Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

freshclam fails to notify clamd via socket, even though it exists (on Kubernetes) #1268

Open alexanderaltanis opened 4 months ago

alexanderaltanis commented 4 months ago

Describe the bug

I am trying to run a Kubernetes pod based on the clamav/clamav-debian image. I've built my own image based on that one (via FROM clamav/clamav-debian:latest, and then replacing some config files and the /init script with a slightly improved one). The issue should not come from my changes to the /init script, as it happened even before I made those changes (and they have to do with graceful shutdown, and not the actual daemon).

The problem is that even though clamd is running, has created a local socket, and that socket exists, when freshclam tries to notify it to reload the virus databases, I get the following error in the freshclam log:

WARNING: Clamd was NOT notified: Can't connect to clamd through /run/clamav/clamd.sock: No such file or directory

However, the socket file exists, and is owned by the correct user and group.

# ls -l /run/clamav/clamd.sock
srw-rw-rw- 1 clamav clamav 0 May  8 11:21 /run/clamav/clamd.sock

And in fact, I have configured clamd to use that file as a socket, and to use the user clamav (excerpt from /etc/clamav/clamd.conf):

LocalSocket /run/clamav/clamd.sock
User clamav

Freshclam is configured to notify clamd (excerpt from /etc/clamav/freshclam.conf):

NotifyClamd /etc/clamav/clamd.conf

Note that by default the image places the socket in /tmp/clamd.sock. The /tmp directory is owned by root, so I changed it to /run/clamav/clamd.sock, since that directory is owned by clamav and is mentioned in the /init script. The issue appeared just the same with the socket in /tmp (and freshclam then accordingly complained that /tmp/clamd.sock did not exist, which indicates that it is correctly reading /etc/clamav/clamd.conf).

Curiously, if I SSH into the image and run freshclam manually, it manages to notify clamd to reload the database correctly (I use the same arguments for freshclam used by the /init script)! It's only the process started by the init script that fails to do that.

I have no idea what to do as I believe I've followed the documentation and the error message seems to be wrong.

How to reproduce the problem

I don't know how the problem can be reproduced; if you have an idea, please let me know and I can present a reproduction.

I can reproduce the problem 100% of the time on my setup. I can provide more information if necessary.

ragusaa commented 3 months ago

Hi,

I am sorry we missed this issue previously, has it been resolved?

Thanks, Andy

vienleidl commented 3 months ago

I use the latest docker image (clamav/clamav), and I've got the same warning message: WARNING: Clamd was NOT notified: Can't connect to clamd through /tmp/clamd.sock: No such file or directory

ragusaa commented 3 months ago

@vienleidl , and you have confirmed that the socket exists?

micahsnyder commented 3 months ago

This just occurred to me -- If we're talking about this happening immediately on startup, after freshclam updated and before clamd has finished starting up, then don't worry about it. That's just because clamd hasn't finished starting. The next time it updates, clamd will be up and listening and will get the message.

FYI clamd also checks for database changes automatically. By default I think it checks every 10 minutes. Having freshclam send a message to clamd to notify of the change is redundant and just aims to speed up that process.
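A small diagnostic for the situation in this thread, added here as an example and not code from the ClamAV project: it checks the socket file the way the freshclam error implies, then speaks the clamd command protocol (a null-terminated zPING, expecting PONG) to tell a missing file apart from a stale socket file with no listener and from a live daemon. The fake_clamd stand-in, the demo helper and its temp-dir paths are constructed for the demonstration only.

```python
import os
import socket
import stat
import tempfile
import threading

def clamd_command(path, command, timeout=5.0):
    """Send one null-terminated clamd command (PING, VERSION, RELOAD) and return the reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.sendall(b"z" + command.encode() + b"\0")  # 'z' prefix: NUL-terminated request/reply
        reply = b""
        while not reply.endswith(b"\0"):
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply.rstrip(b"\0").decode(errors="replace")

def diagnose(path):
    """Why a notify fails: 'missing' (the ENOENT from the log), 'not-a-socket',
    'refused' (socket file left behind, nobody listening), 'denied', or 'ok'."""
    if not os.path.lexists(path):
        return "missing"
    if not stat.S_ISSOCK(os.stat(path).st_mode):
        return "not-a-socket"
    try:
        return "ok" if clamd_command(path, "PING") == "PONG" else "bad-reply"
    except ConnectionRefusedError:
        return "refused"
    except PermissionError:
        return "denied"

def fake_clamd(path):
    """Constructed stand-in for clamd (test aid only): answers one PING with PONG."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)  # listening before the thread starts, so a connect cannot race it
    def serve():
        with srv, srv.accept()[0] as conn:
            if conn.recv(4096).startswith(b"zPING"):
                conn.sendall(b"PONG\0")
    threading.Thread(target=serve, daemon=True).start()

def demo():
    """Three constructed cases in a temp dir: missing file, stale socket file, live listener."""
    d = tempfile.mkdtemp()
    socket.socket(socket.AF_UNIX, socket.SOCK_STREAM).bind(os.path.join(d, "stale.sock"))
    fake_clamd(os.path.join(d, "clamd.sock"))
    return tuple(diagnose(os.path.join(d, n)) for n in ("none.sock", "stale.sock", "clamd.sock"))
```

Pointing diagnose() at the LocalSocket path from clamd.conf inside the container tells you which of these cases freshclam is actually hitting; clamd_command(path, "VERSION") additionally returns the loaded database version so a SelfCheck reload can be confirmed without reading the log.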

alexanderaltanis commented 3 months ago

@ragusaa The issue has not been resolved, although I worked around it by using a TCP socket instead of a local socket, even though both freshclam and clamav-daemon are in the same container. That works as expected, although I would say it's important for the local socket to work as well (especially since it's the default).

@micahsnyder thank you for that. I wasn't entirely clear, but I am not talking about the update before clamav-daemon starts up fully; I've seen the error you are talking about, but I realized that it was because the daemon had not started yet and I ignored that. The issue definitely occurs after the daemon has started, I've explicitly verified it.

As for clamd checking for database changes automatically: I did not notice anything in the clamd log. In fact I left the container running for several days during my attempt to make it work and saw nothing. If I recall correctly, I also checked that the database had not been updated by looking at the output of clamd -V as well, which I read prints the database number.

I checked the manpage of clamd.conf just now, and I assume you're talking about the SelfCheck option, correct? It is indeed set to nothing in my case, which seems to default to 10 minutes. Does that check the database file on disk, if it's been changed? Or does it simply validate the already loaded database in memory? Or perhaps if it reloads via SelfCheck, it doesn't log?

Let me know if you'd like me to double-check that SelfCheck doesn't fix the issue, but I'm pretty sure it didn't.

micahsnyder commented 3 months ago

If you aren't altering the SelfCheck option, I would expect you to see this in the clamd log at startup:

Self checking every 600 seconds

Then every 10 minutes, I'd expect one of these two log messages, depending if there is an update:

SelfCheck: Database status OK.

or

SelfCheck: Database modification detected. Forcing reload.

alexanderaltanis commented 3 months ago

You are actually correct, SelfCheck did in fact work! I hadn't noticed. This issue is still present, then, but it isn't as important. Thank you!