[BUG] ClamAV is failing when running in Kubernetes #2113

@colindawson

Description

Bug Report

ClamAV is failing when running in Kubernetes

Aug 7 20:40:12 mailserver-676694cbcb-9ln82 amavis[544]: (00544-01) (!)run_av (ClamAV-clamd) FAILED - unexpected , output="/var/lib/amavis/tmp/amavis-20210807T204011-00544-Uzzrwj3z/parts: lstat() failed: Permission denied. ERROR\n"
Aug 7 20:40:12 mailserver-676694cbcb-9ln82 amavis[544]: (00544-01) (!)ClamAV-clamd av-scanner FAILED: CODE(0xaaaadd3dab40) unexpected , output="/var/lib/amavis/tmp/amavis-20210807T204011-00544-Uzzrwj3z/parts: lstat() failed: Permission denied. ERROR\n" at (eval 98) line 951.
Aug 7 20:40:12 mailserver-676694cbcb-9ln82 amavis[544]: (00544-01) (!)WARN: all primary virus scanners failed, considering backups
Aug 7 20:40:25 mailserver-676694cbcb-9ln82 postfix/smtpd[1668]: timeout after END-OF-MESSAGE from localhost[127.0.0.1]

Context

I have no volumes mounted for the ClamAV folders, as I didn't see anything in the Docker Hub info, in the documentation wiki or in any open issues.

What is affected by this bug?

It looks like ClamAV isn't working, although the email sources are reporting that they've been scanned!

When does this occur?

Every time an e-mail is received.

How do we replicate the issue?

  1. Start Docker image mailserver/docker-mailserver:10.0.0
  2. Receive an email.

Behavior

Actual Behavior

Aug 7 20:46:42 mailserver-676694cbcb-9ln82 postfix/smtpd[4874]: disconnect from mail-oi1-f178.google.com[209.85.167.178] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
Aug 7 20:46:42 mailserver-676694cbcb-9ln82 amavis[543]: (00543-02) (!)run_av (ClamAV-clamd) FAILED - unexpected , output="/var/lib/amavis/tmp/amavis-20210807T203421-00543-tG0afhAw/parts: lstat() failed: Permission denied. ERROR\n"
Aug 7 20:46:42 mailserver-676694cbcb-9ln82 amavis[543]: (00543-02) (!)ClamAV-clamd av-scanner FAILED: CODE(0xaaaadd3dab40) unexpected , output="/var/lib/amavis/tmp/amavis-20210807T203421-00543-tG0afhAw/parts: lstat() failed: Permission denied. ERROR\n" at (eval 98) line 951.
Aug 7 20:46:42 mailserver-676694cbcb-9ln82 amavis[543]: (00543-02) (!)WARN: all primary virus scanners failed, considering backups

Expected Behavior

There should not be a permission error.

Your Environment

  • version: 10.0.0
  • available RAM: 8GB
  • Ubuntu 20.04.2 LTS
  • docker://20.10.7
  • v1.21.3

Environment Variables

kind: ConfigMap
apiVersion: v1
metadata:
  name: mailserver.env.config
  namespace: mailserver
  labels:
    app: mailserver
data:
  POSTFIX_MESSAGE_SIZE_LIMIT: "100000000"
  OVERRIDE_HOSTNAME: <guess why I've changed this>
  ENABLE_FETCHMAIL: "0"
  FETCHMAIL_POLL: "120"
  ENABLE_SPAMASSASSIN: "1"
  SPAMASSASSIN_SPAM_TO_INBOX: "1"
  SA_SPAM_SUBJECT: "undef"
  MOVE_SPAM_TO_JUNK: "1"
  SA_TAG: "-100000.0"
  SA_TAG2: "4"
  SA_KILL: "100000.0"
  ENABLE_AMAVIS: "1"
  AMAVIS_LOGLEVEL: "0"
  ENABLE_CLAMAV: "1"
  ENABLE_FAIL2BAN: "1"
  ENABLE_POSTGREY: "1"
  ONE_DIR: "1"
  DMS_DEBUG: "0"
  SSL_TYPE: "manual"
  SSL_CERT_PATH: "/etc/ssl/mailserver/tls.crt"
  SSL_KEY_PATH: "/etc/ssl/mailserver/tls.key"

apiVersion: apps/v1
kind: Deployment
metadata:
  name: mailserver
  namespace: mailserver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mailserver
  template:
    metadata:
      labels:
        app: mailserver
        role: mail
        tier: backend
    spec:
      #nodeSelector:
      #  kubernetes.io/hostname: local.k8s
      #initContainers:
      #- name: init-myservice
      #  image: busybox
      #  command: ["/bin/sh", "-c", "cp /tmp/user-patches.sh /tmp/files"]
      #  volumeMounts:
      #    - name: config
      #      subPath: user-patches.sh
      #      mountPath: /tmp/user-patches.sh
      #      readOnly: true
      #    - name: tmp-files
      #      mountPath: /tmp/files
      containers:
      - name: docker-mailserver
        image: mailserver/docker-mailserver:10.0.0
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: false
          runAsUser: 0
          runAsGroup: 0
          runAsNonRoot: false
          privileged: false
          capabilities:
            add:
              # file permission capabilities
              - CHOWN
              - FOWNER
              - MKNOD
              - SETGID
              - SETUID
              - DAC_OVERRIDE
              # miscellaneous  capabilities
              - SYS_CHROOT
              - NET_BIND_SERVICE
              - KILL
              - NET_ADMIN
            drop: [ALL]
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
          - name: postfix-accounts
            mountPath: /tmp/docker-mailserver/postfix-accounts.cf
            readOnly: true
          - name: config
            subPath: postfix-main.cf
            mountPath: /tmp/docker-mailserver/postfix-main.cf
            readOnly: true
          - name: config
            subPath: postfix-virtual.cf
            mountPath: /tmp/docker-mailserver/postfix-virtual.cf
            readOnly: true
          - name: config
            subPath: fetchmail.cf
            mountPath: /tmp/docker-mailserver/fetchmail.cf
            readOnly: true
          - name: config
            subPath: dovecot.cf
            mountPath: /tmp/docker-mailserver/dovecot.cf
            readOnly: true
          - name: opendkim
            mountPath: /tmp/docker-mailserver/opendkim
            readOnly: true
          - name: data
            mountPath: /var/mail
            subPath: data
          - name: data
            mountPath: /var/mail-state
            subPath: state
          - name: data
            mountPath: /var/log/mail
            subPath: log
          - name: tls
            mountPath: /etc/ssl/mailserver
            readOnly: true
        ports:
          - name: smtp
            containerPort: 25
            protocol: TCP
          - name: smtp-secure
            containerPort: 465
            protocol: TCP
          - name: smtp-auth
            containerPort: 587
          - name: imap
            containerPort: 143
            protocol: TCP
          - name: imap-secure
            containerPort: 993
            protocol: TCP
        envFrom:
          - configMapRef:
              name: mailserver.env.config
      volumes:
        - name: config
          configMap:
            name: mailserver.config
        - name: postfix-accounts
          hostPath:
             path: /mnt/k8s/yaml/mailserver/config/postfix-accounts.cf
             type: File
        - name: opendkim
          hostPath:
            path: /mnt/k8s/yaml/mailserver/config/opendkim
            type: Directory
        - name: data
          persistentVolumeClaim:
            claimName: mailserver-pvc
        - name: tmp-files
          emptyDir: {}
        - name: tls
          secret:
            secretName: <redacted this, can you guess why?>

Relevant Stack Traces

# BEGIN

# END
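The log lines above show clamd, not amavis, getting EACCES from lstat() on the amavis temp directory. lstat() on a path needs search (execute) permission on every parent directory and nothing on the final entry, and under Linux that check is answered by the calling process's uid, its group list and its effective capabilities, not by the pod's securityContext as such. The example below, added here and not code from the issue or from docker-mailserver, emulates that check so the failure mode can be reasoned about offline. The directory tree, modes and uid/gid numbers are constructed for the example (modelled on a Debian-style amavis layout with /var/lib/amavis owned by amavis with mode 0750); the `clamav` and `amavis` uids are assumptions, not values taken from the page.

```python
"""Emulate the Unix discretionary-access check behind
"lstat() failed: Permission denied" (added example; constructed data)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

S_IXUSR, S_IXGRP, S_IXOTH = 0o100, 0o010, 0o001  # directory "search" bits


@dataclass(frozen=True)
class Dir:
    """One directory on the path: mode bits, owner uid, owner gid."""
    path: str
    mode: int
    uid: int
    gid: int


@dataclass(frozen=True)
class Subject:
    """The calling process: effective uid, all gids, effective capabilities."""
    uid: int
    gids: FrozenSet[int]
    caps: FrozenSet[str] = frozenset()


def may_search(d: Dir, s: Subject) -> bool:
    """Search permission on one directory under Linux DAC rules.
    CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH bypasses the mode bits; otherwise
    exactly one class applies: owner, else group, else other (never a union)."""
    if s.caps & {"CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH"}:
        return True
    if s.uid == d.uid:
        return bool(d.mode & S_IXUSR)
    if d.gid in s.gids:
        return bool(d.mode & S_IXGRP)
    return bool(d.mode & S_IXOTH)


def lstat_check(parents: List[Dir], s: Subject) -> Tuple[bool, Optional[str]]:
    """lstat(path) needs search permission on every parent directory and no
    permission at all on the final entry. Returns (ok, first denied directory)."""
    for d in parents:
        if not may_search(d, s):
            return False, d.path
    return True, None


# Constructed tree for the path in the log. Ownership, modes, uids and gids are
# assumptions made for this example, not values taken from the issue.
ROOT, AMAVIS_UID, AMAVIS_GID, CLAMAV_UID, CLAMAV_GID = 0, 108, 108, 109, 109
PARENTS = [
    Dir("/", 0o755, ROOT, ROOT),
    Dir("/var", 0o755, ROOT, ROOT),
    Dir("/var/lib", 0o755, ROOT, ROOT),
    Dir("/var/lib/amavis", 0o750, AMAVIS_UID, AMAVIS_GID),
    Dir("/var/lib/amavis/tmp", 0o750, AMAVIS_UID, AMAVIS_GID),
    Dir("/var/lib/amavis/tmp/amavis-20210807T204011-00544-Uzzrwj3z",
        0o750, AMAVIS_UID, AMAVIS_GID),
]


def scenarios():
    """Who can lstat() .../parts? Keys are scenario names, values (ok, denied_at)."""
    return {
        # clamd after dropping to the clamav user: no capabilities, only its own group
        "clamav_not_in_amavis_group": lstat_check(
            PARENTS, Subject(CLAMAV_UID, frozenset({CLAMAV_GID}))),
        # clamav with amavis as a supplementary group
        "clamav_in_amavis_group": lstat_check(
            PARENTS, Subject(CLAMAV_UID, frozenset({CLAMAV_GID, AMAVIS_GID}))),
        # uid 0 with every capability dropped is still bound by the mode bits
        "root_without_caps": lstat_check(
            PARENTS, Subject(ROOT, frozenset({ROOT}))),
        # uid 0 holding the DAC_OVERRIDE that the pod spec adds
        "root_with_dac_override": lstat_check(
            PARENTS, Subject(ROOT, frozenset({ROOT}), frozenset({"CAP_DAC_OVERRIDE"}))),
    }


if __name__ == "__main__":
    for name, (ok, denied) in scenarios().items():
        print(f"{name:28s} {'ok' if ok else 'Permission denied at ' + denied}")
```

The point the scenarios make: capabilities granted in `securityContext.capabilities.add` belong to the container's initial root process. A daemon that switches to an unprivileged uid (clamd normally runs as its own `clamav` user) loses them unless it deliberately keeps them, so the added CAP_DAC_OVERRIDE does not help clamd traverse an amavis-owned 0750 directory; what decides the outcome is whether the scanning user is in the directory owner's group, or the directory mode. On a live pod the same check can be run with `kubectl exec` into the container and `namei -l /var/lib/amavis/tmp` plus `id clamav` (assuming util-linux is present), which prints owner, group and mode for each path component.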
