[Pkg-clamav-devel] Initial start of clamav-daemon

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Sat May 7 14:19:03 UTC 2016


On 2016-04-22 18:31:10 [+0200], Dilyan Palauzov wrote:
> Hello,
Hi,

> My understanding is that during service start ConditionPathExistsGlob is
> checked once and if it fails, it is not retried, contrary to something like
> ExecStartPre=/bin/bash -c 'while ! [[ ( -s /var/lib/clamav/main.inc || -s
> /var/lib/clamav/main.cvd || -s /var/lib/clamav/main.cld ) && ( -s
> /var/lib/clamav/daily.inc || -s /var/lib/clamav/daily.cvd || -s
> /var/lib/clamav/daily.cld ) ]] ; do sleep 1 ; done ' .

I kind of don't like this.

> For the mentioned reasons with the current configuration clamd is not going
> to start automatically, once freshclam has downloaded all the files.
> 
> I propose removing the ConditionPathExistsGlob from
> clamav-daemon.s(ervice,ocket). Then, once freshclam is ready, it will notify
> clamd over the socket, systemd will start clamd because of
> clamav-daemon.socket  and everything is fine.  If somebody tries to contact
> the socket before freshclam is ready, and clamd starts and fails due to
> missing databases, we have the current situation: in order to start clamd,
> it has to be restarted manually, once the databases have been downloaded.
> So removing ConditionPathExistsGlob is an improvement, as it boots the
> system correctly in more cases, than now.

Now that I had the time to look at this. Removing the glob from socket
could bring #775458. Not sure if we get the same behaviour if we remove
the glob from both.
I just tried this on my Jessie VM and I don't see the problem:
install both, start the daemon:
|root@deb8i386:~# systemctl status clamav-daemon.service
|● clamav-daemon.service - Clam AntiVirus userspace daemon
|   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled)
|   Active: inactive (dead) since Sat 2016-05-07 16:04:03 CEST; 2min 3s ago
|           start condition failed at Sat 2016-05-07 16:04:29 CEST; 1min 37s ago
|           ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc} was not met
|     Docs: man:clamd(8)
|           man:clamd.conf(5)
|           http://www.clamav.net/lang/en/doc/
|  Process: 1919 ExecStart=/usr/sbin/clamd --foreground=true (code=exited, status=0/SUCCESS)
| Main PID: 1919 (code=exited, status=0/SUCCESS)

does not work yet. Wait for freshclam. Try start again and then:
|root@deb8i386:~# systemctl status clamav-daemon.service
|● clamav-daemon.service - Clam AntiVirus userspace daemon
|   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled)
|   Active: active (running) since Sat 2016-05-07 16:06:09 CEST; 1s ago
|     Docs: man:clamd(8)
|           man:clamd.conf(5)
|           http://www.clamav.net/lang/en/doc/
| Main PID: 1972 (clamd)
|   CGroup: /system.slice/clamav-daemon.service
|           └─1972 /usr/sbin/clamd --foreground=true

This problem of manual start is only there after a fresh install. On
SystemV we print a warning/error message so the user does a manual start.
Maybe we should do the same for SystemD or document it better.

Now you just have the pain of starting it manually once freshclam is done.
If we allowed clamd to start with an empty database then you would
have your auto trigger from freshclam. And what about exim/postfix
asking for the socket to scan something? I *think* we could reject them
until the database is available. After all the system is not yet properly
set up. All requests for the socket would be rejected anyway.

> Greetings
>   Dilian

Sebastian
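
The database readiness condition discussed in this thread (a non-empty main and a non-empty daily database, each as .cvd, .cld or .inc), written as a bounded wait; this is an added example, not code from either poster or from the Debian package. The function names and the timeout parameter are hypothetical.

```shell
#!/bin/sh
# Added example: readiness check for a ClamAV database directory.
# Function names and the timeout argument are assumptions made for
# illustration; the file names are the ones quoted in the thread.

# db_present DIR NAME
# True if DIR/NAME.cvd, DIR/NAME.cld or DIR/NAME.inc exists and is non-empty.
db_present() {
    for ext in cvd cld inc; do
        [ -s "$1/$2.$ext" ] && return 0
    done
    return 1
}

# clamav_db_ready DIR
# True only when both the main and the daily database are present.
# An empty placeholder file does not count, matching the -s test above.
clamav_db_ready() {
    db_present "$1" main && db_present "$1" daily
}

# wait_for_clamav_db DIR TIMEOUT_SECONDS
# Polls once per second. Returns 0 as soon as the databases are there and
# 1 once TIMEOUT_SECONDS have elapsed, so a caller is never blocked forever
# when freshclam cannot download anything.
wait_for_clamav_db() {
    dir=$1
    remaining=$2
    while ! clamav_db_ready "$dir"; do
        [ "$remaining" -le 0 ] && return 1
        sleep 1
        remaining=$((remaining - 1))
    done
    return 0
}
```

Unlike a one-shot start condition, the wait re-checks the directory every second, and unlike an open-ended loop it reports failure after the timeout instead of hanging the start job.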


