mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

After disabling/enabling Clamd, container doesn't show up on /debug #5629

Closed ghost closed 6 months ago

ghost commented 6 months ago

Contribution guidelines

I've found a bug and checked that ...

Description

Hello,

For some time I tried disabling the Clamd container on my Mailcow instances. I wanted to study the virtual memory usage and do some benchmarks.

Today, I enabled it again by modifying mailcow.conf, switching from SKIP_CLAMD=y to SKIP_CLAMD=n:

# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n

SKIP_CLAMD=n

The container seems to be running just fine:

60561c03d9b9   mailcow/clamd:1.63   "/sbin/tini -g -- /c…"   10 days ago   Up 4 minutes (healthy)   3310/tcp, 7357/tcp   mailcowdockerized-clamd-mailcow-1

However, it doesn't show up on the /debug web interface page:

Screenshot 2024-01-09 at 13 58 42

Logs:

mailcowdockerized-clamd-mailcow-1  | SKIP_CLAMD=y, skipping ClamAV...
mailcowdockerized-clamd-mailcow-1  | SKIP_CLAMD=y, skipping ClamAV...

Steps to reproduce:

  1. Disable Clamd
  2. Enable Clamd
  3. Witness that the Clamd container information is gone from the /debug web interface

Which branch are you using?

master

Operating System:

Debian 11

Server/VM specifications:

8GiB, 2 cores

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

KVM

Docker version:

24.0.7

docker-compose version or docker compose version:

2.9.0

mailcow version:

2023-12a

Reverse proxy:

Not any

Logs of git diff:

diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index 1dce6a4c..7ef0f2a8 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -171,3 +171,36 @@ parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks

 # DO NOT EDIT ANYTHING BELOW #
 # Overrides #
+
+postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2
+  hostkarma.junkemailfilter.com=127.0.0.1*-2
+  list.dnswl.org=127.0.[0..255].0*-2
+  list.dnswl.org=127.0.[0..255].1*-4
+  list.dnswl.org=127.0.[0..255].2*-6
+  list.dnswl.org=127.0.[0..255].3*-8
+  ix.dnsbl.manitu.net*2
+  bl.spamcop.net*2
+  bl.suomispam.net*2
+  hostkarma.junkemailfilter.com=127.0.0.2*3
+  hostkarma.junkemailfilter.com=127.0.0.4*2
+  hostkarma.junkemailfilter.com=127.0.1.2*1
+  backscatter.spameatingmonkey.net*2
+  bl.ipv6.spameatingmonkey.net*2
+  bl.spameatingmonkey.net*2
+  b.barracudacentral.org=127.0.0.2*7
+  bl.mailspike.net=127.0.0.2*5
+  bl.mailspike.net=127.0.0.[10;11;12]*4
+  dnsbl.sorbs.net=127.0.0.10*8
+  dnsbl.sorbs.net=127.0.0.5*6
+  dnsbl.sorbs.net=127.0.0.7*3
+  dnsbl.sorbs.net=127.0.0.8*2
+  dnsbl.sorbs.net=127.0.0.6*2
+  dnsbl.sorbs.net=127.0.0.9*2
+  zen.spamhaus.org=127.0.0.[10;11]*8
+  zen.spamhaus.org=127.0.0.[4..7]*6
+  zen.spamhaus.org=127.0.0.3*4
+  zen.spamhaus.org=127.0.0.2*3
+
+# User Overrides
+myhostname = REDACTED
+
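Review bot: The added `postscreen_dnsbl_sites` block and the `myhostname` override sit below the `# DO NOT EDIT ANYTHING BELOW #` marker, which says this region is not meant for hand edits; keep such overrides in a separate file that feeds this section so they do not show up as local drift in the tracked main.cf. The block also assigns per-list weights (from `*-8` to `*8`) with no `postscreen_dnsbl_threshold` visible in the hunk, so confirm the threshold is defined elsewhere in the file and that the negative allow-list weights cannot cancel a high block-list score unintentionally.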
diff --git a/data/conf/sogo/sogo.conf b/data/conf/sogo/sogo.conf
index b424efd8..ec884aa4 100644
--- a/data/conf/sogo/sogo.conf
+++ b/data/conf/sogo/sogo.conf
@@ -5,13 +5,14 @@
         PrivateDAndTViewer
     );

-    WOWorkersCount = "20";
+    WOWorkersCount = "5";
     SOGoACLsSendEMailNotifications = YES;
     SOGoAppointmentSendEMailNotifications = YES;
     SOGoDraftsFolderName = "Drafts";
     SOGoJunkFolderName= "Junk";
     SOGoMailDomain = "sogo.local";
     SOGoEnableEMailAlarms = YES;
+    SOGoMailHideInlineAttachments = YES;
     SOGoFoldersSendEMailNotifications = YES;
     SOGoForwardEnabled = YES;

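Review bot: `WOWorkersCount` drops from "20" to "5" at the top of this hunk with no comment giving the reason; the value caps how many SOGo requests are served in parallel, so record next to the setting why 5 was chosen (the report mentions an 8GiB, 2-core host) and check that webmail and ActiveSync clients do not queue under normal load.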
@@ -60,6 +61,7 @@
     SOGoIMAPAclConformsToIMAPExt = Yes;
     SOGoPageTitle = "SOGo Groupware";
     SOGoFirstDayOfWeek = "1";
+    SOGoFirstWeekOfYear = "First4DayWeek";

     SOGoSieveFolderEncoding = "UTF-8";
     SOGoPasswordChangeEnabled = NO;
diff --git a/docker-compose.yml b/docker-compose.yml
index 2521e816..f43c9f1f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -601,36 +601,6 @@ services:
           aliases:
             - ofelia

-    ipv6nat-mailcow:
-      depends_on:
-        - unbound-mailcow
-        - mysql-mailcow
-        - redis-mailcow
-        - clamd-mailcow
-        - rspamd-mailcow
-        - php-fpm-mailcow
-        - sogo-mailcow
-        - dovecot-mailcow
-        - postfix-mailcow
-        - memcached-mailcow
-        - nginx-mailcow
-        - acme-mailcow
-        - netfilter-mailcow
-        - watchdog-mailcow
-        - dockerapi-mailcow
-        - solr-mailcow
-      environment:
-        - TZ=${TZ}
-      image: robbertkl/ipv6nat
-      security_opt:
-        - label=disable
-      restart: always
-      privileged: true
-      network_mode: "host"
-      volumes:
-        - /var/run/docker.sock:/var/run/docker.sock:ro
-        - /lib/modules:/lib/modules:ro
-
 networks:
   mailcow-network:
     driver: bridge
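Review bot: Nothing in this hunk shows what provides IPv6 NAT for `mailcow-network` once `ipv6nat-mailcow` is deleted, and the `depends_on` list it carried disappears with it; state in the change what replaces it or that IPv6 NAT is no longer wanted. The deletion itself is a welcome reduction in exposure, since the service ran with `privileged: true`, `network_mode: "host"` and a mounted `/var/run/docker.sock`.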

Logs of iptables -L -vn:

# Warning: iptables-legacy tables present, use iptables-legacy to see them

Logs of ip6tables -L -vn:


Logs of iptables -L -vn -t nat:

# Warning: iptables-legacy tables present, use iptables-legacy to see them
iptables v1.8.7 (nf_tables): table `nat' is incompatible, use 'nft' tool.

Logs of ip6tables -L -vn -t nat:

ip6tables v1.8.7 (nf_tables): table `nat' is incompatible, use 'nft' tool.

DNS check:

104.18.32.7
172.64.155.249

DerLinkman commented 6 months ago

Try restarting the complete stack

ghost commented 6 months ago

Hello @DerLinkman,

Thanks for your suggestion. I opened the bug report after restarting the server itself. As far as I know, all the stack is properly restarted as well at reboot, no?

DerLinkman commented 6 months ago

Hi!

Theoretically it should, but by restart I mean bringing the stack down and up.

I think this "issue" is produced by the docker api which is registering all containers on boot.

ghost commented 6 months ago

Okay, you were right. A simple sudo systemctl reboot isn't enough to restart the stack properly.

After doing the following:

$ cd /opt/mailcow-dockerized/
/opt/mailcow-dockerized$ sudo docker-compose down
[+] Running 19/19
 ⠿ Container mailcowdockerized-clamd-mailcow-1      Removed                                                                           0.3s
 ⠿ Container mailcowdockerized-olefy-mailcow-1      Removed                                                                          10.2s
 ⠿ Container mailcowdockerized-ofelia-mailcow-1     Removed                                                                           0.6s
 ⠿ Container mailcowdockerized-rspamd-mailcow-1     Removed                                                                           1.5s
 ⠿ Container mailcowdockerized-dockerapi-mailcow-1  Removed                                                                           1.4s
 ⠿ Container mailcowdockerized-netfilter-mailcow-1  Removed                                                                           1.2s
 ⠿ Container mailcowdockerized-solr-mailcow-1       Removed                                                                           1.2s
 ⠿ Container mailcowdockerized-memcached-mailcow-1  Removed                                                                           1.3s
 ⠿ Container mailcowdockerized-watchdog-mailcow-1   Removed                                                                           0.6s
 ⠿ Container mailcowdockerized-acme-mailcow-1       Removed                                                                           0.3s
 ⠿ Container mailcowdockerized-nginx-mailcow-1      Removed                                                                           0.9s
 ⠿ Container mailcowdockerized-postfix-mailcow-1    Removed                                                                           2.4s
 ⠿ Container mailcowdockerized-dovecot-mailcow-1    Removed                                                                           2.3s
 ⠿ Container mailcowdockerized-php-fpm-mailcow-1    Removed                                                                           0.3s
 ⠿ Container mailcowdockerized-sogo-mailcow-1       Removed                                                                          10.3s
 ⠿ Container mailcowdockerized-redis-mailcow-1      Removed                                                                           0.5s
 ⠿ Container mailcowdockerized-mysql-mailcow-1      Removed                                                                           0.6s
 ⠿ Container mailcowdockerized-unbound-mailcow-1    Removed                                                                           0.2s
 ⠿ Network mailcowdockerized_mailcow-network        Removed                                                                           0.2s
/opt/mailcow-dockerized$ sudo docker-compose up -d
[+] Running 19/19
 ⠿ Network mailcowdockerized_mailcow-network        Created                                                                           0.1s
 ⠿ Container mailcowdockerized-solr-mailcow-1       Started                                                                           1.7s
 ⠿ Container mailcowdockerized-memcached-mailcow-1  Started                                                                           2.2s
 ⠿ Container mailcowdockerized-unbound-mailcow-1    Healthy                                                                          31.7s
 ⠿ Container mailcowdockerized-dockerapi-mailcow-1  Started                                                                           2.1s
 ⠿ Container mailcowdockerized-redis-mailcow-1      Started                                                                           2.5s
 ⠿ Container mailcowdockerized-olefy-mailcow-1      Started                                                                           1.8s
 ⠿ Container mailcowdockerized-sogo-mailcow-1       Started                                                                           1.6s
 ⠿ Container mailcowdockerized-php-fpm-mailcow-1    Started                                                                           3.1s
 ⠿ Container mailcowdockerized-mysql-mailcow-1      Started                                                                           2.7s
 ⠿ Container mailcowdockerized-clamd-mailcow-1      Started                                                                          32.2s
 ⠿ Container mailcowdockerized-nginx-mailcow-1      Started                                                                           4.5s
 ⠿ Container mailcowdockerized-postfix-mailcow-1    Started                                                                          32.2s
 ⠿ Container mailcowdockerized-dovecot-mailcow-1    Started                                                                           4.6s
 ⠿ Container mailcowdockerized-acme-mailcow-1       Started                                                                          31.9s
 ⠿ Container mailcowdockerized-rspamd-mailcow-1     Started                                                                           5.8s
 ⠿ Container mailcowdockerized-netfilter-mailcow-1  Started                                                                          32.3s
 ⠿ Container mailcowdockerized-ofelia-mailcow-1     Started                                                                           5.6s
 ⠿ Container mailcowdockerized-watchdog-mailcow-1   Started                                                                          32.5s

It shows up as expected on the web interface:

Screenshot 2024-01-10 at 10 00 22

Thanks a lot for your help! 🙏🏻
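
A check for the situation in this thread, as an added example that is not part of the original discussion or of mailcow's own tooling: it compares `SKIP_CLAMD` in mailcow.conf with the value the existing clamd container was created with, so an anti-virus container still carrying the old setting is noticed before relying on it. The path and container name come from the report; that the setting reaches the container as an environment variable is an assumption (suggested by its `SKIP_CLAMD=y, skipping ClamAV...` log line), and the `--live` switch and sample data are constructed for this example.

```shell
#!/bin/sh
# Added example: detect a container still running with a stale environment
# after mailcow.conf was edited. Assumption: the setting is passed to the
# container as an environment variable of the same name.

CONF="${CONF:-/opt/mailcow-dockerized/mailcow.conf}"
CONTAINER="${CONTAINER:-mailcowdockerized-clamd-mailcow-1}"
KEYS="${KEYS:-SKIP_CLAMD}"

# conf_value KEY: read KEY=value lines from stdin, skip commented lines,
# print the last value (later assignments win), strip CR and quotes.
conf_value() {
  sed -n "s/^[[:space:]]*$1=//p" | tail -n 1 | tr -d '\r"'
}

# env_drift CONF_FILE ENV_FILE: compare every key listed in $KEYS.
# Prints one line per mismatch and returns 1 if any key differs.
env_drift() {
  rc=0
  for key in $KEYS; do
    want=$(conf_value "$key" < "$1")
    have=$(conf_value "$key" < "$2")
    if [ "$want" != "$have" ]; then
      printf '%s: mailcow.conf=%s container=%s\n' \
        "$key" "${want:-<unset>}" "${have:-<unset>}"
      rc=1
    fi
  done
  return $rc
}

# sample_drift: run env_drift on constructed sample data (not real output):
# the config says n, the container was created while it still said y.
sample_drift() {
  tmp=$(mktemp -d)
  printf '# Skip ClamAV - y/n\nSKIP_CLAMD=n\n' > "$tmp/conf"
  printf 'TZ=Europe/Berlin\nSKIP_CLAMD=y\n' > "$tmp/env"
  env_drift "$tmp/conf" "$tmp/env" && rc=0 || rc=1
  rm -rf "$tmp"
  return $rc
}

# Live check against the Docker daemon: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
  envfile=$(mktemp)
  docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' \
    "$CONTAINER" > "$envfile" || exit 2
  if env_drift "$CONF" "$envfile"; then
    echo "container environment matches $CONF"
    rm -f "$envfile"
  else
    echo "stale container: docker-compose down && docker-compose up -d"
    rm -f "$envfile"
    exit 1
  fi
fi
```

A reboot only restarts the existing containers, so a mismatch reported here persists until the stack is brought down and up as shown in the comment above.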