entrypoint.sh
#!/bin/sh
# Entrypoint script for ClamAV REST service
#
# OpenShift Compatible:
# - Runs as non-root user (random UID assigned by OpenShift, always in GID 0)
# - No privilege escalation (no gosu/su)
# - All processes run as the same user
#
# Startup sequence:
# 1. Generate clamd.conf and freshclam.conf from environment variables
# 2. Start clamd with existing definitions (from image)
# 3. Update virus definitions (clamd reloads automatically via NotifyClamd)
# 4. Start freshclam daemon for periodic updates
# 5. Start REST API server
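set -e

# =============================================================================
# Generate ClamAV configuration files from environment variables
# =============================================================================

# Abort startup unless the given setting is a plain non-negative integer.
# The tunables below are interpolated verbatim into clamd.conf and
# freshclam.conf, so any other value (units, whitespace, embedded newlines)
# would yield a malformed file or add directives nobody intended.
# Arguments: $1 - variable name (used in the message), $2 - its value
# Exits:     1 with a message on stderr when the value is not all digits
require_uint() {
  case "$2" in
    '' | *[!0-9]*)
      echo "Error: $1 must be a non-negative integer (got '$2')" >&2
      exit 1
      ;;
  esac
}

MAX_EXTRACTED_SIZE_MB=${MAX_EXTRACTED_SIZE_MB:-1024}
MAX_SINGLE_FILE_MB=${MAX_SINGLE_FILE_MB:-256}
MAX_RECURSION=${MAX_RECURSION:-16}
MAX_THREADS=${MAX_THREADS:-20}
# How many times per day to check for updates (24=hourly, 12=every 2h, 1=daily)
FRESHCLAM_CHECKS=${FRESHCLAM_CHECKS:-24}

require_uint MAX_EXTRACTED_SIZE_MB "${MAX_EXTRACTED_SIZE_MB}"
require_uint MAX_SINGLE_FILE_MB "${MAX_SINGLE_FILE_MB}"
require_uint MAX_RECURSION "${MAX_RECURSION}"
require_uint MAX_THREADS "${MAX_THREADS}"
require_uint FRESHCLAM_CHECKS "${FRESHCLAM_CHECKS}"

# Config file paths - stored in /var/run/clamav (writable by GID 0)
CLAMD_CONF=/var/run/clamav/clamd.conf
FRESHCLAM_CONF=/var/run/clamav/freshclam.conf

echo "Generating ClamAV configuration files..."
echo " MaxScanSize: ${MAX_EXTRACTED_SIZE_MB}M"
echo " MaxFileSize: ${MAX_SINGLE_FILE_MB}M"
echo " MaxRecursion: ${MAX_RECURSION}"
echo " FreshclamChecks: ${FRESHCLAM_CHECKS}/day"

# Generate clamd.conf
# Note: No "User" directive - runs as container's assigned user
#
# NOTE(review): the clamd TCP socket has no authentication, so it is kept on
# 127.0.0.1; anything sharing this network namespace can still reach it.
# NOTE(review): with clamd's defaults, content beyond MaxScanSize/MaxFileSize/
# MaxRecursion is skipped rather than reported as a detection. Decide whether
# the REST layer should treat over-limit uploads as "not scanned" (clamd's
# AlertExceedsMax option exists for this) - confirm against the API contract.
cat > "${CLAMD_CONF}" << EOF
# ClamAV daemon configuration
# Generated by entrypoint.sh from environment variables
# Network settings - listen on localhost
TCPSocket 3310
TCPAddr 127.0.0.1
# Database location
DatabaseDirectory /var/lib/clamav
# Logging
LogFile /var/log/clamav/clamd.log
LogTime yes
LogVerbose no
# Run in foreground
Foreground yes
# Scan limits - derived from environment variables
MaxScanSize ${MAX_EXTRACTED_SIZE_MB}M
MaxFileSize ${MAX_SINGLE_FILE_MB}M
MaxRecursion ${MAX_RECURSION}
# Concurrency - critical for high throughput
MaxThreads ${MAX_THREADS}
# Other limits
MaxDirectoryRecursion 20
StreamMaxLength ${MAX_SINGLE_FILE_MB}M
# Temp directory for scan operations
TemporaryDirectory /tmp/scans
EOF

# Generate freshclam.conf
# NotifyClamd points at the clamd.conf written above so freshclam can tell the
# running daemon to reload after a successful update.
cat > "${FRESHCLAM_CONF}" << EOF
# Freshclam configuration
# Generated by entrypoint.sh
# Database location
DatabaseDirectory /var/lib/clamav
# Update settings
DatabaseMirror database.clamav.net
# Number of times to check for updates per day (24=hourly, 12=every 2h, 1=daily)
Checks ${FRESHCLAM_CHECKS}
# Notify clamd to reload after updates
NotifyClamd ${CLAMD_CONF}
# Run in foreground when started as daemon
Foreground yes
# Logging
LogTime yes
LogVerbose no
EOF

echo "ClamAV configuration files generated."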
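# =============================================================================
# Start services
# =============================================================================

# Create log file (required for clamd to start)
touch /var/log/clamav/clamd.log

# Start clamd first with existing definitions (from image).
# The generated clamd.conf sets "Foreground yes", so $! is the daemon itself
# and can be polled below to notice an early exit.
echo "Starting clamd daemon..."
clamd --config-file="${CLAMD_CONF}" &
clamd_pid=$!

# Wait for clamd to be ready: ping every 2s, give up after max_wait seconds.
echo "Waiting for clamd to load virus definitions..."
max_wait=180
waited=0
while ! clamdscan --config-file="${CLAMD_CONF}" --ping 1 2>/dev/null; do
  # Fail fast when clamd has already died (bad config, unreadable database)
  # instead of pinging a dead process until the timeout expires.
  if ! kill -0 "${clamd_pid}" 2>/dev/null; then
    echo "Error: clamd exited before becoming ready (see /var/log/clamav/clamd.log)" >&2
    exit 1
  fi
  if [ "${waited}" -ge "${max_wait}" ]; then
    echo "Error: clamd failed to start within ${max_wait}s" >&2
    exit 1
  fi
  sleep 2
  waited=$((waited + 2))
  echo " Waiting... (${waited}s)"
done
echo "clamd is ready!"

# Update virus definitions now that clamd is running (NotifyClamd will reload them).
# Deliberately best-effort: a failed update must not block startup, but the
# service then scans with whatever definitions shipped in the image, which may
# be stale. Alert on this warning so degraded detection coverage is visible.
echo "Updating ClamAV virus definitions..."
freshclam --config-file="${FRESHCLAM_CONF}" --stdout \
  || echo "Warning: freshclam update failed (continuing with existing definitions)" >&2

# Start freshclam daemon for periodic updates
echo "Starting freshclam daemon for automatic updates..."
freshclam --config-file="${FRESHCLAM_CONF}" --daemon &

# Start REST server.
# exec replaces this shell, so nothing supervises the background clamd and
# freshclam processes after this point; a later clamd crash has to be caught
# by the REST server or by a health probe.
# NOTE(review): PORT is only echoed here; presumably clamav-rest reads it from
# the environment itself - confirm. The relative path relies on the image's
# working directory.
echo "Starting ClamAV REST server on port ${PORT:-9000}..."
exec ./clamav-rest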