Am 08.11.2017 um 00:06 schrieb Colony.three:
Am 07.11.2017 um 22:46 schrieb Colony.three:
So much for that theory. There are about a million of these in the logfile.
It's not making its own socket for unknown reasons which may be New To Science.
well, that looks like clamd is restarted again and again because it's
failing, most likely /run/clamd.scan/ don't exist or has the wrong
permissions
Correct, /run/clamd.scan/ does -not- exist. Why? Because the clamd@ service
destroys it on restart. (along with its socket) I could merrily re-create the
directory and socket all day long, but on restart it would only be wiped out
again. Of course the permissions are correct, as per above; it couldn't have
been destroyed by the service otherwise.
"systemctl status" as well as the syslogs should tell you that the
service is failing if you just look at it
are you aware that /run is a tmpfs and hence anything below does not
survive a reboot?
Why yes, I am. As I say, clamd destroys its socket directory on stop, but then
does not re-create it on start, like it's supposed to.
This is the problem which I have been trying to explain
you explained it very bad when you initial post conatins all sort of
config snippets, even milter related ones instead focus on the problem
clamd itself don't start properly - simply becaus ein that case anything
else don't matter until clad is up and running fine and to make it
harder you don#t post your complete systemd-unit, at least not at the
thread start
http://www.catb.org/esr/faqs/smart-questions.html
well, i disabled all the services and made my own units years ago as i
do for any production stuff below /etc/systemd/system/ and be it only to
ensure Type=simple, automatic restart and not start any process as root
when it's not needed to begin with
__________________________________________________________________________
[root@localhost:~]$ cat /etc/systemd/system/clamd.service
[Unit]
Description=ClamAV Scanner Daemon
[Service]
Type=forking
Environment="TMPDIR=/tmp"
Environment="LANG=en_GB.UTF-8"
ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf
ExecReload=/usr/bin/kill -SIGUSR2 $MAINPID
Restart=always
RestartSec=1
Nice=5
User=clamscan
Group=clamilt
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=no
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=x86-64
ReadOnlyDirectories=/
ReadWriteDirectories=/run/clamd.scan
ReadWriteDirectories=/run/clamd
ReadWriteDirectories=/var/log
ReadWriteDirectories=/tmp
__________________________________________________________________________
[root@localhost:~]$ cat /etc/clamd.d/scan.conf
User clamscan
AllowSupplementaryGroups yes
PidFile /run/clamd.scan/clamd.pid
TemporaryDirectory /tmp
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly no
LocalSocket /run/clamd/clamd.sock
LocalSocketMode 0666
MaxConnectionQueueLength 100
StreamMaxLength 35M
StreamMinPort 31000
StreamMaxPort 32000
MaxThreads 10
MaxQueue 50
ReadTimeout 120
CommandReadTimeout 5
SendBufTimeout 200
IdleTimeout 30
ExcludePath ^/proc/
ExcludePath ^/sys/
MaxDirectoryRecursion 20
FollowDirectorySymlinks no
FollowFileSymlinks no
CrossFilesystems yes
SelfCheck 86400
ExitOnOOM yes
Foreground no
Debug no
LeaveTemporaryFiles no
AllowAllMatchScan no
DetectPUA no
AlgorithmicDetection yes
DisableCache no
ScanPE yes
DisableCertCheck yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
OLE2BlockMacros no
ScanPDF yes
ScanSWF yes
ScanMail yes
ScanPartialMessages no
PhishingSignatures yes
PhishingScanURLs no
PhishingAlwaysBlockSSLMismatch no
PhishingAlwaysBlockCloak no
PartitionIntersection no
HeuristicScanPrecedence yes
StructuredDataDetection no
ScanHTML yes
ScanArchive yes
ArchiveBlockEncrypted no
MaxScanSize 50M
MaxFileSize 50M
MaxRecursion 10
MaxFiles 10000
MaxEmbeddedPE 10M
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 5M
MaxPartitions 50
MaxIconsPE 100
ScanOnAccess no
Bytecode yes
BytecodeSecurity TrustSigned
BytecodeTimeout 2000
StatsEnabled no
StatsPEDisabled yes
LogFile /var/log/clamscan.log
LogFileMaxSize 32M
LogTime yes
LogClean no
ExtendedDetectionInfo yes
LogFileUnlock yes
__________________________________________________________________________
[root@localhost:~]$ cat /etc/systemd/system/clamav-milter.service
[Unit]
Description=ClamAV Postfix-Milter
Wants=clamd.service
After=clamd.service
Before=postfix.service
[Service]
Type=simple
Environment="TMPDIR=/tmp"
ExecStart=/usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf
User=clamilt
Group=clamilt
Environment="LANG=en_GB.UTF-8"
Restart=always
RestartSec=1
Nice=5
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=x86-64
ReadOnlyDirectories=/
ReadWriteDirectories=-/run/clamav-milter
ReadWriteDirectories=-/run/clamd
ReadWriteDirectories=-/tmp
ReadWriteDirectories=-/var/log
__________________________________________________________________________
[root@localhost:~]$ cat /etc/mail/clamav-milter.conf
# Postfix Milter-Konfiguration
# Pre-Queue Virenscanner
#
# Postfix muss in die "clamilt"-Usergruppe
# usermod -a -G clamilt postfix
# usermod -a -G sa-milt postfix
User clamilt
AllowSupplementaryGroups yes
MilterSocket /run/clamav-milter/clamav-milter.socket
MilterSocketMode 0660
ClamdSocket unix:/run/clamd/clamd.sock
FixStaleSocket yes
ReadTimeout 120
Foreground yes
TemporaryDirectory /tmp
LocalNet 127.0.0.1
MaxFileSize 35M
OnClean Accept
OnFail Defer
OnInfected Reject
RejectMsg Virus found or dangerous attachment: "%v"
AddHeader Replace
LogFile /var/log/clamav-milter.log
LogFileUnlock yes
LogFileMaxSize 128M
LogTime yes
LogSyslog yes
LogFacility LOG_MAIL
LogVerbose no
LogRotate yes
LogInfected Off
LogClean Off
SupportMultipleRecipients yes
Whitelist /etc/mail/clamav-milter-whitelist.conf
__________________________________________________________________________
[root@localhost:~]$ cat /etc/tmpfiles.d/clamd.conf
d /run/clamd 0775 clamscan clamilt
__________________________________________________________________________
[root@localhost:~]$ cat /usr/lib/tmpfiles.d/clamd.scan.conf
d /var/run/clamd.scan 0710 clamscan clamscan
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
