Clamd@amavisd Fails Under Systemd

Home » CentOS » Clamd@amavisd Fails Under Systemd
CentOS 7 Comments

Trying to set up a mail server under CentOS7 – having done this with CentOS5 and CentOS6 over the last decade with no issues and reliable service, it was time to upgrade (?) to CentOS7. Shouldn’t be a problem, right?

Getting to grips with systemd has been challenging – to say the least.

So a brief overview of what I am trying to set up:

postfix / amavisd-new / spamassassin / clamav so we can receive mail and deal with the major rubbish that gets thrown at any open port 25 SMTP
service.

no problems installing each of the above and their configuration files. Just as an aside, there are many recipes for this combo of packages –
none of which work as advertised. There was a time when one could safely follow a how-to guide and have things working – I have regularly used the CentOS wiki guides – however they have become stale and what worked fine for 5 & 6 DO NOT WORK for CentOS7 – mainly due to systemd and firewalld

So we have:

systemctl status postfix.service
● postfix.service – Postfix Mail Transport Agent
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled;
vendor preset: disabled)
Active: active (running) since Wed 2016-10-26 18:13:25 EDT; 1 weeks
5 days ago
Main PID: 2762 (master)
CGroup: /system.slice/postfix.service
├─ 2762 /usr/libexec/postfix/master -w
├─ 2782 qmgr -l -t unix -u
└─25274 pickup -l -t unix -u

systemctl status spamassassin.service
● spamassassin.service – Spamassassin daemon
Loaded: loaded (/usr/lib/systemd/system/spamassassin.service;
enabled; vendor preset: disabled)
Active: active (running) since Tue 2016-11-08 05:18:04 EST; 50min ago
Process: 27412 ExecStart=/usr/bin/spamd –pidfile /var/run/spamd.pid
$SPAMDOPTIONS (code=exited, status=0/SUCCESS)
Process: 27410 ExecStartPre=/sbin/portrelease spamd (code=exited, status=0/SUCCESS)
Main PID: 27417 (/usr/bin/spamd )
CGroup: /system.slice/spamassassin.service
├─27417 /usr/bin/spamd –pidfile /var/run/spamd.pid -d -c -m5 -H
├─27418 spamd child
└─27419 spamd child

systemctl status amavisd.service
● amavisd.service – Amavisd-new is an interface between MTA and content checkers.
Loaded: loaded (/usr/lib/systemd/system/amavisd.service; enabled;
vendor preset: disabled)
Active: active (running) since Tue 2016-11-08 05:18:05 EST; 50min ago
Docs: http://www.ijs.si/software/amavisd/#doc
Process: 27426 ExecStart=/usr/sbin/amavisd -c
/etc/amavisd/amavisd.conf (code=exited, status=0/SUCCESS)
Main PID: 27427 (/usr/sbin/amavi)
CGroup: /system.slice/amavisd.service
├─27427 /usr/sbin/amavisd (master)
├─27479 /usr/sbin/amavisd (ch1-avail)
└─27480 /usr/sbin/amavisd (ch1-avail)

but for the life of me, I cannot get clamd@amavisd to stay up.

It always comes up and then dies after about 1 second :

systemctl status clamd@amavisd.service
● clamd@amavisd.service – clamd scanner (amavisd) daemon
Loaded: loaded (/usr/lib/systemd/system/clamd@.service; enabled;
vendor preset: disabled)
Active: inactive (dead) since Tue 2016-11-08 05:18:13 EST; 34min ago
Process: 27421 ExecStart=/usr/sbin/clamd -c /etc/clamd.d/%i.conf
(code=exited, status=0/SUCCESS)
Main PID: 27421 (code=exited, status=0/SUCCESS)

Nov 08 05:18:11 media.xxxx.xxx clamd[27481]: OLE2 support enabled. Nov 08 05:18:11 media.xxxx.xxx clamd[27481]: PDF support enabled. Nov 08 05:18:11 media.xxxx.xxx clamd[27481]: SWF support enabled. Nov 08 05:18:11 media.xxxx.xxx clamd[27481]: HTML support enabled. Nov 08 05:18:11 media.xxxx.xxx clamd[27481]: XMLDOCS support enabled. Nov 08 05:18:11 media.xxxx.xxx clamd[27481]: HWP3 support enabled. Nov 08 05:18:11 media.xxxx.xxx clamd[27481]: Self checking every 600
seconds. Nov 08 05:18:13 media.xxxx.xxx clamd[27481]: Pid file removed. Nov 08 05:18:13 media.xxxx.xxx clamd[27481]: — Stopped at Tue Nov 8
05:18:13 2016
Nov 08 05:18:13 media.xxxx.xxx clamd[27481]: Socket file removed.

I can run the clamd service manually just fine and everything works – i.e.

/usr/sbin/clamd -c /etc/clamd.d/amavisd.conf –nofork=yes

returns a functioning service – thus my config files must be okay

but try it with systemd and you hit a brick wall – nothing in any logs to give me a clue why it comes up and then closes down

After many days of google chasing, I have found a number of folk hitting the same issue, yet none of these have posted anything resembling a solution, most have had other issues that were in error.

If there is anyone that has this combo of services working under CentOS7
and can shed any insight on why I cannot get this service to actually run, it would be very much appreciated.

TIA
Rob

7 thoughts on - Clamd@amavisd Fails Under Systemd

  • When setting up a clamd service, you should need to enable the service, create the configuration file, and typically set up
    /etc/tmpfiles.d/clamd-.conf. That file should have one line:

    d /run/clamd. 0700 daemon daemon –

    …or whatever user you use for clamd. If you don’t have the proper tmpfiles setup, the run directory won’t exist or won’t have the correct owner, and either standard permissions or SELinux may deny the process access to the run directory.

  • so I have /etc/tmpfiles.d/clamd.amavisd.conf with content d /var/run/clamd.amavisd 0755 amavis amavis –

    the process owner name and group name are amavis this is not quite what you specified – which should it be?

    My real head scratch problem is that running clamd from a cli works perfectly. Trying to get systemd (via systemctl start clamd@amavisd.service) brings it up but after 1 second removes the pid file and shuts down. set up clamd via the service file to use –debug and get nothing helpful Trying to debug this systemd stuff seems impossible

    Thanks Rob

  • If “User” is set to amavis in the clamd configuration, that looks fine.

    systemd starts processes in the correct SELinux context, while running it from the shell does not. So my first guess would be that it’s an SELinux issue. Use “setenforce” to put the system in permissive mode to see if that’s the case. If so, “grep AVC /var/log/audit/audit.log” for more info.

  • Tried this – set it to permissive and tried the systemctl start clamd@amavisd.service and got exactly the same result – tried a number of times – no messages in the logs to indicate a problem – just after the final start up message of :-
    >Self checking every 600 seconds. after one second we get
    >Pid file removed.
    >Stopped at Fri Nov 11 04:35:49 2016
    >Socket file removed.

    So not selinux. Thanks for the idea – I was unaware that systemd is selinux aware and friendly. I’ll keep looking …..

  • Another random thought When I invoke from the CLI – there is a -nofork=yes as a part of the invocation. When systemd tries to do the invocation via the ExecStart line – the original clamd@.service file had this –nofork=yes also, the problem was that this just caused an abend of the start up with the message:
    > /usr/sbin/clamd: unrecognized option `–nofork=yes’
    > ERROR: Unknown option passed
    > ERROR: Can’t parse command line options and a look at the clamd man shows no such parameter – thus I removed it. I wonder if this is the issue? Not sure what I can or how I can test. Will keep playing

  • Not on my system, it doesn’t:

    $ grep Exec /usr/lib/systemd/system/clamd@.service ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf –foreground=yes
    $ rpm -qf /usr/lib/systemd/system/clamd@.service clamav-server-systemd-0.99.2-1.el7.noarch

    Yeah, it might be worth removing the package and reinstalling it. You shouldn’t need to modify the provided systemd service file.