FS#57669 - [clamav] clamav-daemon socket activation doesn't work

Attached to Project: Arch Linux
Opened by Neil Darlow (neildarlow) - Tuesday, 27 February 2018, 19:34 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:15 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Levente Polyak (anthraxx)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
The clamav-daemon service is configured with a dependency on a socket activation. This method of operation doesn't work and isn't recommended by the ClamAV developers.

Additional info:

clamav-0.99.3-1

/etc/systemd/system/clamav-daemon.socket.d/override.conf
[Socket]
BindToDevice=tap0
ListenStream=
ListenStream=192.168.1.1:3310

To explain the above: I run clamd to listen on a TUN/TAP interface at address 192.168.1.1. Multiple clients running a clamav-milter instance are on the 192.168.1.x/24 subnet. The BindToInterface assures that clamd only listens on that subnet and forces an After= dependency on the tap0 interface.

Examining the clamav-milter logfiles of the clients shows that no clamd servers are available at one-minute intervals.
Executing a systemctl status clamav-daemon.service returns the daemon being in a dead state due to a failed dependency.
clamd does not run.
Executing systemctl start clamav-daemon manually results in clamd starting and the clamav-milter clients then successfully connect.

Prior to the package update which introduced socket activation my use case worked. After the introduction of socket activation operation is broken.

Steps to reproduce:
1) Put the above clamav-daemon.socket drop-in in place
2) Execute systemctl enable clamav-freshclam.service
3) Execute systemctl start clamav-freshclam.service and allow time for the databases to download
4) Execute systemctl enable clamav-daemon.service (which also adds the clamav-daemon.socket symlink)
5) Wait some time and observe that clamav-milter clients cannot connect to clamd and no clamd process is started
6) Execute systemctl start clamav-daemon.service and note that operation proceeds as expected

Closed by  Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:15 GMT
Reason for closing:  Moved
Additional comments about closing:  https://gitlab.archlinux.org/archlinux/packaging/packages/clamav/issues/1
Comment by Levente Polyak (anthraxx) - Tuesday, 27 February 2018, 19:54 GMT
When/who said it's not recommended by ClamAV developers? They just introduced it in 0.99.3 and I ship what upstream creates. Can you complain at upstream and post a back-reference to the GitHub ticket here?
Comment by Neil Darlow (neildarlow) - Wednesday, 28 February 2018, 21:34 GMT
There was a post on the clamav-devel mailing list about problems with socket activation. I've done a bit of research and the service and socket file templates were committed 2 years ago. There are a few forum posts kicking about in relation to socket activation failing with TCP sockets (the template socket file assumes a filesystem socket). I'll investigate further and see if it needs use of the FreeBind=true and ReusePort=true directives.
Comment by Levente Polyak (anthraxx) - Wednesday, 28 February 2018, 21:39 GMT
Sounds cool, thanks for the work. However, please definitely bring this upstream and open a GitHub issue (please post the link here).
Comment by Neil Darlow (neildarlow) - Monday, 05 March 2018, 15:00 GMT
Sorry for taking so long to get back on this. My Arch Linux system is a production machine and I had to wait for a suitable time to reboot to test my changes.

For network sockets the clamav-daemon.socket file requires two additions:

[Socket]
FreeBind=true
ReusePort=true

The first allows reception of data packets on the socket before the associated daemon starts. Without this setting clamd will not start.
The second permits multiple connections to the socket. I have a feeling that even filesystem socket operation will benefit from having this setting.

I will communicate this information upstream.
Comment by Neil Darlow (neildarlow) - Monday, 05 March 2018, 16:56 GMT
Reported upstream to ClamAV Bugzilla as Bug #12047 - clamav-daemon.socket.in requires additions for network socket operation.
Comment by Ceriel Jacobs (cj1) - Monday, 03 April 2023, 13:48 GMT
This issue seems related to forum https://bbs.archlinux.org/viewtopic.php?id=233951

With ClamAV 1.0.1 I still need to override clamav-daemon.socket with something like:
[Socket]
ListenStream=
ListenStream=/run/clamav/clamd.ctl
ListenStream=127.0.0.1:3310

To get clamd listening at the /etc/clamav/clamd.conf configured TCP port.
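
A way to check for the mismatch described in the comment above, added here as an example that is not part of any comment or of the ClamAV package: it compares the endpoints requested in clamd.conf with the effective ListenStream= list of the socket unit plus its drop-ins, and also reports TCP listeners bound to all interfaces. The stock unit content and all sample inputs are constructed assumptions.

```python
# Added example: constructed sample inputs, not taken from a real host.
CLAMD_CONF = """\
LocalSocket /run/clamav/clamd.ctl
TCPSocket 3310
TCPAddr 127.0.0.1
"""
STOCK_UNIT = "[Socket]\nListenStream=/run/clamav/clamd.ctl\n"  # assumed stock unit
DROP_IN = """\
[Socket]
ListenStream=
ListenStream=/run/clamav/clamd.ctl
ListenStream=127.0.0.1:3310
"""

def clamd_endpoints(conf):
    """Endpoints clamd.conf requests, written in ListenStream= syntax."""
    opts = {}
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0], []).append(parts[1].strip())
    eps = set(opts.get("LocalSocket", []))
    for port in opts.get("TCPSocket", []):
        for addr in opts.get("TCPAddr") or [""]:  # no TCPAddr: all interfaces
            addr = f"[{addr}]" if ":" in addr else addr  # IPv6 literal
            eps.add(f"{addr}:{port}" if addr else port)
    return eps

def listen_streams(*unit_texts):
    """Effective ListenStream= list; unit file first, drop-ins after it."""
    streams = []
    for text in unit_texts:
        section = None
        for line in map(str.strip, text.splitlines()):
            if not line or line[0] in "#;":
                continue
            if line.startswith("["):
                section = line
                continue
            key, _, val = line.partition("=")
            if section == "[Socket]" and key.strip() == "ListenStream":
                if val.strip():
                    streams.append(val.strip())
                else:
                    streams.clear()  # empty assignment resets the list
    return streams

def compare(conf, *unit_texts):
    want, have = clamd_endpoints(conf), set(listen_streams(*unit_texts))
    wild = [s for s in have if s.isdigit() or s.startswith(("0.0.0.0:", "[::]:"))]
    return {"missing": sorted(want - have), "extra": sorted(have - want),
            "all_interfaces": sorted(wild)}
```

On a live system the unit text can be taken from the output of `systemctl cat clamav-daemon.socket`, whose `# /path` header lines the parser skips as comments.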
Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug is open for more than 2 years. Please reply if you still experience this bug otherwise this issue will be closed after 1 month.
