Container-Based Setup

Prerequisite

Before running the setup, please check [Central Hub] Recommended System Configuration to install all required dependencies.

Setup order requirement

Please follow installation steps in order to complete the system setup properly:

Order no.

Service

Notes

1

Redis, RabbitMQ, PostgreSQL and File Server (NAS)

  • Could be setup in parallel in any order among them.

  • Make sure they are all fully functional and accessible before proceeding to the next setup order #2.

2

First MetaDefender Core instance in the shared DB mode.

  • A valid license must be provisioned and activated.

  • In case of MetaDefender Core upgrade scenario, make sure all other MetaDefender Core instances' service are stopped while upgrading this first MetaDefender Core instance.

  • Make sure they are all fully functional and accessible.

  • Heath check constraints to be reviewed and confirmed. In the Central Hub model, MetaDefender Core will not consume any processing tasks from the central queue while staying unheathy via the heath check.

3

The Hub instance, and any other MetaDefender Core instances in the shared DB mode.

  • Could be setup in parallel in any order among them.

  • Make sure it is fully functional and accessible.

1. Redis caching server

  1. Pull the target docker image from Redis repository on DockerHub e.g. https://hub.docker.com/layers/library/redis/7.0.5/images/sha256-2bd864580926b790a22c8b96fd74496fe87b3c59c0774fe144bab2788e78e676?context=explore

docker pull redis:<version>
  1. Run the image:

docker run -d --name <container name> \ -p <redis port>:6379 \ <redis image name>
  1. Check container log to ensure everything works properly:

docker logs -f <container name> # Write a log file from container log docker logs <container name> > <filename>.log

Example:

  1. Pull Redis version 7.0.5 from DockerHub.

  2. Run the image with name set to 'redis', port tied to '6379' and image name set to 'redis:7.0.5'

  3. Check container log.

docker pull redis:7.0.5 docker run -d --name redis -p 6379:6379 redis:7.0.5 docker logs -f redis

2. RabbitMQ broker server

  1. Pull the target docker image from RabbitMQ repository on DockerHub e.g. https://hub.docker.com/layers/library/rabbitmq/3.10.7/images/sha256-90801171d4fdffc9b8877bb3ea5edb974cc123a2f27a678d5fd81488fb5025a2?context=explore

docker pull rabbitmq:<version>
  1. Run the inage:

docker run -d --name <container name> \ [-e RABBITMQ_DEFAULT_USER=<rabbitmq user>] \ [-e RABBITMQ_DEFAULT_PASS=<rabbitmq password>] \ -p <rabbitmq port>:5672 \ <rabbitmq image name>
  1. Check container log to ensure everything works properly:

docker logs -f <container name> # Write a log file from container log docker logs <container name> > <filename>.log

Example:

  1. Pull RabbitMQ version 3.10.7 from DockerHub.

  2. Run the image with name set to 'rabbitmq', username and password set to 'admin', port tied to '6379' and image name set to 'rabbitmq:3.10.7'

  3. Check container log in real time.

docker pull rabbitmq:3.10.7 docker run -d --name rabbitmq \ -e RABBITMQ_DEFAULT_USER=admin \ -e RABBITMQ_DEFAULT_PASS=admin \ -p 5672:5672 \ rabbitmq:3.10.7 docker logs -f rabbitmq

3. PostgreSQL database server

  1. Pull the target docker image from PostgreSQL repository on DockerHub e.g. https://hub.docker.com/layers/library/postgres/12.10/images/sha256-788f33abeef419b4252f73bf55ddf6fc6f77db759f81c7557fb8e1a72fad353b?context=explore

docker pull postgres:<version>
  1. Run the image:

docker run -d --name <container name> \ [-e POSTGRES_PASSWORD=<postgres password>] \ -p <postgres port>:5432 \ <postgres image name>
  1. Check container log to ensure everything works properly:

docker logs -f <container name> # Write a log file from container log docker logs <container name> > <filename>.log

Example:

  1. Pull PostgreSQL version 12.10 from DockerHub.

  2. Run the image with name set to 'postgres', password set to 'admin', port tied to '5432' and image name set to 'postgres:12.10'

  3. Check container log in real time.

docker pull postgres:12.10 docker run -d --name postgres \ -e POSTGRES_PASSWORD=admin \ -p 5432:5432 \ postgres:12.10 docker logs -f postgres

4. File storage server (NAS)

  1. Create a designated folder for <NAS config folder> e.g. ~/mdcore/nas_config

  2. Generate private key, certificate in X509 format and store to a designated location <NAS config folder>

  3. Complete configuration file ometascan_nas.conf MetaDefender Core NAS (File Storage Server) and store it in <NAS config folder>

  4. Pull the target docker image from OPSWAT repository on DockerHub

docker pull <repository>/mdnas-<platform>:<version>
  • <repository>: opswat

  • <platform>: centos ordebian``

  • <version>: File storage server version, default is latest

  1. Run the image and mount <NAS config folder> to/etc/opswat

docker run -d --name <container name> \ -v <nas config folder>:/etc/opswat \ -p <nas port>:8888 \ <image name>
  1. Check container log to ensure everything works properly

docker logs -f <container name> # Write a log file from container log docker logs <container name> > <filename>.log

Example 1:

  1. Docker pull NAS version 1.0 from DockerHub

  2. Create folder ~/mdcore/nas_config

  3. Generate private key, certificate and store to ~/mdcore/nas_config

  4. Fill configuration file ometascan_nas.conf and store to ~/mdcore/nas_config

  5. Run the image with /etc/opswat folder tied to ~/mdcore/nas_config , port tied to '8888' and image name set to 'mdnas-debian:1.0.0'

  6. Check container log

docker pull opswat/mdnas-debian:latest mkdir -p ~/mdcore/nas_config openssl req -new -newkey rsa:4096 -days 36500 \ -nodes -x509 \ -keyout ~/mdcore/nas_config/localhost-100y.key \ -out ~/mdcore/nas_config/localhost-100y.cert vim ~/mdcore/nas_config/ometascan_nas.conf docker run -d --name nas \ -v ~/mdcore/nas_config:/etc/opswat \ -p 8888:8888 \ mdnas-debian:1.0.0 docker logs -f nas

Example 2 (Run as non-root with random uid use --user and uid !=0):

docker pull opswat/mdnas-debian:latest mkdir -p ~/mdcore/nas_config openssl req -new -newkey rsa:4096 -days 36500 \ -nodes -x509 \ -keyout ~/mdcore/nas_config/localhost-100y.key \ -out ~/mdcore/nas_config/localhost-100y.cert vim ~/mdcore/nas_config/ometascan_nas.conf chmod 755 -R ~/mdcore/nas_config docker run -d --name nas_debian \ -v ~/mdcore/nas_config:/etc/opswat \ --user 1000:1000 \ -p 8888:8888 \ opswat/mdnas-debian:latest docker logs -f nas_debian

Example 3 (Run with enabled read-only mode):

docker pull opswat/mdnas-debian:latest mkdir -p ~/mdcore/nas_config openssl req -new -newkey rsa:4096 -days 36500 \ -nodes -x509 \ -keyout ~/mdcore/nas_config/localhost-100y.key \ -out ~/mdcore/nas_config/localhost-100y.cert vim ~/mdcore/nas_config/ometascan_nas.conf chmod 755 -R ~/mdcore/nas_config docker run -d --name nas_debian \ -v ~/mdcore/nas_config:/etc/opswat \ --read-only \ -p 8888:8888 \ opswat/mdnas-debian:latest docker logs -f nas_debian

5. MetaDefender Core server

  1. Create a designated folder for <Core ignition folder> e.g. ~/mdcore/ignition_file

  2. Complete ignition file ometascan.conf MetaDefender Core and store it in <Core ignition folder>

  3. Pull the target docker image from OPSWAT repository on DockerHub

docker pull <repository>/metadefendercore-<platform>:<version>
  • <repository>: opswat

  • <platform>: centos ordebian``

  • <version>: MetaDefender Core version, default is latest

  1. Run the image and mount <Core ignition folder> to/opt/ometascan/core_data/opswat

docker run -d --name <container name> \ -v <core config folder>:/opt/ometascan/core_data/opswat \ -p <core port>:8008 \ <image name>
  1. Check container log to ensure everything works properly

docker logs -f <container name> # Write a log file from container log docker logs <container name> > <filename>.log

Example 1:

  1. Docker pull MetaDefender Core version 5.3.0 from DockerHub

  2. Create folder ~/mdcore/ignition_file

  3. Fill configuration file ometascan.conf and store to ~/mdcore/ignition_file

  4. Run the image with /opt/ometascan/core_data/opswat folder tied to ~/mdcore/ignition_file , port tied to '8888' and image name set to 'mdcore-debian:5.3.0'

  5. Check container log

docker pull opswat/metadefendercore-debian:latest mkdir -p ~/mdcore/ignition_file vim ~/mdcore/ignition_file/ometascan.conf chmod 666 -R ~/mdcore/ignition_file docker run -d --name core_debian \ -v ~/mdcore/ignition_file:/opt/ometascan/core_data/opswat \ -p 8008:8008 opswat/metadefendercore-debian:latest docker logs -f core_debian

Example 2 (Run as non-root with random uid):

docker pull opswat/metadefendercore-debian:latest mkdir -p ~/mdcore/ignition_file vim ~/mdcore/ignition_file/ometascan.conf chmod 777 -R ~/mdcore/ignition_file docker run -d --name core_debian \ -v ~/mdcore/ignition_file:/opt/ometascan/core_data/opswat \ -p 8008:8008 --user 1000:1000 opswat/metadefendercore-debian:latest docker logs -f core_debian

Example 3 (Run with enabled read-only):

docker pull opswat/metadefendercore-debian:latest mkdir -p ~/mdcore/ignition_file vim ~/mdcore/ignition_file/ometascan.conf chmod 777 -R ~/mdcore/ignition_file docker run -d --name core_debian \ -v ~/mdcore/ignition_file:/opt/ometascan/core_data/opswat \ -p 8008:8008 --read-only opswat/metadefendercore-debian:latest docker logs -f core_debian

6. Hub server

  1. Create a designated folder for <Hub config folder> e.g. ~/mdcore/hub_config

  2. Complete configuration file ometascan_hub.conf MetaDefender Core Hub (Hub) and store it in <Hub config folder>

  3. Pull the target docker image from OPSWAT repository on DockerHub

docker pull <repository>/mdhub-<platform>:<version>
  • <repository>: opswat

  • <platform>: centos or debian

  • <version>: Hub version, default is latest

  1. Run the image and mount <Hub config folder> to/etc/opswat

docker run -d --name <container name> \ -v <hub config folder>:/etc/opswat \ -p <hub port>:8889 \ <image name>
  1. Check container log to ensure everything works properly

docker logs -f <container name> # Write a log file from container log docker logs <container name> > <filename>.log

Example 1:

  1. Docker pull Hub version 1.0 from DockerHub

  2. Create folder ~/mdcore/hub_config

  3. Fill configuration file ometascan_hub.conf and store to ~/mdcore/hub_config

  4. Run the image with /etc/opswat folder tied to ~/mdcore/hub_config , port tied to '8889' and image name set to 'mdhub-debian:1.0.0'

  5. Check container log

docker pull opswat/mdhub-debian:latest mkdir -p ~/mdcore/hub_config vim ~/mdcore/hub_config/ometascan_hub.conf docker run -d --name hub_debian \ -v ~/mdcore/hub_config:/etc/opswat \ -p 8889:8889 \ opswat/mdhub-debian:1.0.0 docker logs -f hub_debian

Example 2 (Run as non-root random uid with option --user <uid>:<gid>):

docker pull opswat/mdhub-debian:latest mkdir -p ~/mdcore/hub_config vim ~/mdcore/hub_config/ometascan_hub.conf docker run -d --name hub_debian \ -v ~/mdcore/hub_config:/etc/opswat \ --user 1000:1000 \ -p 8889:8889 \ opswat/mdhub-debian:1.0.0 docker logs -f hub_debian

Example 3 (Run with enabled read only file-system with option --ready-only):

docker pull opswat/mdhub-debian:latest mkdir -p ~/mdcore/hub_config vim ~/mdcore/hub_config/ometascan_hub.conf docker run -d --name hub_debian \ -v ~/mdcore/hub_config:/etc/opswat \ --read-only \ -p 8889:8889 \ opswat/mdhub-debian:1.0.0 docker logs -f hub_debian