Moved the PID and socket file location to /tmp so the container can run as clamav user.

Updated docker-entrypoint.sh script to look for the PID files in /tmp

Dockerfile

@@ -53,8 +53,8 @@ RUN apk add --no-cache \
        "/clamav/usr/lib/pkgconfig/" \
     && \
     sed -e "s|^\(Example\)|\# \1|" \
-        -e "s|.*\(PidFile\) .*|\1 /run/lock/clamd.pid|" \
-        -e "s|.*\(LocalSocket\) .*|\1 /run/clamav/clamd.sock|" \
+        -e "s|.*\(PidFile\) .*|\1 /tmp/clamd.pid|" \
+        -e "s|.*\(LocalSocket\) .*|\1 /tmp/clamd.sock|" \
         -e "s|.*\(TCPSocket\) .*|\1 3310|" \
         -e "s|.*\(TCPAddr\) .*|#\1 0.0.0.0|" \
         -e "s|.*\(User\) .*|\1 clamav|" \
@@ -62,19 +62,19 @@ RUN apk add --no-cache \
         -e "s|^\#\(LogTime\).*|\1 yes|" \
         "/clamav/etc/clamav/clamd.conf.sample" > "/clamav/etc/clamav/clamd.conf" && \
     sed -e "s|^\(Example\)|\# \1|" \
-        -e "s|.*\(PidFile\) .*|\1 /run/lock/freshclam.pid|" \
+        -e "s|.*\(PidFile\) .*|\1 /tmp/freshclam.pid|" \
         -e "s|.*\(DatabaseOwner\) .*|\1 clamav|" \
         -e "s|^\#\(UpdateLogFile\) .*|\1 /var/log/clamav/freshclam.log|" \
         -e "s|^\#\(NotifyClamd\).*|\1 /etc/clamav/clamd.conf|" \
         -e "s|^\#\(ScriptedUpdates\).*|\1 yes|" \
         "/clamav/etc/clamav/freshclam.conf.sample" > "/clamav/etc/clamav/freshclam.conf" && \
     sed -e "s|^\(Example\)|\# \1|" \
-        -e "s|.*\(PidFile\) .*|\1 /run/lock/clamav-milter.pid|" \
+        -e "s|.*\(PidFile\) .*|\1 /tmp/clamav-milter.pid|" \
         -e "s|.*\(MilterSocket\) .*|\1 inet:7357|" \
         -e "s|.*\(User\) .*|\1 clamav|" \
         -e "s|^\#\(LogFile\) .*|\1 /var/log/clamav/milter.log|" \
         -e "s|^\#\(LogTime\).*|\1 yes|" \
-        -e "s|.*\(\ClamdSocket\) .*|\1 unix:/run/clamav/clamd.sock|" \
+        -e "s|.*\(\ClamdSocket\) .*|\1 unix:/tmp/clamd.sock|" \
         "/clamav/etc/clamav/clamav-milter.conf.sample" > "/clamav/etc/clamav/clamav-milter.conf" || \
     exit 1 && \
     ctest -V
@@ -104,8 +104,9 @@ RUN apk add --no-cache \
         zlib \
     && \
     addgroup -S "clamav" && \
-    adduser -D -G "clamav" -h "/var/lib/clamav" -s "/bin/false" -S "clamav" && \
-    install -d -m 755 -g "clamav" -o "clamav" "/var/log/clamav"
+    adduser -D -G "clamav" -h "/var/lib/clamav" -s "/bin/false" -u 100 -S "clamav" && \
+    install -d -m 755 -g "clamav" -o "clamav" "/var/log/clamav" && \
+    chown -R clamav:clamav /var/lib/clamav
 
 COPY --from=builder "/clamav" "/"
 COPY "./dockerfiles/clamdcheck.sh" "/usr/local/bin/"
@@ -114,3 +115,5 @@ COPY "./dockerfiles/docker-entrypoint.sh" "/init"
 HEALTHCHECK --start-period=6m CMD "clamdcheck.sh"
 
 ENTRYPOINT [ "/init" ]
+
+USER clamav

dockerfiles/docker-entrypoint.sh

@@ -10,13 +10,6 @@
 
 set -eu
 
-if [ ! -d "/run/clamav" ]; then
-	install -d -g "clamav" -m 775 -o "clamav" "/run/clamav"
-fi
-
-# Assign ownership to the database directory, just in case it is a mounted volume
-chown -R clamav:clamav /var/lib/clamav
-
 # run command if it is not starting with a "-" and is an executable in PATH
 if [ "${#}" -gt 0 ] && \
    [ "${1#-}" = "${1}" ] && \
@@ -31,10 +24,6 @@ else
 	fi
 	# else default to running clamav's servers
 
-	# Help tiny-init a little
-	mkdir -p "/run/lock"
-	ln -f -s "/run/lock" "/var/lock"
-
 	# Ensure we have some virus data, otherwise clamd refuses to start
 	if [ ! -f "/var/lib/clamav/main.cvd" ]; then
 		echo "Updating initial database"
@@ -43,11 +32,11 @@ else
 
 	if [ "${CLAMAV_NO_CLAMD:-false}" != "true" ]; then
 		echo "Starting ClamAV"
-		if [ -S "/run/clamav/clamd.sock" ]; then
-			unlink "/run/clamav/clamd.sock"
+		if [ -S "/tmp/clamd.sock" ]; then
+			unlink "/tmp/clamd.sock"
 		fi
 		clamd --foreground &
-		while [ ! -S "/run/clamav/clamd.sock" ]; do
+		while [ ! -S "/tmp/clamd.sock" ]; do
 			if [ "${_timeout:=0}" -gt "${CLAMD_STARTUP_TIMEOUT:=1800}" ]; then
 				echo
 				echo "Failed to start clamd"