From 66ca4aa3355fbb3d67ef0e02bccd963ce0e13c10 Mon Sep 17 00:00:00 2001 From: tobias Date: Tue, 5 May 2026 14:09:25 +0200 Subject: [PATCH] Switch from clamscan to clamd + clamdscan --multiscan clamscan single-threaded scans were the LS26 bottleneck. Daemon mode parallelises across MaxThreads=8 and only loads signatures once. - Add clamav-daemon + clamav-clamdscan packages. - start.sh::start_clamd waits up to 60s for /tmp/clamd.sock. - New clamd.conf: MaxThreads 8, DetectPUA, AlertOLE2Macros, ExcludePath ^/data/(proc|sys|dev|run)/, log to /tmp/clamd.log. - Drop final USER user so clamd can own its socket as clamav. Co-Authored-By: Claude Opus 4.7 (1M context) --- Dockerfile | 14 +++++--------- clamd.conf | 14 ++++++++++++++ start.sh | 34 +++++++++++++++++++++++++++------- 3 files changed, 46 insertions(+), 16 deletions(-) create mode 100644 clamd.conf diff --git a/Dockerfile b/Dockerfile index 255510a..4529b8f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,20 +14,16 @@ FROM alpine ARG PUID=1001 ARG PGID=1001 MAINTAINER tabledevil -RUN apk add -u --no-cache clamav bash clamav-libunrar +RUN apk add -u --no-cache clamav clamav-daemon clamav-clamdscan bash clamav-libunrar COPY --from=builder /var/lib/clamav /var/lib/clamav -#add startscript +ADD clamd.conf /etc/clamav/clamd.conf ADD start.sh /start.sh RUN chmod +x /start.sh -#customize clamav config -RUN sed -ie 's/#DetectPUA yes/DetectPUA yes/p' /etc/clamav/clamd.conf -RUN sed -ie 's/#AlertOLE2Macros yes/AlertOLE2Macros yes/p' /etc/clamav/clamd.conf -# RUN chown root /usr/bin/freshclam RUN chmod u+s /usr/bin/freshclam -#add user +RUN mkdir -p /tmp && chown clamav:clamav /tmp RUN addgroup -g ${PGID} user && \ - adduser -D -u ${PUID} -G user user + adduser -D -u ${PUID} -G user user && \ + adduser user clamav ENTRYPOINT ["/start.sh"] CMD ["shell"] -USER user diff --git a/clamd.conf b/clamd.conf new file mode 100644 index 0000000..9bcc71a --- /dev/null +++ b/clamd.conf @@ -0,0 +1,14 @@ +LocalSocket /tmp/clamd.sock +Foreground no +MaxThreads 8 +MaxScanSize 400M +MaxFileSize 100M +MaxRecursion 8 +DetectPUA yes +AlertOLE2Macros yes +ConcurrentDatabaseReload no +ExcludePath ^/data/(proc|sys|dev|run)/ +DatabaseDirectory /var/lib/clamav +LogSyslog no +LogFile /tmp/clamd.log +LogVerbose no diff --git a/start.sh b/start.sh index 6be4643..57087b4 100644 --- a/start.sh +++ b/start.sh @@ -1,25 +1,45 @@ #!/bin/sh + +start_clamd() { + clamd --config-file=/etc/clamav/clamd.conf + echo "Waiting for clamd..." + attempts=0 + while [ ! -S /tmp/clamd.sock ] && [ "$attempts" -lt 120 ]; do + sleep 0.5 + attempts=$((attempts + 1)) + done + if [ ! -S /tmp/clamd.sock ]; then + echo "ERROR: clamd failed to start" + cat /tmp/clamd.log 2>/dev/null + exit 2 + fi + echo "clamd ready ($(cat /tmp/clamd.log 2>/dev/null | grep -c 'loaded') databases loaded)" +} + case "${1}" in version ) echo "stage: ${1}" clamscan --version clamconf | sed -ne '/Database information/,/^$/p' - for file in /var/lib/clamav/* ; + for file in /var/lib/clamav/* ; do - (clamscan -d $file /proc/cmdline > /dev/null 2>&1) && echo "+ ${file}" || echo "Bad Signaturefile ${file}" + (clamscan -d $file /proc/cmdline > /dev/null 2>&1) && echo "+ ${file}" || echo "Bad Signaturefile ${file}" done echo "$(sigtool --list-sigs | wc -l) Signatures loaded" - ;; scan ) echo "stage: ${1}" - echo "Starting Scan of /data:" - clamscan -ir /data + start_clamd + echo "Starting multiscan of /data:" + clamdscan --multiscan /data + rc=$? + exit $rc ;; * ) echo "stage: ${1}" - echo "Usage:" - clamscan --help | head -n 20 + echo "Usage: scan | version | shell" + echo " scan - multithreaded scan of /data via clamd" + echo " version - show engine + signature info" /bin/sh ;; esac