On 09.11.2017 at 00:13, Colony.three wrote:
Yes my first posts were not close to the problem, as there was an evolution in 
my thinking through the thread.  It was only in the last couple posts that I'd 
narrowed down the cause.

Well that's a pretty impressive setup.  I've gone through line-by-line and made 
my system very similar.  Now I am getting logging, but in the log over and over:
ERROR: LOCAL: Socket file /run/clamd/clamd.sock could not be bound: No such file or directory

Same problem, even though my .service file is -forking- now and other settings 
are like yours.

that below is a production setup running from 2014 until now on Fedora with several dist-upgrades - do you have SELinux enabled?

if so try to disable it and if it works then find someone with SELinux knowledge, i don't touch it after i found strange log entries in my samba and finally the reason was SELinux killed the iptables service

Type=forking for clamd (Fedora has Type=simple as default) because the depending services are starting clean - with Type=simple systemd has no knowledge if the service is initialized, clamd doesn't respond properly while loading the signatures and the rest of the mailsystem gets started too soon


-------- Original Message --------

Subject: Re: [clamav-users] clamav-milter Can't Find Clamd
Local Time: November 7, 2017 4:26 PM
UTC Time: November 8, 2017 12:26 AM
From: h.rei...@thelounge.net
To: clamav-users@lists.clamav.net

On 08.11.2017 at 00:06, Colony.three wrote:

On 07.11.2017 at 22:46, Colony.three wrote:

So much for that theory. There are about a million of these in the logfile. 
It's not making its own socket for unknown reasons which may be New To Science.
well, that looks like clamd is restarted again and again because it's
failing, most likely /run/clamd.scan/ doesn't exist or has the wrong
permissions

Correct, /run/clamd.scan/ does -not- exist. Why? Because the clamd@ service 
destroys it on restart. (along with its socket) I could merrily re-create the 
directory and socket all day long, but on restart it would only be wiped out 
again. Of course the permissions are correct, as per above; it couldn't have 
been destroyed by the service otherwise.

"systemctl status" as well as the syslogs should tell you that the
service is failing if you just look at it
are you aware that /run is a tmpfs and hence anything below does not
survive a reboot?

Why yes, I am. As I say, clamd destroys its socket directory on stop, but then 
does not re-create it on start, like it's supposed to.
This is the problem which I have been trying to explain

you explained it very badly when your initial post contains all sorts of
config snippets, even milter related ones, instead of focusing on the problem that
clamd itself doesn't start properly - simply because in that case anything
else doesn't matter until clamd is up and running fine and to make it
harder you don't post your complete systemd-unit, at least not at the
thread start

http://www.catb.org/esr/faqs/smart-questions.html

well, i disabled all the services and made my own units years ago as i
do for any production stuff below /etc/systemd/system/ and be it only to
ensure Type=simple, automatic restart and not start any process as root
when it's not needed to begin with

---------------------------------------------------------------

[root@localhost:~]$ cat /etc/systemd/system/clamd.service
[Unit]
Description=ClamAV Scanner Daemon

[Service]
Type=forking
Environment="TMPDIR=/tmp"
Environment="LANG=en_GB.UTF-8"
ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf
ExecReload=/usr/bin/kill -SIGUSR2 $MAINPID
Restart=always
RestartSec=1
Nice=5
User=clamscan
Group=clamilt
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=no
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=x86-64
ReadOnlyDirectories=/
ReadWriteDirectories=/run/clamd.scan
ReadWriteDirectories=/run/clamd
ReadWriteDirectories=/var/log
ReadWriteDirectories=/tmp
---------------------------------------------------------------

[root@localhost:~]$ cat /etc/clamd.d/scan.conf
User clamscan
AllowSupplementaryGroups yes
PidFile /run/clamd.scan/clamd.pid
TemporaryDirectory /tmp
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly no
LocalSocket /run/clamd/clamd.sock
LocalSocketMode 0666
MaxConnectionQueueLength 100
StreamMaxLength 35M
StreamMinPort 31000
StreamMaxPort 32000
MaxThreads 10
MaxQueue 50
ReadTimeout 120
CommandReadTimeout 5
SendBufTimeout 200
IdleTimeout 30
ExcludePath ^/proc/
ExcludePath ^/sys/
MaxDirectoryRecursion 20
FollowDirectorySymlinks no
FollowFileSymlinks no
CrossFilesystems yes
SelfCheck 86400
ExitOnOOM yes
Foreground no
Debug no
LeaveTemporaryFiles no
AllowAllMatchScan no
DetectPUA no
AlgorithmicDetection yes
DisableCache no
ScanPE yes
DisableCertCheck yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
OLE2BlockMacros no
ScanPDF yes
ScanSWF yes
ScanMail yes
ScanPartialMessages no
PhishingSignatures yes
PhishingScanURLs no
PhishingAlwaysBlockSSLMismatch no
PhishingAlwaysBlockCloak no
PartitionIntersection no
HeuristicScanPrecedence yes
StructuredDataDetection no
ScanHTML yes
ScanArchive yes
ArchiveBlockEncrypted no
MaxScanSize 50M
MaxFileSize 50M
MaxRecursion 10
MaxFiles 10000
MaxEmbeddedPE 10M
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 5M
MaxPartitions 50
MaxIconsPE 100
ScanOnAccess no
Bytecode yes
BytecodeSecurity TrustSigned
BytecodeTimeout 2000
StatsEnabled no
StatsPEDisabled yes
LogFile /var/log/clamscan.log
LogFileMaxSize 32M
LogTime yes
LogClean no
ExtendedDetectionInfo yes
LogFileUnlock yes
---------------------------------------------------------------

[root@localhost:~]$ cat /etc/systemd/system/clamav-milter.service
[Unit]
Description=ClamAV Postfix-Milter
Wants=clamd.service
After=clamd.service
Before=postfix.service

[Service]
Type=simple
Environment="TMPDIR=/tmp"
ExecStart=/usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf
User=clamilt
Group=clamilt
Environment="LANG=en_GB.UTF-8"
Restart=always
RestartSec=1
Nice=5
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=x86-64
ReadOnlyDirectories=/
ReadWriteDirectories=-/run/clamav-milter
ReadWriteDirectories=-/run/clamd
ReadWriteDirectories=-/tmp
ReadWriteDirectories=-/var/log
---------------------------------------------------------------

[root@localhost:~]$ cat /etc/mail/clamav-milter.conf

# Postfix milter configuration
# Pre-queue virus scanner
# Postfix must be in the "clamilt" user group
# usermod -a -G clamilt postfix
# usermod -a -G sa-milt postfix

User clamilt
AllowSupplementaryGroups yes
MilterSocket /run/clamav-milter/clamav-milter.socket
MilterSocketMode 0660
ClamdSocket unix:/run/clamd/clamd.sock
FixStaleSocket yes
ReadTimeout 120
Foreground yes
TemporaryDirectory /tmp
LocalNet 127.0.0.1
MaxFileSize 35M
OnClean Accept
OnFail Defer
OnInfected Reject
RejectMsg Virus found or dangerous attachment: "%v"
AddHeader Replace
LogFile /var/log/clamav-milter.log
LogFileUnlock yes
LogFileMaxSize 128M
LogTime yes
LogSyslog yes
LogFacility LOG_MAIL
LogVerbose no
LogRotate yes
LogInfected Off
LogClean Off
SupportMultipleRecipients yes
Whitelist /etc/mail/clamav-milter-whitelist.conf
---------------------------------------------------------------

[root@localhost:~]$ cat /etc/tmpfiles.d/clamd.conf
d /run/clamd 0775 clamscan clamilt
---------------------------------------------------------------

[root@localhost:~]$ cat /usr/lib/tmpfiles.d/clamd.scan.conf
d /var/run/clamd.scan 0710 clamscan clamscan
---------------------------------------------------------------

clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
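
The bind failure discussed in this thread comes down to whether the parent directory of `LocalSocket` (and `PidFile`) exists on the `/run` tmpfs when clamd starts. The following shell check is an added example, not part of any poster's message or of ClamAV: its function names are hypothetical and its sample files are constructed from the configuration quoted above.

```sh
#!/bin/sh
# Added example: list the /run directories a clamd config needs that no
# tmpfiles.d fragment creates at boot. Function names are hypothetical.

# /var/run is a symlink to /run on systemd hosts; compare everything as /run.
norm() { sed 's|^/var/run/|/run/|'; }

# Parent directories of LocalSocket and PidFile that live on the /run tmpfs.
needed_dirs() {
    awk '$1 == "LocalSocket" || $1 == "PidFile" { print $2 }' "$1" |
        sed 's|/[^/]*$||' | norm | grep '^/run/' | sort -u
}

# Paths created by "d" or "D" lines in the given tmpfiles.d fragments.
declared_dirs() {
    [ "$#" -gt 0 ] || return 0   # no fragments given: nothing is declared
    awk '$1 == "d" || $1 == "D" { print $2 }' "$@" | norm | sort -u
}

# Usage: missing_dirs CLAMD_CONF TMPFILES_FRAGMENT...
missing_dirs() {
    conf=$1; shift
    declared=$(declared_dirs "$@")
    needed_dirs "$conf" | while read -r dir; do
        printf '%s\n' "$declared" | grep -qxF -- "$dir" || printf '%s\n' "$dir"
    done
}

# Constructed sample files mirroring the configuration quoted in the thread.
sample_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'PidFile /run/clamd.scan/clamd.pid' \
        'LocalSocket /run/clamd/clamd.sock' 'LocalSocketMode 0666' \
        'LogFile /var/log/clamscan.log' > "$d/scan.conf"
    printf '%s\n' 'd /var/run/clamd.scan 0710 clamscan clamscan' \
        > "$d/clamd.scan.conf"
    printf '%s\n' 'd /run/clamd 0775 clamscan clamilt' > "$d/clamd.conf"
    printf '%s\n' "$d"
}

s=$(sample_dir)
echo "packaged fragment only, missing: $(missing_dirs "$s/scan.conf" "$s/clamd.scan.conf")"
echo "admin fragment added, missing: $(missing_dirs "$s/scan.conf" "$s/clamd.scan.conf" "$s/clamd.conf")"
rm -rf "$s"
```

On a real host, pass `/etc/clamd.d/scan.conf` followed by the fragments under `/etc/tmpfiles.d` and `/usr/lib/tmpfiles.d`; any directory it prints has to be created before clamd can bind its socket there.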