Merge pull request #46 from ajilach/44-non-root-support

read-only non-root support

Dockerfile

@@ -1,7 +1,7 @@
 FROM golang:alpine3.19 as build
 
 # Update libraries
-RUN apk update upgrade 
+RUN apk update && apk upgrade
 
 # Set workdir
 WORKDIR /go/src
@@ -16,7 +16,7 @@ FROM alpine:3.19
 COPY --from=build /go/src/clamav-rest/clamav-rest /usr/bin/
 
 # Update & Install tzdata
-RUN  apk update upgrade && apk add --no-cache tzdata
+RUN apk update && apk upgrade && apk add --no-cache tzdata
 
 # Enable Bash & logrotate
 RUN apk add bash logrotate
@@ -42,9 +42,13 @@ RUN freshclam --quiet --no-dns
 
 COPY entrypoint.sh /usr/bin/
 
+RUN mkdir /clamav \
+    && chown -R clamav.clamav /clamav \
+    && chown -R clamav.clamav /var/log/clamav \
+    && chown -R clamav.clamav /run/clamav
+
 ENV PORT=9000
 ENV SSL_PORT=9443
-
 ENV MAX_SCAN_SIZE=100M
 ENV MAX_FILE_SIZE=25M
 ENV MAX_RECURSION=16
@@ -60,4 +64,6 @@ ENV PCRE_MATCHLIMIT=100000
 ENV PCRE_RECMATCHLIMIT=2000
 ENV SIGNATURE_CHECKS=2
 
+USER clamav
+
 ENTRYPOINT [ "entrypoint.sh" ]

README.md

@@ -20,7 +20,7 @@ This is two in one docker image so it runs open source virus scanner ClamAV (htt
 
 # Updates
 
-As of May 2024, the releases are built for multiple architectures thanks to efforts from [kcirtapfromspace](https://github.com/kcirtapfromspace).
+As of May 2024, the releases are built for multiple architectures thanks to efforts from [kcirtapfromspace](https://github.com/kcirtapfromspace) and support non-root read-only deployments thanks to [robaca](https://github.com/robaca).
 
 The additional endpoint `/version` is now available to check the `clamd` version and signature date. Thanks [pastral](https://github.com/pastral).
 
@@ -45,6 +45,8 @@ The following image tags are available:
 
 # Quick Start
 
+See [this docker-compose file](docker-compose-nonroot.yml) for non-root read-only usage.
+
 Run clamav-rest docker image:
 ```bash
 docker run -p 9000:9000 -p 9443:9443 -itd --name clamav-rest ajilaag/clamav-rest

docker-compose-nonroot.yml

@@ -0,0 +1,19 @@
+version: '2'
+services:
+  clamav-rest:
+    mem_reservation: "2G"
+    mem_limit: "3G"
+    image: ajilaag/clamav-rest
+    ports:
+      - "9000:9000"
+      - "9443:9443"
+    read_only: true
+    user: 100:101
+    volumes:
+      - clamav:/clamav:rw
+      - run-clamav:/run/clamav:rw
+      - var-log-clamav:/var/log/clamav:rw
+volumes:
+  clamav:
+  run-clamav:
+  var-log-clamav:

entrypoint.sh

@@ -1,27 +1,39 @@
 #!/bin/bash
 
+mkdir -p /clamav/etc
+mkdir -p /clamav/data
+mkdir -p /clamav/tmp
+cp /etc/clamav/* /clamav/etc/
+
+sed -i 's/^#DatabaseDirectory .*$/DatabaseDirectory \/clamav\/data/g' /clamav/etc/freshclam.conf
+sed -i 's/^#TemporaryDirectory .*$/TemporaryDirectory \/clamav\/tmp/g' /clamav/etc/clamd.conf
+
 # Replace values with environment variables in clamd.conf
-sed -i 's/^#MaxScanSize .*$/MaxScanSize '"$MAX_SCAN_SIZE"'/g' /etc/clamav/clamd.conf
-sed -i 's/^#StreamMaxLength .*$/StreamMaxLength '"$MAX_FILE_SIZE"'/g' /etc/clamav/clamd.conf
-sed -i 's/^#MaxFileSize .*$/MaxFileSize '"$MAX_FILE_SIZE"'/g' /etc/clamav/clamd.conf
-sed -i 's/^#MaxRecursion .*$/MaxRecursion '"$MAX_RECURSION"'/g' /etc/clamav/clamd.conf
-sed -i 's/^#MaxFiles .*$/MaxFiles '"$MAX_FILES"'/g' /etc/clamav/clamd.conf
-sed -i 's/^#MaxEmbeddedPE .*$/MaxEmbeddedPE '"$MAX_EMBEDDEDPE"'/g' /etc/clamav/clamd.conf
-sed -i 's/^#MaxHTMLNormalize .*$/MaxHTMLNormalize '"$MAX_HTMLNORMALIZE"'/g' /etc/clamav/clamd.conf
-sed -i 's/^#MaxHTMLNoTags.*$/MaxHTMLNoTags '"$MAX_HTMLNOTAGS"'/g' /etc/clamav/clamd.conf
-sed -i 's/^#MaxScriptNormalize .*$/MaxScriptNormalize '"$MAX_SCRIPTNORMALIZE"'/g' /etc/clamav/clamd.conf
-sed -i 's/^#MaxZipTypeRcg .*$/MaxZipTypeRcg '"$MAX_ZIPTYPERCG"'/g' /etc/clamav/clamd.conf
-sed -i 's/^#MaxPartitions .*$/MaxPartitions '"$MAX_PARTITIONS"'/g' /etc/clamav/clamd.conf
-sed -i 's/^#MaxIconsPE .*$/MaxIconsPE '"$MAX_ICONSPE"'/g' /etc/clamav/clamd.conf
-sed -i 's/^#PCREMatchLimit.*$/PCREMatchLimit '"$PCRE_MATCHLIMIT"'/g' /etc/clamav/clamd.conf
-sed -i 's/^#PCRERecMatchLimit .*$/PCRERecMatchLimit '"$PCRE_RECMATCHLIMIT"'/g' /etc/clamav/clamd.conf
+sed -i 's/^#MaxScanSize .*$/MaxScanSize '"$MAX_SCAN_SIZE"'/g' /clamav/etc/clamd.conf
+sed -i 's/^#StreamMaxLength .*$/StreamMaxLength '"$MAX_FILE_SIZE"'/g' /clamav/etc/clamd.conf
+sed -i 's/^#MaxFileSize .*$/MaxFileSize '"$MAX_FILE_SIZE"'/g' /clamav/etc/clamd.conf
+sed -i 's/^#MaxRecursion .*$/MaxRecursion '"$MAX_RECURSION"'/g' /clamav/etc/clamd.conf
+sed -i 's/^#MaxFiles .*$/MaxFiles '"$MAX_FILES"'/g' /clamav/etc/clamd.conf
+sed -i 's/^#MaxEmbeddedPE .*$/MaxEmbeddedPE '"$MAX_EMBEDDEDPE"'/g' /clamav/etc/clamd.conf
+sed -i 's/^#MaxHTMLNormalize .*$/MaxHTMLNormalize '"$MAX_HTMLNORMALIZE"'/g' /clamav/etc/clamd.conf
+sed -i 's/^#MaxHTMLNoTags.*$/MaxHTMLNoTags '"$MAX_HTMLNOTAGS"'/g' /clamav/etc/clamd.conf
+sed -i 's/^#MaxScriptNormalize .*$/MaxScriptNormalize '"$MAX_SCRIPTNORMALIZE"'/g' /clamav/etc/clamd.conf
+sed -i 's/^#MaxZipTypeRcg .*$/MaxZipTypeRcg '"$MAX_ZIPTYPERCG"'/g' /clamav/etc/clamd.conf
+sed -i 's/^#MaxPartitions .*$/MaxPartitions '"$MAX_PARTITIONS"'/g' /clamav/etc/clamd.conf
+sed -i 's/^#MaxIconsPE .*$/MaxIconsPE '"$MAX_ICONSPE"'/g' /clamav/etc/clamd.conf
+sed -i 's/^#PCREMatchLimit.*$/PCREMatchLimit '"$PCRE_MATCHLIMIT"'/g' /clamav/etc/clamd.conf
+sed -i 's/^#PCRERecMatchLimit .*$/PCRERecMatchLimit '"$PCRE_RECMATCHLIMIT"'/g' /clamav/etc/clamd.conf
+
+if [ -z "$(ls -A /clamav/data)" ]; then
+  cp /var/lib/clamav/* /clamav/data/
+fi
+
 (
-    freshclam --daemon --checks=$SIGNATURE_CHECKS &
-    clamd &
+    freshclam --config-file=/clamav/etc/freshclam.conf --daemon --checks=$SIGNATURE_CHECKS &
+    clamd --config-file=/clamav/etc/clamd.conf --datadir=/clamav/data &
     /usr/bin/clamav-rest &
 ) 2>&1 | tee -a /var/log/clamav/clamav.log
 
-
 pids=`jobs -p`
 
 exitcode=0
@@ -39,4 +51,4 @@ terminate() {
 trap terminate CHLD
 wait
 
-exit $exitcode
+exit $exitcode