/
clamav.Dockerfile
30 lines (23 loc) · 1.3 KB
/
clamav.Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
FROM alpine:3.13
# Consistency across Lambda containers
ENV LANG en_US.UTF-8
# clamav-libunrar is for freshclam. Maybe FROM alpine:3.11 after fetch is done to get rid of it
RUN apk --no-cache add \
clamav-daemon \
clamav-libunrar
# lambda_clamav and lambda_clamav_downloader are different users so that lambda_clamav doesn't need to have
# write access to the database files.
# Make sure to make any changes to freshclam's dockerfile too!
RUN addgroup -g 667 -S lambda_clamav && \
adduser -S -s /sbin/nologin -G lambda_clamav -u 667 -H -D lambda_clamav && \
adduser -S -s /sbin/nologin -G lambda_clamav -u 668 -H -D lambda_clamav_downloader && \
mkdir -p /data/clamdb && chown lambda_clamav_downloader:lambda_clamav /data/clamdb && \
chmod 750 /data/clamdb
COPY --chown=lambda_clamav:lambda_clamav ./clamd.conf /clamconf/clamd.conf
RUN chmod 400 /clamconf/clamd.conf
# We don't get a freshclam daemon since this is a container. Download the files manually.
# TODO Maybe run freshclam in another container? Then send SIGUSR2 somehow to make it reload the sig databases
USER lambda_clamav_downloader
RUN freshclam --stdout --log=/dev/stdout --daemon-notify=/dev/null --datadir=/data/clamdb && chmod 640 /data/clamdb/*
USER lambda_clamav
CMD ["/usr/sbin/clamd", "--config-file=/clamconf/clamd.conf"]