有沒有辦法知道為什麼重新啟動服務以及是誰做的?
- Ubuntu 14.04
- 克拉瑪夫 0.98.7
該問題
clamav-daemon
幾乎每天都會重新啟動:Sep 1 06:30:00 x-master clamd[6778]: Pid file removed. clamd[6778]: --- Stopped at Tue Sep 1 06:30:00 2015 clamd[5979]: clamd daemon 0.98.7 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64) clamd[5979]: Running as user root (UID 0, GID 0) clamd[5979]: Log file size limited to 4294967295 bytes. clamd[5979]: Reading databases from /var/lib/clamav clamd[5979]: Not loading PUA signatures. clamd[5979]: Bytecode: Security mode set to "TrustSigned".
如果
clamdscan
正在執行,則會導致問題:/etc/cron.daily/clamav_scan: ERROR: Could not connect to clamd on x.x.x.x: Connection refused
請注意,我在開頭說“幾乎”:
/var/log/syslog:Sep 1 06:30:00 x-master clamd[6778]: Pid file removed. /var/log/syslog.1:Aug 31 06:27:54 x-master clamd[20128]: Pid file removed. /var/log/syslog.4.gz:Aug 28 06:28:34 x-master clamd[4475]: Pid file removed. /var/log/syslog.5.gz:Aug 27 06:27:47 x-master clamd[21466]: Pid file removed.
如你看到的:
- 它沒有發生在 8 月 29 日和 30 日
- 它經常在 06:27 左右重新啟動,這
cron.daily
是執行時間27 6 * * * root nice -n 19 ionice -c3 run-parts --report /etc/cron.daily
的內容
/etc/cron.daily/clamav_scan
:find / $exclude_string ! \( -path "/tmp/clamav-*.tmp" -prune \) ! \( -path "/var/lib/elasticsearch" -prune \) ! \( -path "/var/lib/mongodb" -prune \) ! \( -path "/var/lib/graylog-server" -prune \) -mtime -1 -type f -print0 | xargs -0 clamdscan --quiet -l "$status_file" || retval=$?
clamav-daemon 有一個 logrotate 文件:
/var/log/clamav/clamav.log { rotate 12 weekly compress delaycompress create 640 clamav adm postrotate /etc/init.d/clamav-daemon reload-log > /dev/null endscript }
但它只是重新載入日誌:
Sep 1 02:30:24 uba-master clamd[6778]: SIGHUP caught: re-opening log file.
我知道我們可以
auditd
用來監控二進製文件,這是一個範例日誌:ausearch -f /usr/sbin/clamd [2/178] ---- time->Tue Sep 1 07:56:44 2015 type=PATH msg=audit(1441094204.559:15): item=1 name=(null) inode=2756458 dev=fc:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1441094204.559:15): item=0 name="/usr/sbin/clamd" inode=3428628 dev=fc:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=CWD msg=audit(1441094204.559:15): cwd="/" type=EXECVE msg=audit(1441094204.559:15): argc=1 a0="/usr/sbin/clamd" type=SYSCALL msg=audit(1441094204.559:15): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd277e03dc a1=7ffd277dfa78 a2=7ffd277dfa88 a3=7ffd277df570 items=2 ppid=5708 pid=5946 auid=4294967295 uid=109 gid=114 euid=109 suid=109 fsuid=109 egid=114 sgid=114 fsgid=114 tty=pts1 ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" key=(null)
109 是…
clamav
使用者的 UID:getent passwd clamav clamav:x:109:114::/var/lib/clamav:/bin/false
在這種情況下是否有另一種解決方法?
回复@HBrijn:
更新 AV 定義後可能是新鮮蛤蜊?
我想過這個問題。這是日誌:
Sep 1 05:31:04 x-master freshclam[16197]: Received signal: wake up Sep 1 05:31:04 x-master freshclam[16197]: ClamAV update process started at Tue Sep 1 05:31:04 2015 Sep 1 05:31:04 x-master freshclam[16197]: main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo) Sep 1 05:31:05 x-master freshclam[16197]: Downloading daily-20865.cdiff [100%] Sep 1 05:31:09 x-master freshclam[16197]: daily.cld updated (version: 20865, sigs: 1555338, f-level: 63, builder: neo) Sep 1 05:31:10 x-master freshclam[16197]: bytecode.cvd is up to date (version: 268, sigs: 47, f-level: 63, builder: anvilleg) Sep 1 05:31:13 x-master freshclam[16197]: Database updated (3979610 signatures) from db.local.clamav.net (IP: 168.143.19.95) Sep 1 05:31:13 x-master freshclam[16197]: Clamd successfully notified about the update. Sep 1 05:31:13 x-master freshclam[16197]: -------------------------------------- Sep 1 04:34:10 x-master clamd[6778]: SelfCheck: Database status OK. Sep 1 05:31:13 x-master clamd[6778]: Reading databases from /var/lib/clamav Sep 1 05:31:22 x-master clamd[6778]: Database correctly reloaded (3974071 signatures)
我不確定這一點,但看起來freshclam 有一個“內部機制”來通知clamd 更新。之後它可以重新載入數據庫,無需重新啟動程序。你確定嗎?
此外,從時間戳中,我看到在freshclam 更新數據庫一小時後clamav-daemon 重新啟動。正常嗎?
更新 9 月 1 日星期二 22:10:49 ICT 2015
但看起來freshclam有一個“內部機制”來通知clamd有關更新。之後它可以重新載入數據庫,無需重新啟動程序。
我可以通過測試來確認這是正確的:
- 編輯freshclam.conf 文件以將時間間隔更改為一分鐘(
Checks 1440
)- 重啟clamav-freshclam
- cd /var/lib/clamav
- rm daily.cvd
- 等一分鐘
Sep 1 14:49:25 p freshclam[7654]: Downloading daily.cvd [100%] Sep 1 14:49:28 p freshclam[7654]: daily.cvd updated (version: 19487, sigs: 1191913, f-level: 63, builder: neo) Sep 1 14:49:28 p freshclam[7654]: Reading CVD header (bytecode.cvd): Sep 1 14:49:28 p freshclam[7654]: OK Sep 1 14:49:28 p freshclam[7654]: bytecode.cvd is up to date (version: 245, sigs: 43, f-level: 63, builder: dgoddard) Sep 1 14:49:31 p freshclam[7654]: Database updated (3616181 signatures) from clamav.local (IP: 10.0.2.2) Sep 1 14:49:31 p freshclam[7654]: Clamd successfully notified about the update. Sep 1 14:49:31 p freshclam[7654]: -------------------------------------- Sep 1 14:49:32 p clamd[6693]: Reading databases from /var/lib/clamav Sep 1 14:49:39 p clamd[6693]: Database correctly reloaded (3610621 signatures)
並且 clamav-daemon 沒有重新啟動。
請檢查您是否正在使用任何配置管理系統,例如 Puppet、Chef、CFEngine 等。它們可能會定期干擾服務。為糾正此問題而採取的具體行動取決於該服務在配置管理系統中的使用方式。
自己注意。
作業記憶體的輸出:
---------- ID: clamav-daemon Function: service.running Result: True Comment: Service restarted Started: 06:27:52.736890 Duration: 12997.632 ms Changes: ---------- clamav-daemon: True
看clamav公式:
clamav-daemon: service: - running - order: 50 - require: - service: clamav-freshclam - watch: - pkg: clamav-daemon - file: clamav-daemon - user: clamav
watch
ed 狀態中的任何內容都沒有改變:---------- ID: clamav-daemon Function: pkg.latest Result: True Comment: Package clamav-daemon is already up-to-date. Started: 06:27:51.531415 Duration: 53.224 ms Changes: ---------- ID: clamav-daemon Function: file.managed Name: /etc/clamav/clamd.conf Result: True Comment: File /etc/clamav/clamd.conf is in the correct state Started: 06:27:51.760019 Duration: 625.075 ms Changes: ---------- ID: clamav Function: user.present Result: True Comment: User clamav is present and up to date Started: 06:27:51.590214 Duration: 2.455 ms Changes:
為什麼服務已重新啟動?
尋找
watch_in
,我發現管理 pid 文件的狀態,如果 pid 文件發生更改,服務將重新啟動:{%- macro manage_pid(path, user, group, watch_in_service, mode=644) -%} {%- if salt['file.file_exists'](path) %} {{ path }}: file: - managed - user: {{ user }} - group: {{ group }} - mode: {{ mode }} - replace: False {%- if caller is defined -%} {%- for line in caller().split("\n") -%} {%- if loop.first %} - require: {%- endif %} {{ line|trim|indent(6, indentfirst=True) }} {%- endfor -%} {%- endif %} - watch_in: - service: {{ watch_in_service }} {%- else %} # {{ path }} does not exist, no need to manage {%- endif -%} {%- endmacro -%} {%- call manage_pid('/var/run/clamav/clamd.pid', 'clamav', 'clamav', 'clamav-daemon', 664) %} - pkg: clamav-daemon {%- endcall %}
在 的輸出中
salt-run jobs.lookup_jid <job id number>
,我看到了這個:---------- ID: /var/run/clamav/clamd.pid Function: file.managed Result: True Comment: Started: 06:27:52.392555 Duration: 2.364 ms Changes: ---------- group: clamav user: clamav
因此,該 pid 文件的所有者/組已更改為
clamav
. 最後,我發現原因是 clamav 守護程序是以root
使用者身份在網路模式下執行的。因此,pid 文件被創建為root
. 因此,管理 pid 文件的狀態必須更改為:{%- call manage_pid('/var/run/clamav/clamd.pid', 'root', 'root', 'clamav-daemon', 664) %} - pkg: clamav-daemon {%- endcall %}