On 24/06/13 18:34, Dennis Peterson wrote:
> On 6/23/13 6:28:23PM, Denis McMahon wrote:
>> On 23/06/13 23:10, Dennis Peterson wrote:
>>> One 'stupid' question and another test. Do you have any host table
>>> entries that can be confusing your resolver?
>>>
>>> Try running (via sudo or as root)
>>>
>>> strace -f freshclam >/tmp/freshclam.txt 2>&1
>>>
>>> then post the result on your web page - it will be quite long and will
>>> clutter the mail list.
>> http://www.sined.co.uk/tmp/freshclam.txt
>>
>>> You're not running any proxies so there should be no passwords in the
>>> output, but check anyway before posting it on the web. What to look for
>>> here are successful socket operations to external DNS servers. All
>>> indications are there will be none, but it will help to see what is
>>> going on in your stack.
>> As I said before, I have two machines on the LAN, one (with dhcp)
>> appears to update fine, the other with static ip doesn't. All the manual
>> tests I try from the system that doesn't update seem to suggest it
>> should be fine. DNS appears to resolve. I've just enabled apache reverse
>> dns lookups for logging on the problem system, and a quick test suggests
>> they're working. Here are the last few lines of the freshclam log from
>> the good machine:
>>
>>
> We're pretty well into the "Something we're sure of is wrong" territory,
> so nothing can be overlooked. I see no attempt in your strace dump to
> create a TCPIP socket, nor any attempt to resolve
> current.cvd.clamav.net. What was the result of examining your host
> table? How many instances of freshclam are running at the present time?
> What do you suppose is responsible for this:
>
> write(1, "ERROR: /var/log/clamav/freshclam"..., 66ERROR:
> /var/log/clamav/freshclam.log is locked by another process) = 66
>
> What do you see if you run this command?
>
> lsof |grep clam
I suspect that's a consequence of running freshclam on the command line
while freshclam is also running as a daemon.
> I'm still wondering what would have prevented your seeing something like
> this DNS query in your strace dump.
>
> uname({sys="Linux", node="example.com", ...}) = 0
> socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 4
> connect(4, {sa_family=AF_INET, sin_port=htons(53),
> sin_addr=inet_addr("xx.xxx.xxx.xx")}, 16) = 0
> poll([{fd=4, events=POLLOUT}], 1, 0) = 1 ([{fd=4, revents=POLLOUT}])
> sendto(4, "\1\335\1\0\0\1\0\0\0\0\0\0\7current\3cvd\6clamav\3"..., 40,
> MSG_NOSIGNAL, NULL, 0) = 40
> poll([{fd=4, events=POLLIN}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
> recvfrom(4, "\1\335\201\200\0\1\0\1\0\5\0\7\7current\3cvd\6clamav\3"...,
> 512, 0, {sa_family=AF_INET, sin_port=htons(53),
> sin_addr=inet_addr("xx.xxx.xxx.xx")}, [16]) = 320
> close(4) = 0
I think I see these (I'm no expert on interpreting the output) in this
trace:
http://www.sined.co.uk/tmp/fcbiglog.txt
This has verbose and debug flags to freshclam as well as being made
using strace ... (I hope that was a valid command) and was carried out
while the freshclam daemon was halted:
uname({sys="Linux", node="server.lan", ...}) = 0
stat64("/var/log/clamav/freshclam.log", {st_mode=S_IFREG|0640,
st_size=251671, ...}) = 0
time(NULL) = 1372098561
write(3, "Mon Jun 24 19:29:21 2013 -> Quer"..., 60) = 60
write(1, "Querying current.cvd.clamav.net\n", 32Querying
current.cvd.clamav.net
) = 32
stat64("/etc/resolv.conf", {st_mode=S_IFREG|0777, st_size=69, ...}) = 0
open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("127.0.0.1")}, 16) = 0
gettimeofday({1372098561, 362090}, NULL) = 0
poll([{fd=4, events=POLLOUT}], 1, 0) = 1 ([{fd=4, revents=POLLOUT}])
send(4, "\375\325\1\0\0\1\0\0\0\0\0\0\7current\3cvd\6clamav\3"..., 40,
MSG_NOSIGNAL) = 40
poll([{fd=4, events=POLLIN}], 1, 5000) = 1 ([{fd=4, revents=POLLERR}])
close(4) = 0
stat64("/var/log/clamav/freshclam.log", {st_mode=S_IFREG|0640,
st_size=251731, ...}) = 0
time(NULL) = 1372098561
The bit in the middle occurs 8 times.
$ ls -l /etc/resolv.conf
lrwxrwxrwx 1 root root 24 Oct 9 2012 /etc/resolv.conf ->
/etc/network/nameservers
$ ls -l /etc/network/nameservers
-rwxrwxr-x 1 root root 75 Jun 24 19:54 /etc/network/nameservers
$ cat /etc/network/nameservers
nameserver 8.8.4.4
nameserver 8.8.8.8
nameserver 192.168.1.254
search lan
$
I'm guessing that the interesting data here is:
open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
and
sin_addr=inet_addr("127.0.0.1")}, 16) = 0
which, at a guess, I'd say meant that freshclam had been unable to open
/etc/resolv.conf to get a list of nameservers, was using localhost as a
nameserver, and was getting nothing back from localhost?
$ host current.cvd.clamav.net localhost
;; connection timed out; no servers could be reached
$ host current.cvd.clamav.net 127.0.0.1
;; connection timed out; no servers could be reached
$
Tends to confirm the latter ....
So I installed dnsproxy, that didn't seem to help.
Then looking in syslog I saw a lot of:
Jun 25 15:55:34 server kernel: [883159.006897] type=1400
audit(1372172134.934:1143): apparmor="DENIED" operation="open"
parent=25929 profile="/usr/bin/freshclam"
name="/etc/network/nameservers" pid=25930 comm="freshclam"
requested_mask="r" denied_mask="r" fsuid=107 ouid=0
So the issue is that apparmor is blocking freshclam?
After adding:
/etc/resolv.conf r,
/etc/network/nameservers r,
in:
/etc/apparmor.d/local/usr.bin.freshclam
freshclam updated fine!
Why dnsproxy didn't fix it I have no idea, but I'll remove it as I don't
seem to need it anyway.
Rgds
Denis McMahon
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
