Docker Community Forums

Docker builds on Linux very slow when antivirus running [FIXED]

We’ve noticed that Docker image builds have slowed down a lot since our IT team installed Sophos antivirus for Linux. A build which took 5 minutes previously now takes 25 minutes. Disabling the antivirus allows the build to complete in the shorter time again. I’m looking for a way to avoid this.

The systemd service that runs the antivirus is named sav-protect and the processes that are busy during the docker build are mtdd and savscand. These are related to real-time scanning of modified files, not scheduled scans. The slowest part of the build is where Docker copies a directory from one intermediate stage of the build to another. I don’t know where these files are stored since it’s all internal to Docker at that point. My guess is that the large number of small files being copied overwhelms the antivirus and causes the slowdown.

The antivirus is set to run with a niceness of 19 (to avoid slowing down CPU-heavy processes) and IT tell me that our Docker data-root (/var/lib/docker) where I would expect all Docker file activity to be taking place is excluded from real-time and scheduled scans.

Can someone confirm that files produced during a Docker build are stored in the data-root? Or is there some other path that I need to add to the antivirus exclusion list?

I’m seeking help from Sophos too but it would help to know exactly which paths are used on the host by Docker for intermediate stages during a build.

Check if there are too many files in the build directory. If there are, Docker needs to send all the files to the daemon, which also needs time to finish…

You can ignore the unwanted files using .dockerignore

Before the docker CLI sends the context to the docker daemon, it looks for a file named .dockerignore in the root directory of the context. If this file exists, the CLI modifies the context to exclude files and directories that match patterns in it. This helps to avoid unnecessarily sending large or sensitive files and directories to the daemon and potentially adding them to images using ADD or COPY.

Thanks. Good advice about .dockerignore but not relevant here. The number of files isn’t the problem, at least not directly, and it’s not related to files being copied from the workspace. The slow bit is copying from one image stage to another. In this particular example I’m copying a Python virtual environment that was created in one stage to the next. This directory doesn’t even exist in the build directory since it was created during the build itself.

So I’m really looking for insight into what happens once a build is underway. Where exactly is the antivirus seeing activity?

Fixed it. See the full answer in the Sophos forums.

Sophos on Linux has two different ways of knowing when files are being accessed: Talpa and fanotify. Fanotify is the recommended approach and solves some performance issues. I thought we were already using it because the preferFanotify flag was set but it wasn’t having any effect because the disableFanotify flag was also set. Configuring the antivirus correctly has made the builds run at their normal speed.

Sorry, the link in my previous message is now broken due to changes in the Sophos forums. I can’t figure out how to edit it and can’t find any trace of the page in question :(

It’s strange. Sophos is the best antivirus for Linux. I’ve never met this problem. Incidentally, choosing an antivirus for this OS wasn’t difficult for me. Trying to understand what to install on my Windows is another story. I have so many questions. Is PCmatic a good antivirus program or not? Maybe Windows Defender is enough? Should I also use something else? Quite a complicated topic, as you see.