Switch from clamscan to clamd + clamdscan --multiscan

clamscan single-threaded scans were the LS26 bottleneck. Daemon mode parallelises across MaxThreads=8 and only loads signatures once. - Add clamav-daemon + clamav-clamdscan packages. - start.sh::start_clamd waits up to 60s for /tmp/clamd.sock. - New clamd.conf: MaxThreads 8, DetectPUA, AlertOLE2Macros, ExcludePath ^/data/(proc|sys|dev|run)/, log to /tmp/clamd.log. - Drop final USER user so clamd can own its socket as clamav. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 14:09:25 +02:00
parent ce44b9564e
commit 66ca4aa335
3 changed files with 46 additions and 16 deletions
@@ -14,20 +14,16 @@ FROM alpine
 ARG PUID=1001
 ARG PGID=1001
 MAINTAINER tabledevil
-RUN apk add -u --no-cache clamav bash clamav-libunrar 
+RUN apk add -u --no-cache clamav clamav-daemon clamav-clamdscan bash clamav-libunrar
 COPY --from=builder /var/lib/clamav /var/lib/clamav
-#add startscript
+ADD clamd.conf /etc/clamav/clamd.conf
 ADD start.sh /start.sh
 RUN chmod +x /start.sh
-#customize clamav config
-RUN sed -ie 's/#DetectPUA yes/DetectPUA yes/p' /etc/clamav/clamd.conf
-RUN sed -ie 's/#AlertOLE2Macros yes/AlertOLE2Macros yes/p' /etc/clamav/clamd.conf
-#
 RUN chown root /usr/bin/freshclam
 RUN chmod u+s /usr/bin/freshclam
-#add user
+RUN mkdir -p /tmp && chown clamav:clamav /tmp
 RUN addgroup -g ${PGID} user && \
-    adduser -D -u ${PUID} -G user user
+    adduser -D -u ${PUID} -G user user && \
+    adduser user clamav
 ENTRYPOINT ["/start.sh"]
 CMD ["shell"]
-USER user
@@ -0,0 +1,14 @@
+LocalSocket /tmp/clamd.sock
+Foreground no
+MaxThreads 8
+MaxScanSize 400M
+MaxFileSize 100M
+MaxRecursion 8
+DetectPUA yes
+AlertOLE2Macros yes
+ConcurrentDatabaseReload no
+ExcludePath ^/data/(proc|sys|dev|run)/
+DatabaseDirectory /var/lib/clamav
+LogSyslog no
+LogFile /tmp/clamd.log
+LogVerbose no
@@ -1,4 +1,21 @@
 #!/bin/sh
+
+start_clamd() {
+    clamd --config-file=/etc/clamav/clamd.conf
+    echo "Waiting for clamd..."
+    attempts=0
+    while [ ! -S /tmp/clamd.sock ] && [ "$attempts" -lt 120 ]; do
+        sleep 0.5
+        attempts=$((attempts + 1))
+    done
+    if [ ! -S /tmp/clamd.sock ]; then
+        echo "ERROR: clamd failed to start"
+        cat /tmp/clamd.log 2>/dev/null
+        exit 2
+    fi
+    echo "clamd ready ($(cat /tmp/clamd.log 2>/dev/null | grep -c 'loaded') databases loaded)"
+}
+
 case "${1}" in
  version )
    echo "stage: ${1}"
@@ -9,17 +26,20 @@ case "${1}" in
      (clamscan -d $file /proc/cmdline > /dev/null 2>&1) && echo "+ ${file}" || echo "Bad Signaturefile ${file}"
    done
    echo "$(sigtool --list-sigs | wc -l) Signatures loaded"
-
    ;;
  scan )
    echo "stage: ${1}"
-    echo "Starting Scan of /data:"
-    clamscan -ir /data
+    start_clamd
+    echo "Starting multiscan of /data:"
+    clamdscan --multiscan /data
+    rc=$?
+    exit $rc
    ;;
  * )
    echo "stage: ${1}"
-    echo "Usage:"
-    clamscan --help | head -n 20
+    echo "Usage: scan | version | shell"
+    echo "  scan    - multithreaded scan of /data via clamd"
+    echo "  version - show engine + signature info"
    /bin/sh
    ;;
 esac