Bug 1364253

Summary: 0.99.2-1 Update doesn't properly update systemd init files
Product: [Fedora] Fedora EPEL Reporter: Jeff Morris <jeffm592>
Component: clamavAssignee: Robert Scheck <redhat-bugzilla>
Status: CLOSED WORKSFORME QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: epel7CC: janfrode, jeffm592, ms, orion, redhat-bugzilla, rhbugs, sergio, wattersm
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-01-11 20:20:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jeff Morris 2016-08-04 20:30:57 UTC 
Description of problem:

On a working CentOS 7 system, using yum update to update from clamav-0.99.1-1 to clamav-0.99.2-1 fails to update /usr/lib/systemd/system/clamd@.service file. This file previously contained the paramater "--nofork=yes". This functionality in the clamd daemon has been replaced with "--foreground=yes", so without updating this file, clamd fails on restart.

Version-Release number of selected component (if applicable):

clamav-0.99.2-1

How reproducible:

Very. Another user on the CentOS forums was able to install the package on a clean system (as opposed to my upgrade) and reported the installation was broken out of the box:

https://www.centos.org/forums/viewtopic.php?f=48&t=58763&e=1&view=unread#p248134

Steps to Reproduce:

1. yum install clamav
2. systemctl start clamd@amavisd

Actual results:

Aug  4 13:32:45 colo1 systemd: Starting clamd scanner (amavisd) daemon...
Aug  4 13:32:45 colo1 clamd: /usr/sbin/clamd: unrecognized option `--nofork=yes'
Aug  4 13:32:45 colo1 clamd: ERROR: Unknown option passed
Aug  4 13:32:45 colo1 clamd: ERROR: Can't parse command line options
Aug  4 13:32:45 colo1 systemd: clamd: main process exited, code=exited, status=1/FAILURE

Expected results:

Aug  4 14:59:35 colo1 systemd: Starting clamd scanner (amavisd) daemon...
Aug  4 14:59:35 colo1 systemd: Started clamd scanner (amavisd) daemon.

Additional info:

CentOS forum discussion about this issue: 
https://www.centos.org/forums/viewtopic.php?f=48&t=58763

Marking as urgent because this bug can leave production email servers without antivirus protection, and the symptoms may not manifest until a reboot/service restart... i.e. there may very well be thousands of Internet-facing mail servers with this configuration error in production right now without admin knowledge, as mine was, that will become unprotected upon next restart. (Yikes.)
Comment 1 Jeff Morris 2016-08-04 20:35:03 UTC 
Current workaround is to manually edit /usr/lib/systemd/system/clamd@.service and replace "--nofork=yes" with "--foreground=yes", or add as an override in /etc/systemd/system/clamd@.service.
Comment 2 Orion Poplawski 2016-08-18 20:30:40 UTC 
I cannot reproduce the /usr/lib/systemd/system/clamd@.service file not getting updated.  However, I could see custom clamd@blah service files not getting updated.  Looks like you are using clamd@amavisd.  However, you should really be doing something like this, if possible:

# cat /usr/lib/systemd/system/clamd
.include /lib/systemd/system/clamd@.service

[Unit]
Description = Generic clamav scanner daemon

[Install]
WantedBy = multi-user.target

Or simply enabling clamd@amavisd and starting it.  systemd will handle the rest with symlinks.

What is the contents of your clamd file?
Comment 3 Robert Scheck 2017-03-28 19:58:15 UTC 
Jeff, can you please provide the information requested in comment #2?
Comment 4 Jeff Morris 2017-04-01 07:05:51 UTC 
(In reply to Robert Scheck from comment #3)
> Jeff, can you please provide the information requested in comment #2?

Sorry for the delay, it was more than 6 months ago and sort of fell off my radar. 

I do not seem to have a clamd file, only a clamd@.service file. This is a production system that I apply updates to monthly, so something may have changed since I filed this bug report. I will spin up a CentOS 7 VM and try to reproduce again and report back shortly. Sorry again for the delay.
Comment 5 Jeff Morris 2017-04-01 07:29:41 UTC 
Sorry, I spoke too soon. I located clamd in /etc/systemd/system/multi-user.target.wants, however it is just a symlink to /usr/lib/systemd/system/clamd@.service, which is the file that I reported not getting updated. That was why I didn't see it a moment ago:

ls -l /etc/systemd/system/multi-user.target.wants/clamd
lrwxrwxrwx 1 root root 38 Feb 29  2016 /etc/systemd/system/multi-user.target.wants/clamd -> /usr/lib/systemd/system/clamd@.service

I'm fairly certain I did not set things up this way myself, rather it was set up this way by yum as part of the default installation of the amavisd-new package. Based on the logs I kept when setting up this server, the following is the list of packages I installed via yum. I do not recall making any changes to any systemd files (other than the changes I mentioned above as a workaround to change --nofork=yes to --foreground=yes):

yum install dovecot dovecot-mysql dovecot-pigeonhole spamassassin amavisd-new clamav perl-Razor-Agent opendkim crypto-utils mod_ssl clamav-update lrzip lzop lz4 arj unzoo cabextract p7zip php-mcrypt
 
Here are the contents of the file that you requested, although again this is the clamd@.service file, clamd is just a symlink to this on my system:

cat /etc/systemd/system/multi-user.target.wants/clamd
[Unit]
Description = clamd scanner (%i) daemon
After = syslog.target nss-lookup.target network.target
[Service]
Type = simple
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --foreground=yes
Restart = on-failure
PrivateTmp = true
[Install]
WantedBy=multi-user.target

Based on this new info, perhaps I should have filed this bug under the amavisd-new package rather than clamav? Perhaps the amavisd-new package updated clamd file because of the symlink, overwriting the clamav package's changes, rather than clamav not updating it as I reported?

Please let me know what else I can provide or do to help out. I can still spin up a new VM and try to reproduce if helpful.
Comment 6 Sergio Basto 2018-01-11 20:20:59 UTC 
(In reply to Jeff Morris from comment #5)
I also can't reproduced , clamd@.service already have "--foreground=yes" . 
I'm going to close as "works for me", feel free to reopen it, if you have more information. 

Thanks for the report.