Docker image published on OPSWAT Docker Hub

OPSWAT publish all official public docker images on Docker Hub:

opswat/metadefendericapsrv-<os-type>:<version>

The docker images are all bundled with the official release MetaDefender ICAP Server.

More information:

https://hub.docker.com/r/opswat/metadefendericapsrv-centos

https://hub.docker.com/r/opswat/metadefendericapsrv-debian

Pull from the OPSWAT Docker Hub repository

pull image
Copy
  • <repository> - OPSWAT repository address
  • <platform> - can be centos, debian
  • <version> - desired Core version (optional, default is latest)

Example:

Run MetaDefender ICAP Server docker image

docker run cmd
Copy

[Parameter] Container Name

Argument: --name <container_name>

Description: Your container’s name

Example: --name mdicapsrv01

[Parameter] Init Details (Environmental Variables & Ignition File)

Argument: -v <ignition_folder>:<container_ignition_folder> -e "<env_var>=<value>"

Description:

You must configure MetaDefender ICAP Server(default local admin account, database connection etc.) before running MetaDefender Core docker image. It could be done via either one of following options ( do not use both options, otherwise the environmental variables will be ignored ):

  1. Using environmental variables (-e)
  2. Using ignition file (-v)

Option 1:-e "<env_var>=<value>" - set an environmental variable to configure, each environmental variable need one -e argument

Available environmental variables:

namedescriptionnote
ACCEPT_EULASet the ACCEPT_EULA variable to any value to confirm your acceptance of the End-User Licensing AgreementDefault value is false. Must set true this ENV to start container.
MD_USERUsername to create the first admin user
MD_PWDPassword to create the first admin user
MD_EMAILEmail to create the first admin user
APIKEYThe API key will be assigned to the admin user for license auto deactivation and activation
LICENSE_KEYAn license key for license auto activation
REST_ADDRESSREST binding address for MetaDefender ICAP Server's Nginx to be allowed
REST_PORTREST binding port for MetaDefender ICAP Server's Nginx to be allowed
ICAP_ADDRESSICAP binding address for MetaDefender ICAP Server's Nginx to be allowed
ICAP_PORTICAP binding port for MetaDefender ICAP Server's Nginx to be allowed
ICAPS_PORTICAPS binding port for MetaDefender ICAP Server's Nginx to be allowed
ICAP_CONF_JSONMetaDefender ICAP Server configuration file settings, only JSON format is acceptedFor example: ICAP_CONF_ JSON='{"global/restport": "8009", "logger/loglevel": "info"}'
ICAP_DATA_ PATHa full path to folder (in the container) storing all writable data (engine data, logs, runtime data, etc.).
  • Default is /opt/mdicapsrv/icap_data
  • Make sure to mount a volume to this folder to run with the policy
DATA_DIRa full path of MetaDefender ICAP Server working data directory

Where ICAP store:

  • LDAP Cert
  • Custom Block Page File Path
IMPORT_CONF_FILEA full path to the file containing the configurationYou need to mount the configuration file to container to use it
ICAP_TRUST_CERTS_PATHA full path to the folder containing the certificate files used to verify MD-Core HTTPS server.You need to mount the folder containing all certificate files you need to container to use it
HTTPS_CERT_PATHA full path to the folder containing the certificate and private key files used to enable HTTPS.

These files must have the same filename meanwhile their extensions must be .crt and .key

After being added, the filename without extension will be the name of the certificate in MetaDefender ICAP Server

ICAPS_CERT_PATHA full path to the folder containing the certificate and private key files used to enable ICAPS.

These files must have the same filename meanwhile their extensions must be .crt and .key

After being added, the filename without extension will be the name of the certificate in MetaDefender ICAP Server

NGINX_CERT_PATHA full path to the folder containing the certificate and private key files used to enable NGINX Secured Communication.Supported since MD ICAP Server v5.1.0
TEST_MD_CORE_CONNECTION

Support options test MD Core connection when startup container

  • Retry 3 times after the first test failed, 10s delay each time
  • Exit container when all tests failed
  • true to enable
  • false to disable
  • default is false
AUDIT_DATA_RETENTIONSet time of audit data retentionDefault is 168 hours (7 days)
HISTORY_DATA_RETENTIONSet time of history data retentionDefault is 168 hours (7 days)
IGNITION_JSONThe ignition file settings, only JSON format is accepted

For example: IGNITION_JSON='{"user/name": "admin", "user/password": "admin", "user/email": "admin@local"}'

  • or for enable NGINX integration (supported since MD ICAP Server v5.1.0)

JSON='{"user/name": "admin", "user/password": "admin", "user/email": "admin@local", "nginxsupport/enabled": "true", "nginxsupport/port": "8043", "nginxsupport/ports": "8443"}'

  • Or setup PostgreSQL database - (supported since MD ICAP Server v5.2.0)

IGNITION_JSON={"dbserver/private_username": "internal_user", "dbserver/private_password": "internal_user_password"}

IMPORT_CONFIG_FILE_PASSPassword for unzip file import config file. If you use the JSON file, you can let it emptysupported since MD ICAP Server v5.1.0
NGINX_PORTNGINX Communication port8043
NGINXS_PORTNGINX Communication SSL/TLS8443
IMPORT_CONF_FILE_TARGET
  • List of import target for IMPORT_CONF_FILE.
    • all : Import all target
    • schema : Configuration for Security rules
    • servers : Configuration for Server profiles
    • global : Configuration for Global setting
    • history : Configuration for ICAP history
    • auditlog : Configuration for Config history
    • session : Configuration for Security -> Session
    • password-policy : Configuration for Password policy
    • certs : Configuration for Certificates. Notes: Make sure the path in the config file is valid in the container (unsupported this from MD ICAP Server v5.2.0)
    • ssl : Configuration for Security. It is used to enable/disable HTTPS/ICAPS/NGINXS (unsupported this from MD ICAP Server v5.2.0)
    • user-management : Configuration for User management
    • email: Configuration for Email Server
    • nginx: Configuration for NGINX Communication

The all, user-management target will override HTTPS_CERT_PATH, ICAPS_CERT_PATH, NGINX_CERT_PATH, MD_USER, MD_PWD, MD_EMAIL only use it if you know what are you doing. e.g:

IMPORT_CONF_FILE_TARGET='["servers", "schema"]'

HTTPS_SSL_PROTOCOLSThe version of the TLS for HTTPSDefault value is "TLSv1.3" from MD ICAP Server v5.2.0 (previous default is TLS v1.2)
ICAPS_SSL_PROTOCOLSThe version of the TLS for ICAPSDefault value is "TLSv1.3" from MD ICAP Server v5.2.0 (previous default is TLS v1.2)
NGINXS_SSL_PROTOCOLSThe version of the TLS for NGINX CommunicationDefault value is "TLSv1.3" from MD ICAP Server v5.2.0 (previous default is TLS v1.2)
ENABLE_HEALTHCHECKThe feature support for service MD ICAP Server run on Kubernetes

Default value is “true”

  • Supported since MD ICAP Server 5.2.0
ALLOW_CROSS_IP_SESSIONSAllow requests coming from sources different from the authenticated origin.

Default value is “true”

  • Supported since MD ICAP Server 5.2.0
OLMS_HOST_URLDefine the host url of the OPSWAT On Prem Licensing Management Server

Default value is ““

  • Supported since MD ICAP Server 5.2.0
OLMS_REST_PORTDefault REST port for the OLMS service

Default value is “443”

  • Supported since MD ICAP Server 5.2.0
OLMS_RULEDefault rule for active license on the On-Prem License Manager Server

Default value is ““

  • Used for On-prime license manager
  • Supported since MD ICAP Server 5.2.0
OLMS_SOCKET_PORTDefault Socket port for the OLMS service

Default values:

  • Non-secure connection: 3316
  • Secure connection: 13316
OLMS_COMMENTSet the comment for the On-Prem License Manager Server

Default value is ““

  • Supported since MD ICAP Server 5.2.0
OLMS_USE_PROXYoptional

Default: false

If the user want to use proxy for the OLMS activation

Supported since ICAP v5.6.0

OLMS_PROXY_SERVERoptional

Default: empty string

Proxy server address

This field is required if OLMS_USER_PROXY is set to true

Supported since ICAP v5.6.0

OLMS_PROXY_PORToptional

Default: empty string

Proxy port

This field is required if OLMS_USER_PROXY is set to true

Supported since ICAP v5.6.0

OLMS_PROXY_PROXY_TYPEoptional

Default: empty string

Proxy type. Accepted values:

  • socks4
  • socks5
  • http

This field is required if OLMS_USER_PROXY is set to true

Supported since ICAP v5.6.0

OLMS_PROXY_USERNAMEoptional

Default: empty string

Proxy username

Supported since ICAP v5.6.0

OLMS_PROXY_PASSWORDoptional

Default: empty string

Proxy password

Supported since ICAP v5.6.0

ENABLE_NGINXEnable nginx communication with the variable environment

Default value is “false”

  • Supported since MD ICAP Server 5.2.0
DB_MODEDatabase modeRequired
DB_TYPEDatabase typeRequired
DB_HOSTDatabase hostRequired
DB_PORTDatabase portRequired
DB_USERDatabase userRequired
DB_PWDDatabase passwordRequired
MDICAPSRV_INSTANCE_NAMEInstance nameOptional

The priority for overriding configs is: single environmental variable < JSON environmental variable (IGNITION_JSON, ICAP_CONF_JSON)

For example, the following command will start a container with restport=8009

docker run -it --name mdicapsrv -p 8048:8009 \

-e REST_PORT=8010 \

-e IGNITION_JSON='{"user/name": "admin", "user/password": "admin", "user/email": "admin@local"}' \

-e ICAP_CONF_JSON='{"global/restport": "8009", "logger/loglevel": "info"}' \

-e ICAP_DATA_PATH=/home/icap_data_dir \

-e DB_MODE=4 \

-e DB_TYPE=remote \

-e DB_HOST=10.40.50.99 \

-e DB_PORT=5432 \

-e DB_USER=postgres \

-e DB_PWD=admin \

opswat/metadefendericapsrv-centos:5.1.1

Option 2:-v <ignition_folder>:<container_ignition_folder> - (optional) mounting the folder containing the ignition file to the container’s folder

  • <ignition_folder> - ignition folder path containing the ignition file <ignition_folder>/ometascan.conf

  • <container_ignition_folder> container’s folder to be mounted to /opt/ometascan/core_data/opswat (by default)

Example:

Setup the first admin

  • user = admin
  • password = admin
  • email = admin@local
  • apikey = e276cc32f85b6bf312e7a47d6fc5d530f42e

Option 1 - using environmental variables

run
Copy

Option 2 - using the ignition file

run
Copy

Volumes

NameDetailDefault
OS_CERTS_STORE_PATH

Where OS use for store the certificates

Needed when read-only file system or non-root privileges

CentOS

/etc/pki/ca-trust

Debian

/etc/ssl/certs

OS_CERTS_INSTALL_PATH

Where OS read the certificates to install

Needed when read-only file system or non-root privileges

CentOS

/etc/pki/ca-trust/source/anchors/

Debian

/usr/local/share/ca-certificates/

SYSTEM_DIRTemp system path for ICAP Server running/opt/mdicapsrv/system
ICAP_DATA_PATHA full path to the folder (in the container) storing all writable data (engine data, logs, runtime data, etc.)./opt/mdicapsrv/icap_data
PW_PATHStore users and groups to which users belong under Linux and UNIX operating system (/etc/group, /etc/passwd)/mdicapsrv/pw
Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard
Next to read:
Using build tool kit with your own docker image
On This Page
Docker image published on OPSWAT Docker HubPull from the OPSWAT Docker Hub repositoryRun MetaDefender ICAP Server docker image[Parameter] Container Name[Parameter] Init Details (Environmental Variables & Ignition File)Volumes