Docker image published on OPSWAT Docker Hub

OPSWAT publishes all official public Docker images on Docker Hub:

opswat/metadefendericapsrv-<os-type>:<version>

Each Docker image bundles the official release of MetaDefender ICAP Server.

More information:

https://hub.docker.com/r/opswat/metadefendericapsrv-centos

https://hub.docker.com/r/opswat/metadefendericapsrv-debian

Pull from the OPSWAT Docker Hub repository

  • <repository> - OPSWAT repository address
  • <platform> - can be centos or debian
  • <version> - desired Core version (optional, default is latest)

Example:

Run MetaDefender ICAP Server docker image

[Parameter] Container Name

Argument: --name <container_name>

Description: Your container’s name

Example: --name mdicapsrv01

[Parameter] Init Details (Environmental Variables & Ignition File)

Argument: -v <ignition_folder>:<container_ignition_folder> -e "<env_var>=<value>"

Description:

You must configure MetaDefender ICAP Server (default local admin account, database connection, etc.) before running the MetaDefender Core docker image. This can be done with either one of the following options (do not use both; otherwise the environmental variables will be ignored):

  1. Using environmental variables (-e)
  2. Using ignition file (-v)

Option 1: -e "<env_var>=<value>" - sets an environmental variable to configure; each environmental variable needs its own -e argument

Available environmental variables:

Each variable is listed as name - description, followed by any note.

  • MD_USER - username to create the first admin user
  • MD_PWD - password to create the first admin user
  • MD_EMAIL - email to create the first admin user
  • APIKEY - the API key that will be assigned to the admin user for license auto deactivation and activation
  • LICENSE_KEY - a license key for license auto activation
  • REST_ADDRESS - REST binding address for MetaDefender ICAP Server's Nginx to be allowed
  • REST_PORT - REST binding port for MetaDefender ICAP Server's Nginx to be allowed
  • ICAP_ADDRESS - ICAP binding address for MetaDefender ICAP Server's Nginx to be allowed
  • ICAP_PORT - ICAP binding port for MetaDefender ICAP Server's Nginx to be allowed
  • ICAPS_PORT - ICAPS binding port for MetaDefender ICAP Server's Nginx to be allowed
  • IGNITION_JSON - the ignition file settings; only JSON format is accepted. For example: IGNITION_JSON='{"user/name": "admin", "user/password": "admin", "user/email": "admin@local"}'
  • ICAP_CONF_JSON - MetaDefender ICAP Server configuration file settings; only JSON format is accepted. For example: ICAP_CONF_JSON='{"global/restport": "8009", "logger/loglevel": "info"}'
  • ICAP_DATA_PATH - a full path to the folder (in the container) storing all writable data (engine data, logs, runtime data, etc.)
    • Default is /opt/mdicapsrv/icap_data
    • Make sure to mount a volume to this folder to run with the policy
  • DATA_DIR - a full path to the MetaDefender ICAP Server working data directory, where ICAP stores:
    • LDAP Cert
    • Custom Block Page File Path
  • IMPORT_CONF_FILE - a full path to the file containing the configuration. You need to mount the configuration file into the container to use it
    • List of import targets for IMPORT_CONF_FILE:
      • all : Import all targets
      • schema : Configuration for Security rules
      • servers : Configuration for Server profiles
      • global : Configuration for Global setting
      • history : Configuration for ICAP history
      • auditlog : Configuration for Config history
      • session : Configuration for Security -> Session
      • password-policy : Configuration for Password policy
      • certs : Configuration for Certificates. Note: make sure the path in the config file is valid in the container
      • ssl : Configuration for Security. It is used to enable/disable HTTPS/ICAPS
      • user-management : Configuration for User management

    The all, certs, ssl and user-management targets will override HTTPS_CERT_PATH, ICAPS_CERT_PATH, MD_USER, MD_PWD and MD_EMAIL; only use them if you know what you are doing. For example:

    IMPORT_CONF_FILE_TARGET='["servers", "schema"]'

  • ICAP_TRUST_CERTS_PATH - a full path to the folder containing the certificate files used to verify the MD-Core HTTPS server. You need to mount the folder containing all the certificate files you need into the container to use it
  • HTTPS_CERT_PATH - a full path to the folder containing the certificate and private key files used to enable HTTPS
    • These files must have the same filename, and their extensions must be .crt and .key
    • After being added, the filename without extension will be the name of the certificate in MetaDefender ICAP Server
  • ICAPS_CERT_PATH - a full path to the folder containing the certificate and private key files used to enable ICAPS
    • These files must have the same filename, and their extensions must be .crt and .key
    • After being added, the filename without extension will be the name of the certificate in MetaDefender ICAP Server
  • TEST_MD_CORE_CONNECTION - supports testing the MetaDefender Core connection when the container starts
    • Retries 3 times after the first test fails, with a 10s delay each time
    • Exits the container when all tests fail
    • true to enable
    • false to disable
    • default is false

The priority for overriding configs is: single environmental variable < JSON environmental variable (IGNITION_JSON, ICAP_CONF_JSON)

For example, the following command will start a container with restport=8009:

docker run -it --name mdicapsrv -p 8048:8009 \
  -e REST_PORT=8010 \
  -e IGNITION_JSON='{"user/name": "admin", "user/password": "admin", "user/email": "admin@local"}' \
  -e ICAP_CONF_JSON='{"global/restport": "8009", "logger/loglevel": "info"}' \
  -e ICAP_DATA_PATH=/home/icap_data_dir \
  opswat/metadefendericapsrv-centos:4.13.0
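
A pre-flight check for the override rules above, as an added example that is not part of the original page or of OPSWAT's tooling: it flags single variables shadowed by a JSON variable (the REST_PORT case in the command above), import targets that override certificate paths or first-admin variables, and -e variables combined with a mounted ignition file. The function name, the finding texts and the mapping of MD_* variables to IGNITION_JSON keys are assumptions.

```python
import json

# Single variable -> (JSON variable, key); the MD_* pairs are an assumption.
SHADOWED_BY_JSON = {
    "REST_PORT": ("ICAP_CONF_JSON", "global/restport"),
    "MD_USER": ("IGNITION_JSON", "user/name"),
    "MD_PWD": ("IGNITION_JSON", "user/password"),
    "MD_EMAIL": ("IGNITION_JSON", "user/email"),
}
# Import targets the page says override certificate paths and first-admin variables.
OVERRIDING_TARGETS = {"all", "certs", "ssl", "user-management"}
OVERRIDDEN = ("HTTPS_CERT_PATH", "ICAPS_CERT_PATH", "MD_USER", "MD_PWD", "MD_EMAIL")


def preflight(env, ignition_mounted=False):
    """Return findings for the -e variables of one docker run (values are never echoed)."""
    findings = []
    if ignition_mounted and env:
        findings.append("ignition file is mounted: the -e variables will be ignored")
    parsed = {}
    for name in ("IGNITION_JSON", "ICAP_CONF_JSON", "IMPORT_CONF_FILE_TARGET"):
        if name in env:
            try:
                parsed[name] = json.loads(env[name])
            except json.JSONDecodeError:
                findings.append(f"{name} is not valid JSON")
    for single, (json_var, key) in SHADOWED_BY_JSON.items():
        cfg = parsed.get(json_var)
        if single in env and isinstance(cfg, dict) and key in cfg:
            if str(cfg[key]) != env[single]:
                findings.append(f"{single} is overridden by {json_var}[{key}]")
    targets = parsed.get("IMPORT_CONF_FILE_TARGET")
    targets = targets if isinstance(targets, list) else []
    hit = sorted(t for t in targets if isinstance(t, str) and t in OVERRIDING_TARGETS)
    lost = [name for name in OVERRIDDEN if name in env]
    if hit and lost:
        findings.append(f"import targets {hit} override {lost}")
    return findings

# Constructed sample: the -e variables of the docker run example above.
PAGE_EXAMPLE = {
    "REST_PORT": "8010",
    "IGNITION_JSON": '{"user/name": "admin", "user/password": "admin", "user/email": "admin@local"}',
    "ICAP_CONF_JSON": '{"global/restport": "8009", "logger/loglevel": "info"}',
    "ICAP_DATA_PATH": "/home/icap_data_dir",
}

if __name__ == "__main__":
    print("\n".join(preflight(PAGE_EXAMPLE)))
```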

Option 2: -v <ignition_folder>:<container_ignition_folder> - (optional) mounts the folder containing the ignition file to the container’s folder

  • <ignition_folder> - ignition folder path containing the ignition file <ignition_folder>/ometascan.conf

  • <container_ignition_folder> - container’s folder to be mounted to, /opt/ometascan/core_data/opswat by default

Example:

Set up the first admin

  • user = admin
  • password = admin
  • email = admin@local
  • apikey = e276cc32f85b6bf312e7a47d6fc5d530f42e

Option 1 - using environmental variables

Option 2 - using the ignition file

Volumes

Each volume is listed as name - detail, followed by its default.

  • OS_CERTS_STORE_PATH - where the OS stores the certificates. Needed when running with a read-only file system or non-root privileges
    • CentOS default: /etc/pki/ca-trust
    • Debian default: /etc/ssl/certs
  • OS_CERTS_INSTALL_PATH - where the OS reads the certificates to install. Needed when running with a read-only file system or non-root privileges
    • CentOS default: /etc/pki/ca-trust/source/anchors/
    • Debian default: /usr/local/share/ca-certificates/
  • SYSTEM_DIR - temp system path for running ICAP Server. Default: /opt/mdicapsrv/system
  • ICAP_DATA_PATH - a full path to the folder (in the container) storing all writable data (engine data, logs, runtime data, etc.). Default: /opt/mdicapsrv/icap_data
  • PW_PATH - stores users and the groups to which users belong under Linux and UNIX operating systems (/etc/group, /etc/passwd). Default: /mdicapsrv/pw