Description of problem:
On a working CentOS 7 system, using yum update to update from clamav-0.99.1-1 to clamav-0.99.2-1 fails to update the /usr/lib/systemd/system/clamd@.service file. This file previously contained the parameter "--nofork=yes". This functionality in the clamd daemon has been replaced with "--foreground=yes", so without updating this file, clamd fails on restart.
Version-Release number of selected component (if applicable):
Very. Another user on the CentOS forums was able to install the package on a clean system (as opposed to my upgrade) and reported the installation was broken out of the box:
Steps to Reproduce:
1. yum install clamav
2. systemctl start clamd@amavisd
Aug 4 13:32:45 colo1 systemd: Starting clamd scanner (amavisd) daemon...
Aug 4 13:32:45 colo1 clamd: /usr/sbin/clamd: unrecognized option `--nofork=yes'
Aug 4 13:32:45 colo1 clamd: ERROR: Unknown option passed
Aug 4 13:32:45 colo1 clamd: ERROR: Can't parse command line options
Aug 4 13:32:45 colo1 systemd: clamd@amavisd.service: main process exited, code=exited, status=1/FAILURE
Aug 4 14:59:35 colo1 systemd: Starting clamd scanner (amavisd) daemon...
Aug 4 14:59:35 colo1 systemd: Started clamd scanner (amavisd) daemon.
CentOS forum discussion about this issue:
Marking as urgent because this bug can leave production email servers without antivirus protection, and the symptoms may not manifest until a reboot/service restart... i.e. there may very well be thousands of Internet-facing mail servers with this configuration error in production right now without admin knowledge, as mine was, that will become unprotected upon next restart. (Yikes.)
Current workaround is to manually edit /usr/lib/systemd/system/clamd@.service and replace "--nofork=yes" with "--foreground=yes", or add as an override in /etc/systemd/system/clamd@.service.
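Added example, not part of the original report or of the clamav packaging: a shell check that lists clamd@ unit files still passing the removed `--nofork` option, so the condition described above is found before a restart. The function names and the sample tree are constructed for illustration; only unit files are inspected, not drop-in overrides.

```shell
#!/bin/sh
# Added example (not from the bug report): find clamd@ units that still pass
# the removed --nofork option, so the failure is caught before a restart.

# Print the real path of every clamd@*.service file under the given
# directories whose ExecStart line runs clamd with --nofork. Symlinks such as
# those in multi-user.target.wants are resolved and reported once.
find_stale_clamd_units() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find -L "$dir" -type f -name 'clamd@*.service'
    done | while IFS= read -r unit; do
        real=$(readlink -f "$unit")
        if grep -Eq '^[[:space:]]*ExecStart[[:space:]]*=.*clamd.*--nofork' "$real"; then
            printf '%s\n' "$real"
        fi
    done | sort -u
}

# Constructed sample tree (root must be an absolute path): one stale
# template, one enabled-instance symlink pointing at it, and one unit that
# already uses --foreground=yes.
build_sample_tree() {
    root=$1
    mkdir -p "$root/lib" "$root/etc/multi-user.target.wants"
    printf '%s\n' '[Service]' \
        'ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --nofork=yes' \
        > "$root/lib/clamd@.service"
    ln -s "$root/lib/clamd@.service" \
        "$root/etc/multi-user.target.wants/clamd@amavisd.service"
    printf '%s\n' '[Service]' \
        'ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --foreground=yes' \
        > "$root/etc/clamd@fixed.service"
}

# Scan the directories given on the command line, if any.
if [ "$#" -gt 0 ]; then
    find_stale_clamd_units "$@"
fi
```

Run it with /usr/lib/systemd/system and /etc/systemd/system as arguments; any path printed is a unit that will fail to start with clamav-0.99.2.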
I cannot reproduce the /usr/lib/systemd/system/clamd@.service file not getting updated. However, I could see custom clamd@blah service files not getting updated. Looks like you are using clamd@amavisd. However, you should really be doing something like this, if possible:
# cat /email@example.com
Description = Generic clamav scanner daemon
WantedBy = multi-user.target
Or simply enabling clamd@amavisd and starting it. systemd will handle the rest with symlinks.
What are the contents of your clamd@amavisd.service file?
Jeff, can you please provide the information requested in comment #2?
(In reply to Robert Scheck from comment #3)
> Jeff, can you please provide the information requested in comment #2?
Sorry for the delay, it was more than 6 months ago and sort of fell off my radar.
I do not seem to have a clamd@amavisd.service file, only a clamd@.service file. This is a production system that I apply updates to monthly, so something may have changed since I filed this bug report. I will spin up a CentOS 7 VM and try to reproduce again and report back shortly. Sorry again for the delay.
Sorry, I spoke too soon. I located clamd@amavisd.service in /etc/systemd/system/multi-user.target.wants, however it is just a symlink to /usr/lib/systemd/system/clamd@.service, which is the file that I reported not getting updated. That was why I didn't see it a moment ago:
ls -l /email@example.com
lrwxrwxrwx 1 root root 38 Feb 29 2016 /firstname.lastname@example.org -> /usr/lib/systemd/system/clamd@.service
I'm fairly certain I did not set things up this way myself, rather it was set up this way by yum as part of the default installation of the amavisd-new package. Based on the logs I kept when setting up this server, the following is the list of packages I installed via yum. I do not recall making any changes to any systemd files (other than the changes I mentioned above as a workaround to change --nofork=yes to --foreground=yes):
yum install dovecot dovecot-mysql dovecot-pigeonhole spamassassin amavisd-new clamav perl-Razor-Agent opendkim crypto-utils mod_ssl clamav-update lrzip lzop lz4 arj unzoo cabextract p7zip php-mcrypt
Here are the contents of the file that you requested, although again this is the clamd@.service file, clamd@amavisd.service is just a symlink to this on my system:
Description = clamd scanner (%i) daemon
After = syslog.target nss-lookup.target network.target
Type = simple
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --foreground=yes
Restart = on-failure
PrivateTmp = true
Based on this new info, perhaps I should have filed this bug under the amavisd-new package rather than clamav? Perhaps the amavisd-new package updated the clamd@amavisd.service file because of the symlink, overwriting the clamav package's changes, rather than clamav not updating it as I reported?
Please let me know what else I can provide or do to help out. I can still spin up a new VM and try to reproduce if helpful.
(In reply to Jeff Morris from comment #5)
I also can't reproduce this; clamd@.service already has "--foreground=yes".
I'm going to close as "works for me", feel free to reopen it, if you have more information.
Thanks for the report.