clamav broken by update (clamd won't start)

xenium
Posts: 9
Joined: 2009/10/25 11:05:20
Location: Kingston, WA

Post by xenium » 2016/08/04 18:22:10

I have a CentOS 7 mail server that has been running without problems for some time.

I just ran a yum update and made no other configuration changes. After the update I now have the following clamav related packages installed (all from epel):

Code:

# rpm -qa | grep clamav
clamav-filesystem-0.99.2-1.el7.noarch
clamav-0.99.2-1.el7.x86_64
clamav-data-0.99.2-1.el7.noarch
clamav-update-0.99.2-1.el7.x86_64
clamav-lib-0.99.2-1.el7.x86_64
clamav-server-0.99.2-1.el7.x86_64

Clamd now won't start with the following logged in /var/log/messages:

Code:

Aug  4 13:32:45 colo1 systemd: Starting clamd scanner (amavisd) daemon...
Aug  4 13:32:45 colo1 clamd: /usr/sbin/clamd: unrecognized option `--nofork=yes'
Aug  4 13:32:45 colo1 clamd: ERROR: Unknown option passed
Aug  4 13:32:45 colo1 clamd: ERROR: Can't parse command line options
Aug  4 13:32:45 colo1 systemd: clamd@amavisd.service: main process exited, code=exited, status=1/FAILURE

Before I go grepping for that string and hacking up systemd files... what's the right way to fix this? It seems like the nofork feature was removed from this build. I don't recall customizing this when I installed clamav though, and don't see anything about it in my install/maintenance log.

And a related question: why did what should have been a safe automatic update break this production system? Isn't the whole point of upstream to be a security-fixes-between-major-releases-only distro? (Meaning features shouldn't be getting added or removed.) Yes, I can roll-back, but that's not the point. That's the primary reason I've run CentOS all these years. Or is that no longer the case with RHEL? :-(

Thanks!

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Post by TrevorH » 2016/08/04 18:28:17

Yes, that seems to be exceptionally well tested before it was promoted from -testing to EPEL! The rogue option is in /usr/lib/systemd/system/clamd.service so the best thing to do is to copy that file to /etc/systemd/system and amend it there to remove the option. Check back when the package clamav-server is next updated. Also worth giving feedback on the package to say it's broken.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Post by avij » 2016/08/04 18:45:13

Note that clamav is not a CentOS package. The ClamAV you are using is coming from EPEL, which is a separate project.

That said, here's the relevant diff between 0.99.1 and 0.99.2

Code:

$ diff -rub old-c/usr/lib/systemd/system/clamd@.service c/usr/lib/systemd/system/clamd@.service
--- old-c/usr/lib/systemd/system/clamd@.service	2016-03-30 01:04:41.000000000 +0300
+++ c/usr/lib/systemd/system/clamd@.service	2016-06-13 20:46:48.000000000 +0300
@@ -4,6 +4,6 @@

 [Service]
 Type = simple
-ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --nofork=yes
+ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --foreground=yes
 Restart = on-failure
 PrivateTmp = true
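
Review bot: The ExecStart line swaps --nofork=yes for --foreground=yes with nothing in the unit recording that the option was renamed. Because the unit keeps Type = simple, clamd has to stay in the foreground, so any copy of this unit that still passes the old flag fails at start instead of falling back to a default. A comment above ExecStart naming the old option, or a packaging changelog entry, would help admins who maintain copies or overrides of clamd@.service.
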
Perhaps making that change to your file will make things work again.

Post by xenium » 2016/08/04 18:51:32

Thanks Trevor,

After I posted I started grepping around and came to the same conclusion (that it was in /usr/lib/systemd/system/clamd.service). That just further convinces me that it wasn't a customization I made, since I would have done that in /etc. It looks like as you said, the package is just broken. Sigh. I'll set up an override in /etc/systemd/system. I hope that whatever the default behavior of the daemon is now is what I need (i.e. I hope that now that they've removed that option that it won't fork by default; I don't know if that will cause problems for amavisd, etc. Ugh, what a mess.)

I'll submit a bug report on Bugzilla for it.

Post by xenium » 2016/08/04 19:01:40

avij wrote: Note that clamav is not a CentOS package. The ClamAV you are using is coming from EPEL, which is a separate project.

I know. I thought proper protocol, since I'm running Cent, was to start here first, and then move upstream if the issue was determined to be there. If this change to the package only affects CentOS and not RHEL users for example, it wouldn't be appropriate to file a bug report with Fedora/EPEL. Sorry if I should have started there.

avij wrote: Perhaps making that change to your file will make things work again.

Thanks! That did indeed fix it. That's odd though, I wonder why that change didn't get made to my file during the update? I actually looked for the usual .rpmnew, .rpmsave files and didn't see any, so assumed the package wasn't trying to make any changes there. I'll see if I can find anything in my logs.

Thanks again.

Post by avij » 2016/08/04 19:23:53

xenium wrote: That's odd though, I wonder why that change didn't get made to my file during the update? I actually looked for the usual .rpmnew, .rpmsave files and didn't see any, so assumed the package wasn't trying to make any changes there. I'll see if I can find anything in my logs.

Perhaps you had made a copy of the file for amavis. yum can't know of such copies and as such, yum can't update those. Running systemctl enable clamd@amavisd and systemctl start clamd@amavisd would have enabled clamd for amavis without the need to make a separate copy of the file.

Post by TrevorH » 2016/08/04 19:49:13

The package is broken when it is installed. I installed it to check and right out of the box /usr/lib/systemd/system/clamd.service has the offending parameter in it.

Post by xenium » 2016/08/04 19:53:51

TrevorH wrote: The package is broken when it is installed. I installed it to check and right out of the box /usr/lib/systemd/system/clamd.service has the offending parameter in it.

I'll file a Bugzilla to EPEL then. I didn't see an existing one and was starting to file one earlier, but then I saw avij's diff, so I thought it was at my end and aborted filing the report. :-D

Post by TrevorH » 2016/08/04 20:56:13

Yeah, avij and I have been investigating via IRC and the copy of the unit file that I see is a stray one left over from some previous install of clamav that I did in Nov 2015. I installed the packages and uninstalled them 7 minutes later so I suspect I was looking at a previous clamav problem then. That install seems to have left that file installed even though it should have been removed but I do not know how. Try rpm -qf /usr/lib/systemd/system/clamd.service and if it says "unowned by any package" then you can remove it.
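
The checks the thread converges on, as an added example that is not part of any post: scan a directory for clamd unit files that still pass --nofork, report package ownership with rpm -qf, and write a corrected copy to an override directory. The function names, the temporary directory layout and the sample unit contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit clamd unit files for the removed --nofork option.
# Function names and the demo tree below are assumptions, not packaged files.

# Print each clamd*.service under the given directories whose ExecStart
# still passes --nofork (the option clamd rejects in the log above).
find_stale_units() {
    local dir f
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/clamd*.service; do
            [ -f "$f" ] || continue
            grep -Eq '^[[:space:]]*ExecStart[[:space:]]*=.*--nofork' "$f" && echo "$f"
        done
    done
    return 0
}

# Name the owning package, "unowned" if rpm knows none, or "unknown"
# when rpm is not available on the machine running the check.
unit_owner() {
    local out
    command -v rpm >/dev/null 2>&1 || { echo "unknown"; return 0; }
    if out=$(rpm -qf "$1" 2>/dev/null); then echo "$out"; else echo "unowned"; fi
}

# Write a corrected copy into an override directory (on a real host:
# /etc/systemd/system), swapping --nofork=yes for --foreground=yes as in
# the 0.99.1 -> 0.99.2 diff. The source file is left untouched.
write_override() {
    local src="$1" dest_dir="$2"
    mkdir -p "$dest_dir"
    sed 's/--nofork=yes/--foreground=yes/' "$src" > "$dest_dir/$(basename "$src")"
}

# Constructed sample tree standing in for /usr/lib/systemd/system.
demo=$(mktemp -d)
mkdir -p "$demo/lib"
printf '[Service]\nType = simple\nExecStart = /usr/sbin/clamd -c /etc/clamd.d/amavisd.conf --nofork=yes\n' > "$demo/lib/clamd.service"
printf '[Service]\nType = simple\nExecStart = /usr/sbin/clamd -c /etc/clamd.d/%%i.conf --foreground=yes\n' > "$demo/lib/clamd@.service"

find_stale_units "$demo/lib" | while read -r unit; do
    echo "stale: $unit (owner: $(unit_owner "$unit"))"
    write_override "$unit" "$demo/etc"
done
```

On a real host, run systemctl daemon-reload after writing an override so systemd picks up the new copy.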
