Bug 1364253 - 0.99.2-1 Update doesn't properly update systemd init files
Summary: 0.99.2-1 Update doesn't properly update systemd init files
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: clamav
Version: epel7
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: ---
Assignee: Robert Scheck
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-04 20:30 UTC by Jeff Morris
Modified: 2018-01-11 20:20 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-01-11 20:20:59 UTC
Type: Bug


Attachments (Terms of Use)

Description Jeff Morris 2016-08-04 20:30:57 UTC
Description of problem:

On a working CentOS 7 system, using yum update to update from clamav-0.99.1-1 to clamav-0.99.2-1 fails to update /usr/lib/systemd/system/clamd@.service file. This file previously contained the paramater "--nofork=yes". This functionality in the clamd daemon has been replaced with "--foreground=yes", so without updating this file, clamd fails on restart.

Version-Release number of selected component (if applicable):

clamav-0.99.2-1

How reproducible:

Very. Another user on the CentOS forums was able to install the package on a clean system (as opposed to my upgrade) and reported the installation was broken out of the box:

https://www.centos.org/forums/viewtopic.php?f=48&t=58763&e=1&view=unread#p248134

Steps to Reproduce:

1. yum install clamav
2. systemctl start clamd@amavisd

Actual results:

Aug  4 13:32:45 colo1 systemd: Starting clamd scanner (amavisd) daemon...
Aug  4 13:32:45 colo1 clamd: /usr/sbin/clamd: unrecognized option `--nofork=yes'
Aug  4 13:32:45 colo1 clamd: ERROR: Unknown option passed
Aug  4 13:32:45 colo1 clamd: ERROR: Can't parse command line options
Aug  4 13:32:45 colo1 systemd: clamd@amavisd.service: main process exited, code=exited, status=1/FAILURE

Expected results:

Aug  4 14:59:35 colo1 systemd: Starting clamd scanner (amavisd) daemon...
Aug  4 14:59:35 colo1 systemd: Started clamd scanner (amavisd) daemon.

Additional info:

CentOS forum discussion about this issue: 
https://www.centos.org/forums/viewtopic.php?f=48&t=58763

Marking as urgent because this bug can leave production email servers without antivirus protection, and the symptoms may not manifest until a reboot/service restart... i.e. there may very well be thousands of Internet-facing mail servers with this configuration error in production right now without admin knowledge, as mine was, that will become unprotected upon next restart. (Yikes.)

Comment 1 Jeff Morris 2016-08-04 20:35:03 UTC
Current workaround is to manually edit /usr/lib/systemd/system/clamd@.service and replace "--nofork=yes" with "--foreground=yes", or add as an override in /etc/systemd/system/clamd@.service.

Comment 2 Orion Poplawski 2016-08-18 20:30:40 UTC
I cannot reproduce the /usr/lib/systemd/system/clamd@.service file not getting updated.  However, I could see custom clamd@blah service files not getting updated.  Looks like you are using clamd@amavisd.  However, you should really be doing something like this, if possible:

# cat /usr/lib/systemd/system/clamd@scan.service
.include /lib/systemd/system/clamd@.service

[Unit]
Description = Generic clamav scanner daemon

[Install]
WantedBy = multi-user.target

Or simply enabling clamd@amavisd and starting it.  systemd will handle the rest with symlinks.

What is the contents of your clamd@amavisd.service file?

Comment 3 Robert Scheck 2017-03-28 19:58:15 UTC
Jeff, can you please provide the information requested in comment #2?

Comment 4 Jeff Morris 2017-04-01 07:05:51 UTC
(In reply to Robert Scheck from comment #3)
> Jeff, can you please provide the information requested in comment #2?

Sorry for the delay, it was more than 6 months ago and sort of fell off my radar. 

I do not seem to have a clamd@amavisd.service file, only a clamd@.service file. This is a production system that I apply updates to monthly, so something may have changed since I filed this bug report. I will spin up a CentOS 7 VM and try to reproduce again and report back shortly. Sorry again for the delay.

Comment 5 Jeff Morris 2017-04-01 07:29:41 UTC
Sorry, I spoke too soon. I located clamd@amavisd.service in /etc/systemd/system/multi-user.target.wants, however it is just a symlink to /usr/lib/systemd/system/clamd@.service, which is the file that I reported not getting updated. That was why I didn't see it a moment ago:

ls -l /etc/systemd/system/multi-user.target.wants/clamd@amavisd.service
lrwxrwxrwx 1 root root 38 Feb 29  2016 /etc/systemd/system/multi-user.target.wants/clamd@amavisd.service -> /usr/lib/systemd/system/clamd@.service

I'm fairly certain I did not set things up this way myself, rather it was set up this way by yum as part of the default installation of the amavisd-new package. Based on the logs I kept when setting up this server, the following is the list of packages I installed via yum. I do not recall making any changes to any systemd files (other than the changes I mentioned above as a workaround to change --nofork=yes to --foreground=yes):

yum install dovecot dovecot-mysql dovecot-pigeonhole spamassassin amavisd-new clamav perl-Razor-Agent opendkim crypto-utils mod_ssl clamav-update lrzip lzop lz4 arj unzoo cabextract p7zip php-mcrypt
 
Here are the contents of the file that you requested, although again this is the clamd@.service file, clamd@amavisd.service is just a symlink to this on my system:

cat /etc/systemd/system/multi-user.target.wants/clamd@amavisd.service
[Unit]
Description = clamd scanner (%i) daemon
After = syslog.target nss-lookup.target network.target
[Service]
Type = simple
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --foreground=yes
Restart = on-failure
PrivateTmp = true
[Install]
WantedBy=multi-user.target

Based on this new info, perhaps I should have filed this bug under the amavisd-new package rather than clamav? Perhaps the amavisd-new package updated clamd@amavisd.service file because of the symlink, overwriting the clamav package's changes, rather than clamav not updating it as I reported?

Please let me know what else I can provide or do to help out. I can still spin up a new VM and try to reproduce if helpful.

Comment 6 Sergio Basto 2018-01-11 20:20:59 UTC
(In reply to Jeff Morris from comment #5)
I also can't reproduced , clamd@.service already have "--foreground=yes" . 
I'm going to close as "works for me", feel free to reopen it, if you have more information. 

Thanks for the report.


Note You need to log in before you can comment on or make changes to this bug.