Description of problem:

clamav-freshclam.service file contains the following entry:

ConditionPathExists=!/etc/cron.d/clamav-freshclam

However, the correct file should be:

/etc/cron.d/clamav-update

The problem allows the cron based updates to run in parallel with this unit / service, which is clearly not the intent.

Version-Release number of selected component (if applicable):
0.103.2-1.el7, maybe older

How reproducible:
Always

Steps to Reproduce:
1. Install clamav-update (0.103.2-1.el7)
2. Check for existence of file /etc/cron.d/clamav-update
3. Review contents of file /usr/lib/systemd/system/clamav-freshclam.service

Actual results:
clamav-freshclam service runs in parallel to the cron job defined in /etc/cron.d/clamav-update

Expected results:
clamav-freshclam service should not run because of the existence of /etc/cron.d/clamav-update

Additional info:
Suggest consideration of the following change to clamav-freshclam.service:

ConditionPathExists=!/etc/cron.d/clamav-update
FEDORA-EPEL-2021-4526718e50 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-4526718e50
Thank you for the report.
FEDORA-EPEL-2021-4526718e50 has been pushed to the Fedora EPEL 7 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-4526718e50 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2021-4526718e50 has been pushed to the Fedora EPEL 7 stable repository. If problem still persists, please make note of it in this bug report.
This fix explicitly breaks the clamav-update functionality. The clamav-freshclam service has a condition of not starting if the file /etc/cron.d/clamav-update exists. However, the clamav-update package PROVIDES the file /etc/cron.d/clamav-update. Therefore by installing the package, the condition for starting the service installed by the package automatically fails. You need to remove the file /etc/cron.d/clamav-update from the package in order for this to work. Please note that /etc/cron.d/clamav-update calls /usr/share/clamav/freshclam-sleep, which in turn reads /etc/sysconfig/freshclam, which will disable the freshclam update functionality if the line 'FRESHCLAM_DELAY=disabled' is present. So perhaps a better solution would be to set that as the default value in /etc/sysconfig/freshclam if you don't want to just remove the /etc/cron.d/clamav-update file...
I propose dropping the condition.
If the condition is dropped, I think we will end up with /usr/bin/freshclam running from clamav-freshclam.service as a daemon, plus a periodic freshclam running from cron (/etc/cron.d/clamav-update). I think freshclam should run from one or the other, but not both. I guess that the cron option is probably there for backwards compatibility?
I don't know what the best solution is, but the problem is clear - if you put a condition in the service file that states a particular file cannot exist, you cannot ALSO install said file as part of the same package. Because then you're installing broken software. Perhaps instead there needs to be an ExecStartPre script that a) checks for the presence of /etc/cron.d/clamav-update, and if it exists checks for the value of FRESHCLAM_DELAY in /etc/sysconfig/freshclam - if that value is not either 'disabled' or 'disabled-warn', then fail and the service won't start. I'm not saying that freshclam should be able to run both ways, but as installed the freshclam service is explicitly broken. I will point out that the cron job has been removed from the EL8 version of the package, so maybe that's the way to go as well, except that most people are probably relying on it since it's the default...
Per https://bugzilla.redhat.com/show_bug.cgi?id=1969240#c5, both services are disabled at install time. We couldn't start the systemd service without removing /etc/cron.d/clamav-update, but on every update the file will be added again. Another point: before the first fix for this report (2021-06-08), it was more or less as if there was no condition, and we had no problems.
Actually, by default the cron job is enabled - /etc/sysconfig/freshclam has the FRESHCLAM_DELAY= commented out, meaning that when freshclam-sleep is called, it will sleep a random amount of time as calculated using the hostid program. So for anyone not using the clamav-freshclam service, everything still works as before. This is why I suggested using a program to check the value of that environment variable as set in /etc/sysconfig/freshclam - if it's 'disabled' or 'disabled-warn', then the cron job will not actually run freshclam and the clamav-freshclam service should be permitted to start; any other value and the cron job will run freshclam, and the service should refuse to start. But just checking for the presence of the cron file means that you can disable the cron functionality without actually being able to start the service, and that's just poor design.
(In reply to josh from comment #10)
> Actually, by default the cron job is enabled - /etc/sysconfig/freshclam has
> the FRESHCLAM_DELAY= commented out, meaning that when freshclam-sleep is
> called, it will sleep a random amount of time as calculated using the hostid
> program. So for anyone not using the clamav-freshclam service, everything
> still works as before. This is why I suggested using a program to check the
> value of that environment variable as set in /etc/sysconfig/freshclam - if
> it's 'disabled' or 'disabled-warn', then the cron job will not actually run
> freshclam and the clamav-freshclam service should be permitted to start; any
> other value and the cron job will run freshclam, and the service should
> refuse to start. But just checking for the presence of the cron file means
> that you can disable the cron functionality without actually being able to
> start the service, and that's just poor design.

OK, I misread the first time; I guess I didn't read correctly the "if the line 'FRESHCLAM_DELAY=disabled' is present". People can add FRESHCLAM_DELAY=disabled to /etc/sysconfig/freshclam to disable the old_freshclam stuff, and just enable the clamav-freshclam service.

The condition on the clamav-freshclam service as you propose is the right way, but I don't see how it is done. So I think reverting the change in clamav-0.103.2-2.el7 is the best solution for now.

BTW: https://src.fedoraproject.org/rpms/clamav/pull-request/18
My initial proposal was to just remove the old_freshclam stuff, but it was not accepted.
Here's how you can replace the condition if you want to try and actively prevent both the cron job and service from running at the same time:

1. Replace the condition line in the service file with this line in the [Service] section:

    ExecStartPre=/path/to/script/freshclam-croncheck.sh (or whatever)

2. Add the script /path/to/script/freshclam-croncheck.sh (again, or whatever) as follows:

    #!/bin/bash
    # Load FRESHCLAM_DELAY as configured for the cron job
    . /etc/sysconfig/freshclam
    # Cron updates are disabled, so the service is allowed to start
    if [[ "${FRESHCLAM_DELAY}" =~ "disabled" ]]
    then
      exit 0
    fi
    # The cron job would still run freshclam: refuse to start the service
    exit 1

If you want to be more precise and only work if the exact terms are used, change the if line to this:

    if [[ "${FRESHCLAM_DELAY}" == "disabled" ]] || [[ "${FRESHCLAM_DELAY}" == "disabled-warn" ]]

Either way, if the script exits non-zero, it will prevent the ExecStart command from being run and the service will be marked as failed.

But reverting to remove the condition works too. Also, I haven't actually tested the above, but in theory it should work.

Thanks.
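Added example, not part of the original comment and not the package's own script: the ExecStartPre check discussed in this thread (refuse to start only when /etc/cron.d/clamav-update exists and FRESHCLAM_DELAY is neither 'disabled' nor 'disabled-warn'), written to parse /etc/sysconfig/freshclam rather than source it, so a pre-start hook running as root never executes the file's contents. The function names and the --check argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-start guard so freshclam runs from cron or from the
# systemd service, never both. Function names are hypothetical.

# Print the last uncommented FRESHCLAM_DELAY= value found in file $1.
# The file is parsed, not sourced, so its contents are never executed.
read_freshclam_delay() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*FRESHCLAM_DELAY=//p' "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# $1 = cron file, $2 = sysconfig file. Returns 0 when the service may start.
may_start_freshclam_service() {
    cron_file=$1
    sysconfig=$2
    # No cron job installed: nothing can run in parallel with the service.
    [ -e "$cron_file" ] || return 0
    case "$(read_freshclam_delay "$sysconfig")" in
        disabled|disabled-warn)
            # freshclam-sleep will not run freshclam from cron.
            return 0 ;;
        *)
            # Unset, commented out, or any other value: cron still updates.
            echo "refusing to start: $cron_file is active;" \
                 "set FRESHCLAM_DELAY=disabled in $sysconfig" >&2
            return 1 ;;
    esac
}

# Invoked as "script --check" (assumed argument) from ExecStartPre=,
# evaluate the real paths named in this bug report.
if [ "${1:-}" = "--check" ]; then
    may_start_freshclam_service /etc/cron.d/clamav-update /etc/sysconfig/freshclam
    exit $?
fi
```

With the default sysconfig file (FRESHCLAM_DELAY= commented out) the check fails and the unit is marked failed, which is the behaviour comment #10 asks for; any value it cannot match exactly is treated as "cron still enabled".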
FEDORA-EPEL-2021-c3dde95087 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-c3dde95087
FEDORA-EPEL-2021-c3dde95087 has been pushed to the Fedora EPEL 7 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-c3dde95087 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2021-01e7b83241 has been pushed to the Fedora EPEL 7 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-01e7b83241 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2021-01e7b83241 has been pushed to the Fedora EPEL 7 stable repository. If problem still persists, please make note of it in this bug report.