I see how the COPR is critical though and make a thread.