Ben Argyle via clamav-users wrote:
> We're running ClamAV on RHEL 8 from EPEL 8:
>
> clamd-1.0.8-1.el8.x86_64
> clamav-freshclam-1.0.8-1.el8.x86_64
> clamav-1.0.8-1.el8.x86_64
>
> I know it's old, but that's what we've got to work with. Anyway, we're seeing
> an issue where all of our clamd@scan daemons are restarting because of systemd,
> sometimes multiple times a day:
>
> # journalctl -u clamd@scan | grep systemd
> [...]
> Jan 01 03:08:04 cstestapp1 systemd[1]: Stopping clamd scanner (scan) daemon...
> Jan 01 03:08:05 cstestapp1 systemd[1]: clamd@scan.service: Succeeded.

[snip]

> It seems likely that the "01" restarts are due to logrotate:
>
> /var/log/clamd.scan {
>     create 644 root root
>     monthly
>     compress
>     missingok
>     postrotate
>         systemctl restart clamd@scan >/dev/null 2>&1 || true
>     endscript
> }
>
> But we can't work out what could be causing all of the other ones. We've
> probably ruled out OOM issues (nothing in /var/log/messages or 'dmesg'). Any
> ideas what else I can look for, or what could be causing them?

Based on the hassles I had building a custom package for use here, I
would guess systemd "socket activation", which is inexplicably enabled
at least in the Debian stock packages.

clamd is very much a Very Bad use case for socket activation.

It's been a while since I piloted an RPM-based distro, but IIRC "rpm -ql
clamd" should tell you what files got installed. "rpm -q --scripts
clamd" should show any pre/post-install scripts. Look for .service and
.sock(et?) files under (/usr)/lib/systemd/system. (No idea which
variation(s) might show up on RHEL.)

"systemctl edit clamd.[service|socket]" should also at least let you see
what's configured, even if you can't find the original .service or
.socket definitions.

-kgd