edestecd / puppet-clamav

Puppet Module for managing ClamAV
GNU General Public License v3.0

Make sure clamav automatically updates #77

Open ZaxLofful opened 1 year ago

ZaxLofful commented 1 year ago

Clamav doesn't update itself and this is causing issues.

ubellavance commented 1 year ago

I think that you can simply override the *_version parameters in your config. I don't agree that a module should use "latest".

ZaxLofful commented 1 year ago

Why would you want software that is intended for security to be out-of-date with the repo the OS uses?

Since Puppet doesn't allow duplicate entries, we cannot add a second module to cover this. Due to this, the only way to manage the version is to just run "yum update clamav" every night.

If this is possible already, your documentation doesn't list those parameters as configurable at runtime; please add it to your documentation.

If there was a way to configure the version you wanted as a parameter or just "latest" that would be fine too.

In its current state you basically cannot manage the version one way or the other.

ubellavance commented 1 year ago

Because updates break things. It may be acceptable in small businesses, but in larger organizations updates are tested in different stages before making it to production servers; production servers will never get the updates the second it is available. And yes, I have seen the mix of clamav/clamd/clamav-milter break during updates.

Why do you say that the parameters aren't listed as configurable at runtime? Did you see such a list? I think that all params in params.pp can be changed in your manifests.

BTW, it's not my documentation... It's not "my" module, and this is a public module, so you can contribute to the documentation if you see the need.

Can you tell how you use this module in your manifests?

Have you tried something like this?

class { 'clamav':
  # package ensure value: 'latest', 'present', or a pinned version string
  clamav_version => 'latest',
}

ZaxLofful commented 1 year ago

Apologies, I thought you were the original author. The whole point of allowing those parameters to be listed in the documentation and normally available is so that someone could use this value easily, without having to dig through the code like I did.

I work for a big ORG, so that anecdote is not valid. You just have a different opinion, you won't affect production workloads like this, since ClamAV will never break so hard the system will go down. The only thing that can happen is ClamAV itself just stops working, which can be mitigated with DEV/PROD.

I use auto-updates in all of my projects, it just means you need to have a few extra things in place to handle it; like CI/CD QA...

The mentality of "don't allow auto-updates because it will break something" is a tagline for the early 2000s; there are many ways to avoid the pitfall you mentioned and still be automatically up-to-date.

I run 1000s of containers and every single one is set to "latest."

ubellavance commented 1 year ago

ClamAV will never break so hard the system will go down? In my case, the SMTP server stopped processing mail. We only manually updated one of our 2 SMTP servers so the service wasn't really impacted. That's a primitive way of doing QA but that is what we have for now.

But you and I are saying the same thing: auto updates are OK in dev, QA, and then production, not blindly set all systems to auto-updates, including production.

Unfortunately, most Puppet modules don't document available parameters. I understand the value, but authors/contributors don't take time to do it, even if there are tools like puppet-strings to help. The first thing to look at is the params.pp, or the file that corresponds to the class you want to configure (server.pp for example). One example of a module that lists all the params is the puppetdb module.

I understand that you have found how to override the parameter, now? If you need help with anything else regarding Puppet, I suggest you ask on the Puppet Slack community. There are many knowledgeable persons there that are very helpful.
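The approach the two of them converge on above, overriding the module's `*_version` parameter and letting dev/QA follow the distro repo while production stays on a release that has already been tested, can be written as a wrapper profile. This is an added example, not code from the puppet-clamav module or from either commenter; it assumes the module's `clamav_version` parameter accepts a package ensure value, that `$server_facts['environment']` names the Puppet environment (standard trusted server facts), and that the `pick()` function from puppetlabs-stdlib is available. The pinned version string is a placeholder.

```puppet
# profile::clamav (added example, not part of edestecd/puppet-clamav)
#
# Selects the package ensure value for ClamAV per Puppet environment so that
# production does not pick up a new release until it has been through the
# earlier stages, while dev/QA track the OS repository.
class profile::clamav (
  # Set this in Hiera (profile::clamav::package_ensure) to override the
  # environment-based default below; leave undef to use that default.
  Optional[String] $package_ensure = undef,
) {
  # Assumption: $server_facts['environment'] is the environment name that the
  # Puppet server assigned to this node ('production', 'qa', 'dev', ...).
  $default_ensure = $server_facts['environment'] ? {
    'production' => '0.0.0-PLACEHOLDER', # replace with the release tested in QA
    default      => 'latest',            # dev/QA follow the repo automatically
  }

  # pick() (puppetlabs-stdlib) returns the first non-undef argument.
  $ensure = pick($package_ensure, $default_ensure)

  # clamav_version is the module parameter named earlier in this thread; any
  # other *_version parameters the module exposes would be set the same way.
  class { 'clamav':
    clamav_version => $ensure,
  }
}
```

Promotion then becomes a one-line change to the production pin once a release has survived dev and QA, rather than a nightly out-of-band `yum update` that Puppet knows nothing about; a signature (freshclam) update schedule is a separate concern from the engine package version handled here.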

ZaxLofful commented 1 year ago

Nope, I just run auto-updates every day at midnight using a YUM CLI command.

I will work on bettering the documentation here to include all the available parameters, hopefully the PR gets approved.

ubellavance commented 1 year ago

That's a good idea, but I think that the only person with merge rights, @edestecd, hasn't been seen here for a long, long while. I submitted a PR in 2017 and it's still not merged. I think some people from voxpopuli and another group offered to take over the module but they got no answer.