[clamav-users] ClamAV 0.102.2 needs a "--without-systemd" option
Paul Kosinski
clamav-users at iment.com
Mon Apr 20 17:25:36 UTC 2020
Andrew,

Yeah, per your posting, I tried running 'configure' specifying
`--with-systemdsystemunitdir=no` and it seemed to suppress the
systemd tie-in. (I didn't actually run 'make'.)

It would be nice if this were documented somewhere. The "--help" info
from 'configure' only lists 'DIR' as an argument. The latest reference
to 'systemd' in NEWS.md is for version 0.99.2 (and the other ".md"
files have nothing), and I couldn't find anything about this new
approach in the documentation or FAQs on GitHub. (Google doesn't turn
up anything definitive either.)

In any case, the systemd tie-in is a *major* change: it turns ClamAV
from a mere package into a run-at-startup *service*, and needs to be
presented as such.

-Paul

On Sun, 19 Apr 2020 15:17:51 -0400
Andrew Williams <awillia2 at sourcefire.com> wrote:
> Paul,
>
> You should be able to use `--with-systemdsystemunitdir=no` to make it
> so that `make install` won't try to register clamd as a systemd
> service
>
> -Andrew
>
> On Sun, Apr 19, 2020 at 1:26 PM Paul Kosinski via clamav-users <
> clamav-users at lists.clamav.net> wrote:
>
> > I finally built 0.102.2 a few days ago and was rather shocked that
> > it was tightly integrated into systemd. In a point release,
> > converting ClamAV into a mandatory server strikes me as weird,
> > especially since there is no "--without-systemd" option.
> >
> > I am not philosophically opposed to systemd (its partial ordering of
> > dependencies is actually quite elegant), but I have never used
> > ClamAV in conjunction with systemd (although I might consider it in
> > the future).
> >
> > Now for some details...
> >
> > The way I always have built ClamAV is to install each new version
> > in /opt under its version number. This allows me to try out the new
> > version without needing to shut down the running version. Then I
> > switch to the new version almost atomically by changing one symlink
> > (e.g., /opt/clamav -> /opt/clamav.0.102.2) and restarting clamd. So
> > if the new version has some problem, I can switch back (also almost
> > atomically).
> >
> > Luckily, my procedure was not totally wiped out by the systemd
> > issue due to the fact that (for extra security) I never run "make
> > install" as root. I always create the new ClamAV version directory
> > in /opt owned by the build user and install as that user (followed
> > by "chown -R 0.0" etc.). So the install failed without adding weird
> > stuff to my systemd environment.
> >
> > I then worked around the problem by studying the "configure"
> > options and found that there was an option
> > "--with-systemdsystemunitdir". So I pointed that to a harmless new
> > directory (/opt/clamav.0.102.2/systemd) and reran "configure",
> > "make", "make check" and "make install", which then all worked, and
> > showed me what the new systemd files contained.
> >
> > Thus I would strongly recommend adding a "--without-systemd" option
> > to the new "configure". If I hadn't employed my workaround, "make
> > install" (as root) would have added those 3 files to the standard
> > systemd environment. This would have totally broken the way I support
> > multiple versions of ClamAV, as those files have *absolute* paths
> > to the new version of ClamAV no matter where installed.
> >
> > P.S. I run freshclam via cron and my own "getfreshclam" wrapper.
> > This allows me to keep older signature files around in case a new
> > version has a serious problem. (It was also quite useful in
> > investigating the multi-hour out-of-date problem with Cloudflare's
> > BOS mirror.)
> >
> > Finally, note that simply using systemd and thus freshclam's builtin
> > periodic update mechanism (instead of cron) wouldn't easily allow
> > keeping previous signature files around as backups.