
ansible-role-clamav's Introduction

Ansible Role: ClamAV


Installs ClamAV on RedHat/CentOS and Debian/Ubuntu Linux servers.

Requirements

None.

Role Variables

Available variables are listed below, along with default values (see defaults/main.yml):

clamav_packages:
  - clamav
  - clamav-base
  - clamav-daemon

(Defaults for Debian/Ubuntu shown). List of packages to be installed for ClamAV operations.

clamav_daemon_localsocket: /var/run/clamav/clamd.ctl
clamav_daemon_config_path: /etc/clamav/clamd.conf
clamav_freshclam_daemon_config_path: /etc/freshclam.conf

Path configuration for the ClamAV daemon. These are hardcoded specifically for each OS family (Debian and Red Hat) and cannot be overridden.

clamav_daemon_configuration_changes:
  - regexp: '^.*Example$'
    state: absent
  - regexp: '^.*LocalSocket .*$'
    line: 'LocalSocket {{ clamav_daemon_localsocket }}'

Changes to make to the configuration file that ClamAV reads when it starts. At a minimum, you need to comment out the 'Example' line and open a LocalSocket (or a TCPSocket, e.g. 3310 by default) to get the ClamAV daemon to run.
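
An added example (not part of the role or its README): a Python check of a rendered clamd.conf for the two start-up conditions named above, plus whether a TCPSocket is bound beyond loopback. The sample configs are constructed, the function names are hypothetical, and TCPAddr is clamd's own option for restricting the bind address.

```python
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed samples: a stock file, and a file after the role's default changes.
STOCK = "# Comment or remove the line below.\nExample\n#LocalSocket /run/clamav/clamd.ctl\n"
AFTER_ROLE = "#TCPSocket 3310\nLocalSocket /var/run/clamav/clamd.ctl\n"


def parse_clamd_conf(text):
    """Map each active directive to its list of values (comments and blanks skipped)."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        options.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return options


def audit_clamd_conf(text):
    """Return findings that stop clamd from starting or widen access to its socket."""
    options = parse_clamd_conf(text)
    findings = []
    if "Example" in options:
        findings.append("Example line is still active")
    if "LocalSocket" not in options and "TCPSocket" not in options:
        findings.append("no LocalSocket or TCPSocket configured")
    if "TCPSocket" in options:
        # clamd's socket protocol has no authentication, so only loopback binds pass.
        addrs = options.get("TCPAddr", [])
        if not addrs:
            findings.append("TCPSocket set without TCPAddr: binds every interface")
        elif any(addr not in LOOPBACK for addr in addrs):
            findings.append("TCPAddr is not loopback: scan port reachable remotely")
    return findings


if __name__ == "__main__":
    for name, conf in (("stock", STOCK), ("after role", AFTER_ROLE)):
        print(name, audit_clamd_conf(conf) or "ok")
```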

clamav_daemon_state: started
clamav_daemon_enabled: true

Control whether the clamav-daemon service is running and/or enabled on system boot.

clamav_freshclam_configuration_changes:
  - regexp: '^.*HTTPProxyServer .*$'
    line: 'HTTPProxyServer {{ clamav_freshclam_http_proxy_server }}'
  - regexp: '^.*HTTPProxyPort .*$'
    line: 'HTTPProxyPort {{ clamav_freshclam_http_proxy_port }}'

Changes to make to the configuration file that is read from when freshclam starts. You will need to add your HTTP Proxy server configuration here, if you have one.

clamav_freshclam_daemon_state: started
clamav_freshclam_daemon_enabled: true

Control whether the clamav-freshclam service is running and/or enabled on system boot.

Dependencies

None.

Example Playbook

- hosts: servers
  become: true
  roles:
    - geerlingguy.clamav

License

MIT / BSD

Author Information

This role was created in 2017 by Jeff Geerling, author of Ansible for DevOps.

ansible-role-clamav's People

Contributors

baprx, geerlingguy, greggles, mrmeganova, panpomaly


ansible-role-clamav's Issues

clamav daemon fails on ubuntu

When I installed on our t3a.small server it became unresponsive (high cpu / memory usage maybe?). After a while I was able to access the server again but the daemon failed.

[email protected]:~$ sudo journalctl -u clamav-daemon
-- Logs begin at Fri 2020-03-06 02:11:25 UTC, end at Thu 2021-02-04 21:52:48 UTC. --
Feb 04 21:07:21 influxdb0 systemd[1]: Starting Clam AntiVirus userspace daemon...
Feb 04 21:07:21 influxdb0 systemd[1]: Started Clam AntiVirus userspace daemon.
Feb 04 21:07:34 influxdb0 systemd[1]: Stopping Clam AntiVirus userspace daemon...
Feb 04 21:07:34 influxdb0 systemd[1]: Stopped Clam AntiVirus userspace daemon.
Feb 04 21:07:34 influxdb0 mkdir[8035]: /bin/mkdir: cannot create directory ‘/run/clamav’: File exists
Feb 04 21:07:34 influxdb0 systemd[1]: Starting Clam AntiVirus userspace daemon...
Feb 04 21:07:34 influxdb0 systemd[1]: Started Clam AntiVirus userspace daemon.
Feb 04 21:22:14 influxdb0 systemd[1]: clamav-daemon.service: Main process exited, code=killed, status=9/KILL
Feb 04 21:22:14 influxdb0 systemd[1]: clamav-daemon.service: Failed with result 'signal'.
[email protected]:~$ sudo cat /var/log/clamav/clamav.log 
Thu Feb  4 21:07:21 2021 -> +++ Started at Thu Feb  4 21:07:21 2021
Thu Feb  4 21:07:21 2021 -> Received 0 file descriptor(s) from systemd.
Thu Feb  4 21:07:21 2021 -> clamd daemon 0.102.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Thu Feb  4 21:07:21 2021 -> Running as user clamav (UID 114, GID 119)
Thu Feb  4 21:07:21 2021 -> Log file size limited to 4294967295 bytes.
Thu Feb  4 21:07:21 2021 -> Reading databases from /var/lib/clamav
Thu Feb  4 21:07:21 2021 -> Not loading PUA signatures.
Thu Feb  4 21:07:21 2021 -> Bytecode: Security mode set to "TrustSigned".
Thu Feb  4 21:07:34 2021 -> +++ Started at Thu Feb  4 21:07:34 2021
Thu Feb  4 21:07:34 2021 -> Received 0 file descriptor(s) from systemd.
Thu Feb  4 21:07:34 2021 -> clamd daemon 0.102.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Thu Feb  4 21:07:34 2021 -> Running as user clamav (UID 114, GID 119)
Thu Feb  4 21:07:34 2021 -> Log file size limited to 4294967295 bytes.
Thu Feb  4 21:07:34 2021 -> Reading databases from /var/lib/clamav
Thu Feb  4 21:07:34 2021 -> Not loading PUA signatures.
Thu Feb  4 21:07:34 2021 -> Bytecode: Security mode set to "TrustSigned".
Thu Feb  4 21:07:51 2021 -> Loaded 8681271 signatures.

ERROR: /var/log/clamav/freshclam.log is locked by another process

I got this error when installing inside a local Vagrant box for testing.

Inside the VM, I noticed:

$ sudo lsof /var/log/clamav/freshclam.log                             
COMMAND     PID   USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
freshclam 26230 clamav    3wW  REG  252,0      248 528916 /var/log/clamav/freshclam.log

So maybe don't automatically run freshclam if it's already running? Maybe we can default to not running it, then the user can choose to run it or not.

ClamAV causes high CPU/disk IO usage

After installing ClamAV on one of my EC2 servers (t2.micro), ClamAV will consume all EBS burst capacity and severely throttle my server.

Is it an idea we could add something to limit clamav resource consumption?

Example System Slice from https://www.scylladb.com/2019/09/25/isolating-workloads-with-systemd-slices/:

[Unit]
Description=Slice used to run companion programs to Scylla. Memory, CPU and IO restricted
Before=slices.target

[Slice]
MemoryAccounting=true
IOAccounting=true
CPUAccounting=true

CPUWeight=10
IOWeight=10

MemoryHigh=4%
MemoryLimit=5%
CPUShares=10
BlockIOWeight=10

Fails on RHEL7 AWS, packer install

amazon-ebs: failed: [default] (item=[u'clamav', u'clamav-update', u'clamav-scanner-systemd']) => {
amazon-ebs: "changed": false,
amazon-ebs: "invocation": {
amazon-ebs: "module_args": {
amazon-ebs: "allow_downgrade": false,
amazon-ebs: "bugfix": false,
amazon-ebs: "conf_file": null,
amazon-ebs: "disable_gpg_check": false,
amazon-ebs: "disable_plugin": [],
amazon-ebs: "disablerepo": null,
amazon-ebs: "enable_plugin": [],
amazon-ebs: "enablerepo": null,
amazon-ebs: "exclude": null,
amazon-ebs: "install_repoquery": true,
amazon-ebs: "installroot": "/",
amazon-ebs: "list": null,
amazon-ebs: "name": [
amazon-ebs: "clamav",
amazon-ebs: "clamav-update",
amazon-ebs: "clamav-scanner-systemd"
amazon-ebs: ],
amazon-ebs: "security": false,
amazon-ebs: "skip_broken": false,
amazon-ebs: "state": "latest",
amazon-ebs: "update_cache": false,
amazon-ebs: "update_only": false,
amazon-ebs: "validate_certs": true
amazon-ebs: }
amazon-ebs: },
amazon-ebs: "item": [
amazon-ebs: "clamav",
amazon-ebs: "clamav-update",
amazon-ebs: "clamav-scanner-systemd"
amazon-ebs: ],
amazon-ebs: "msg": "No package matching 'clamav' found available, installed or updated",
amazon-ebs: "rc": 126,
amazon-ebs: "results": [
amazon-ebs: "No package matching 'clamav' found available, installed or updated"
amazon-ebs: ]
amazon-ebs: }
amazon-ebs: to retry, use: --limit @/opt/mirs/mirs-ansible/base.retry
amazon-ebs:
amazon-ebs: PLAY RECAP *********************************************************************
amazon-ebs: default : ok=21 changed=12 unreachable=0 failed=1

Getting "Service is in unknown state" error

I am using your geerlingguy/docker-debian10-ansible in Dockerfile and when I run docker build, I am getting:

#10 132.2 TASK [geerlingguy.clamav : include_tasks] **************************************
#10 132.3 included: /tmp/provisioner/roles/geerlingguy.clamav/tasks/setup-vars.yml for localhost
#10 132.3 
#10 132.3 TASK [geerlingguy.clamav : Define clamav_daemon.] ******************************
#10 132.3 ok: [localhost]
#10 132.3 
#10 132.3 TASK [geerlingguy.clamav : Define clamav_freshclam_daemon.] ********************
#10 132.4 ok: [localhost]
#10 132.4 
#10 132.4 TASK [geerlingguy.clamav : Define clamav_packages.] ****************************
#10 132.4 ok: [localhost]
#10 132.4 
#10 132.4 TASK [geerlingguy.clamav : Ensure ClamAV packages are installed.] **************
#10 139.8 changed: [localhost] => (item=clamav)
#10 142.1 ok: [localhost] => (item=clamav-base)
#10 146.6 changed: [localhost] => (item=clamav-daemon)
#10 146.6 
#10 146.6 TASK [geerlingguy.clamav : Run freshclam after ClamAV packages change.] ********
#10 176.2 changed: [localhost]
#10 176.2 
#10 176.2 TASK [geerlingguy.clamav : include_tasks] **************************************
#10 176.2 skipping: [localhost]
#10 176.2 
#10 176.2 TASK [geerlingguy.clamav : Change configuration for the ClamAV daemon.] ********
#10 176.6 ok: [localhost] => (item={'regexp': '^.*Example$', 'state': 'absent'})
#10 176.8 ok: [localhost] => (item={'regexp': '^.*LocalSocket .*$', 'line': 'LocalSocket /var/run/clamav/clamd.ctl'})
#10 176.8 
#10 176.8 TASK [geerlingguy.clamav : Ensure ClamAV daemon is running (if configured).] ***
#10 177.4 fatal: [localhost]: FAILED! => {"changed": false, "msg": "Service is in unknown state", "status": {}}
#10 177.4 
#10 177.4 RUNNING HANDLER [geerlingguy.clamav : restart clamav daemon] *******************
#10 177.4 
#10 177.4 PLAY RECAP *********************************************************************
#10 177.4 localhost                  : ok=13   changed=6    unreachable=0    failed=1    skipped=1    rescued=0    ignored=0   
#10 177.4 

Fails when SELinux active

Fails at Ensure ClamAV daemon is running (if configured) under Centos 7 with SELinux active

sudo getsebool -a | grep antivirus

Returns:

antivirus_can_scan_system --> off
antivirus_use_jit --> off

Running the following

sudo setsebool -P antivirus_can_scan_system 1
sudo setsebool -P clamd_use_jit 1

Before trying again resolved the issue.

Add ability to configure clam daemon (and fix broken CentOS build)

CentOS is complaining that the default /etc/clamd.d/scan.conf file is not parseable, and that's because the Example that comes preinstalled is still in the file. We should comment the Example line and uncomment LocalSocket by default. I need to see if this file is in a different path on Ubuntu, though.

Allow custom configuration of freshclam

I'm using this role in my playbooks and it's working nicely on CentOS 7. However, in my environment I need to set an HttpProxy in /etc/freshclam.conf. Would it be possible to add an extension point to allow this file to be configured in the same way that we can configure the clamav daemon?

Currently I have to do something like the following to get this to work, but it's pretty ugly

    - name: populate service facts
      service_facts:
    - name: Use clamav role to do most of setup
      include_role:
        name: geerlingguy.clamav
      vars:
        # Don't change the state of the clamav_daemon - this is done in a later task once freshclam has been configured and run
        clamav_daemon_state: "{{ 'started' if (ansible_facts.services['clamd@scan.service'] is defined) and (ansible_facts.services['clamd@scan.service'].state == 'running') else 'stopped' }}"
    - name: Configure proxy for freshclam
      lineinfile:
        path: /etc/freshclam.conf
        regex: "{{ item.regex }}"
        line: "{{ item.line }}"
      with_items:
        - { regex: '^#?Example', line: '#Example'}
        - { regex: '^#?HTTPProxyServer', line: 'HTTPProxyServer {{ http_proxy_host }}'}
        - { regex: '^#?HTTPProxyPort', line: 'HTTPProxyPort {{ http_proxy_port }}'}
      register: freshclam_config
    - name: Run freshclam after changing freshclam config.
      command: freshclam
      when: freshclam_config.changed
      notify: restart clamav daemon
    - name: Ensure clamav daemon is running
      service:
        name: clamd@scan
        state: started

adding clamdscan package

Is there any chance that clamdscan will be added to this role?

Although clamav-daemon is already provided and additional packages should be treated very carefully in a base role, I would advocate adding clamdscan because of its enhanced performance. Let me know if you think that others will also benefit from it.

Clamd Conf Attribute Value Inconsistent between Linux Flavors

Hello! I recently started testing out this role for ClamAV. So far I'm a fan as it's made the deployment a LOT easier.

I've noticed one thing during the creation / editing of the Configuration file when you use the "clamav_daemon_configuration_changes" variable.

I've noticed that Debian & RedHat flavors use different verbiage for their boolean value for some settings. Example:

Centos:

...
LogRotate yes
...

Ubuntu:

...
LogRotate true
...

If I set the variables for the role, I'll end up with consistent boolean attributes across both flavors.

---

- hosts: all
  tasks:
    - import_role:
        name: installed_clamav
      vars:
        clamav_daemon_configuration_changes:
          - regexp: '^.*LogRotate .*$'
            line: 'LogRotate yes'

The vars set above will set this conf to "yes" for both flavors, even though debian flavors will require a "true" value.

No package matching clamav found on RHEL 7

I have been able to execute this within a playbook on RHEL 7; however, after reaching the "ensure ClamAV packages are installed" portion of the playbook, it gives me errors stating that no package matching 'clamav' was found available.

clam-data and clam-update package are both installed

Hi,

Because of the loop in the main task that installs the needed packages, clamav pulls clam-data as a dependency (at least on rhel8, surely more).
Using the supported list-of-packages syntax resolves the problem.
PR on its way.

Regards,
Clément
