* [PATCH pve-installer/pmg-api 0/2] ensure clamav-daemon is enabled
From: Stoiko Ivanov @ 2026-06-09 10:07 UTC (permalink / raw)
To: pmg-devel
debian upstream's clamav packaging had some changes recently as to which
services are enabled by default.
This seems somewhat in active flux currently - so for the time being
enable the 2 services PMG needs unconditionally.

issue was initially:
Reported-by: Samuel Rufinatscha <s.rufinatscha@proxmox.com>
and reproduced by a few colleagues.
Thank you all!

pmg-api:

Stoiko Ivanov (1):
  d/postinst: ensure that clamav-daemon is enabled

 debian/postinst | 5 +++++
 1 file changed, 5 insertions(+)

pve-installer:

Stoiko Ivanov (1):
  pmg: ensure clamav-daemon is enabled

 Proxmox/Install.pm | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

Summary over all repositories:
  2 files changed, 12 insertions(+), 2 deletions(-)
--
Generated by murpp 0.12.0
* [PATCH pmg-api 1/2] d/postinst: ensure that clamav-daemon is enabled
From: Stoiko Ivanov @ 2026-06-09 10:07 UTC (permalink / raw)
To: pmg-devel
Similar to:
cb8e149 ("d/postinst: ensure that clamav-freshclam is enabled")
We recently packaged the version currently in debian testing, which
explicitly installs clamav-daemon, without enabling it,
while debian-upstream's experimental branch does enable it.
As there is quite a bit of back and forth - simply enable the service
unconditionally.
We might look into making it possible to keep clamav disabled (e.g. if
users are relying on avast only, or have a custom_check_script which
handles virus checking) - but that can be done independently.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
debian/postinst | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/debian/postinst b/debian/postinst
index c7e05e7..ee218ab 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -145,6 +145,11 @@ case "$1" in
deb-systemd-invoke enable clamav-freshclam.service >/dev/null 2>&1 || true
fi
+ if ! systemctl --quiet is-enabled clamav-daemon.service ; then
+ echo "Enabling clamav-daemon as antivirus"
+ deb-systemd-invoke enable clamav-daemon.service >/dev/null 2>&1 || true
+ fi
+
if test -n "$2" && dpkg --compare-versions "$2" 'lt' '8.2.0'; then
old_score_location=/var/cache/pmg-scores.cf
new_score_location=/etc/mail/spamassassin/pmg-scores.cf.new
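Review bot: The `is-enabled` test that opens the added block is also false for a masked unit, and the `>/dev/null 2>&1 || true` on the enable line hides the failure that follows, so on a system where the admin masked clamav-daemon.service this branch prints "Enabling clamav-daemon as antivirus" on every run while nothing changes. Check for the masked state before the echo, or print the message only when the enable call succeeded. The clamav-freshclam enable line just above uses the same pattern and would benefit from the same treatment.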
--
2.47.3
* [PATCH installer 2/2] pmg: ensure clamav-daemon is enabled
From: Stoiko Ivanov @ 2026-06-09 10:07 UTC (permalink / raw)
To: pmg-devel
the version currently in debian testing (and backported by us)
installs the service without enabling it, the tag named
`debian-1.4.4` otoh enables it.
with the back and forth unconditionally enabling it in our installer
seems like a robust measure.
follows commit:
72480b2 ("pmg: ensure clamav-freshclam is enabled")
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
Proxmox/Install.pm | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/Proxmox/Install.pm b/Proxmox/Install.pm
index 8fd51a9..1740d13 100644
--- a/Proxmox/Install.pm
+++ b/Proxmox/Install.pm
@@ -1438,13 +1438,18 @@ _EOD
"$targetdir/etc/systemd/system/multi-user.target.wants/clamav-clamonacc.service"
or $!{ENOENT}
or warn "failed to disable clamav-clamonacc.service - $!\n";
- # clamav-freshclam is not enabled automatically anymore in recent versions - so ensure
- # it will start - see https://salsa.debian.org/clamav-team/clamav/-/merge_requests/7
+ # clamav daemons are not enabled automatically anymore in recent versions and the
+ # upstream maintainers do change that part comparatively often - so just ensure
+ # that the services are enabled here
syscmd(
"ln -sf /lib/systemd/system/clamav-freshclam.service $targetdir/etc/systemd/system/multi-user.target.wants/clamav-freshclam.service"
) == 0
|| warn "failed to enable clamav-freshclam.service - $!\n";
+ syscmd(
+ "ln -sf /lib/systemd/system/clamav-freshclam.service $targetdir/etc/systemd/system/multi-user.target.wants/clamav-freshclam.service"
+ ) == 0
+ || warn "failed to enable clamav-freshclam.service - $!\n";
}
if ($iso_env->{product} eq 'pve') {
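Review bot: The added `syscmd(...)` block at the end of this hunk is a verbatim copy of the clamav-freshclam block directly above it: the `ln -sf` source, the link target and the warn text all name clamav-freshclam.service, so clamav-daemon.service is never linked into multi-user.target.wants even though the subject says the patch enables it. Replace freshclam with daemon in all three places of the new block, so that the link points at /lib/systemd/system/clamav-daemon.service and the warning names the unit that actually failed.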
--
2.47.3
* Re: [PATCH installer 2/2] pmg: ensure clamav-daemon is enabled
From: Christoph Heiss @ 2026-06-09 10:18 UTC (permalink / raw)
To: Stoiko Ivanov; +Cc: pmg-devel
On Tue Jun 9, 2026 at 12:07 PM CEST, Stoiko Ivanov wrote:
> the version currently in debian testing (and backported by us)
> installs the service without enabling it, the tag named
> `debian-1.4.4` otoh enables it.
> with the back and forth unconditionally enabling it in our installer
> seems like a robust measure.
>
> follows commit:
> 72480b2 ("pmg: ensure clamav-freshclam is enabled")
>
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
> Proxmox/Install.pm | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/Proxmox/Install.pm b/Proxmox/Install.pm
> index 8fd51a9..1740d13 100644
> --- a/Proxmox/Install.pm
> +++ b/Proxmox/Install.pm
> @@ -1438,13 +1438,18 @@ _EOD
> "$targetdir/etc/systemd/system/multi-user.target.wants/clamav-clamonacc.service"
> or $!{ENOENT}
> or warn "failed to disable clamav-clamonacc.service - $!\n";
> - # clamav-freshclam is not enabled automatically anymore in recent versions - so ensure
> - # it will start - see https://salsa.debian.org/clamav-team/clamav/-/merge_requests/7
> + # clamav daemons are not enabled automatically anymore in recent versions and the
> + # upstream maintainers do change that part comparatively often - so just ensure
> + # that the services are enabled here
> syscmd(
> "ln -sf /lib/systemd/system/clamav-freshclam.service $targetdir/etc/systemd/system/multi-user.target.wants/clamav-freshclam.service"
> ) == 0
> || warn "failed to enable clamav-freshclam.service - $!\n";
>
> + syscmd(
> + "ln -sf /lib/systemd/system/clamav-freshclam.service $targetdir/etc/systemd/system/multi-user.target.wants/clamav-freshclam.service"
> + ) == 0
> + || warn "failed to enable clamav-freshclam.service - $!\n";
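Review bot: The rewritten comment at the top of this hunk drops the pointer to https://salsa.debian.org/clamav-team/clamav/-/merge_requests/7 that the two removed comment lines carried. Keep the link in the new comment, since it is the only in-code reference explaining why the installer has to create these symlinks itself.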
From a very quick glance, I suppose it's supposed to be
s/freshclam/daemon/g in this hunk?
* Re: [PATCH pve-installer/pmg-api 0/2] ensure clamav-daemon is enabled
From: Thomas Lamprecht @ 2026-06-09 10:49 UTC (permalink / raw)
To: Stoiko Ivanov, pmg-devel
On 09/06/2026 12:07, Stoiko Ivanov wrote:
> debian upstream's clamav packaging had some changes recently as to which
> services are enabled by default.
> This seems somewhat in active flux currently - so for the time being
> enable the 2 services PMG needs unconditionally.
Doesn't catch the on-top of plain Debian installation though? Why not
address this in our clamav packages?
Auto-enabling services from other packages in the postinst on every update
seems also rather ugly.
* Re: [PATCH pve-installer/pmg-api 0/2] ensure clamav-daemon is enabled
From: Thomas Lamprecht @ 2026-06-09 10:53 UTC (permalink / raw)
To: Stoiko Ivanov, pmg-devel
On 09/06/2026 12:49, Thomas Lamprecht wrote:
> On 09/06/2026 12:07, Stoiko Ivanov wrote:
>> debian upstream's clamav packaging had some changes recently as to which
>> services are enabled by default.
>> This seems somewhat in active flux currently - so for the time being
>> enable the 2 services PMG needs unconditionally.
>
> Doesn't catch the on-top of plain Debian installation though? Why not
> address this in our clamav packages?
>
> Auto-enabling services from other packages in the postinst on every update
> seems also rather ugly.
>
ok, a pre-existing pattern, fine for now then, but still ugly and should
be cleaned up someday.
* Re: [PATCH pve-installer/pmg-api 0/2] ensure clamav-daemon is enabled
From: Stoiko Ivanov @ 2026-06-09 11:09 UTC (permalink / raw)
To: Thomas Lamprecht; +Cc: pmg-devel
On Tue, 9 Jun 2026 12:49:20 +0200
Thomas Lamprecht <t.lamprecht@proxmox.com> wrote:
> On 09/06/2026 12:07, Stoiko Ivanov wrote:
> > debian upstream's clamav packaging had some changes recently as to which
> > services are enabled by default.
> > This seems somewhat in active flux currently - so for the time being
> > enable the 2 services PMG needs unconditionally.
>
> Doesn't catch the on-top of plain Debian installation though? Why not
> address this in our clamav packages?
Would also be an option - but tbh - the current intermediate version we
ship should get replaced by the next update to clamav with (one of) the
next trixie point releases - and I'd want to avoid tracking clamav
ourselves, if the only diff is the service enablement.
I sent a MR upstream last time (PMG 9.0):
https://salsa.debian.org/clamav-team/clamav/-/merge_requests/7
while this was not merged as is - there have been 3-4 different variants
of how and which services are enabled and started in different branches
and tags on salsa. - I don't mean to complain - but to say that I think
this will take a while until the dust settles.
>
> Auto-enabling services from other packages in the postinst on every update
> seems also rather ugly.
agreed - and afaict there were requests by users (probably in our community
forum as I did not find it in bugzilla from a quick search) that requested
to not have clamav restarted once per hour (old code in pmg-hourly from a
time when clamav was not running as stable I guess).
I'd add a bugzilla issue for making it possible to not have clamav running
without masking it (which is the current escape-hatch users have)
* Re: [PATCH pve-installer/pmg-api 0/2] ensure clamav-daemon is enabled
From: Thomas Lamprecht @ 2026-06-09 11:15 UTC (permalink / raw)
To: Stoiko Ivanov; +Cc: pmg-devel
On 09/06/2026 13:09, Stoiko Ivanov wrote:
> On Tue, 9 Jun 2026 12:49:20 +0200
> Thomas Lamprecht <t.lamprecht@proxmox.com> wrote:
>
>> On 09/06/2026 12:07, Stoiko Ivanov wrote:
>>> debian upstream's clamav packaging had some changes recently as to which
>>> services are enabled by default.
>>> This seems somewhat in active flux currently - so for the time being
>>> enable the 2 services PMG needs unconditionally.
>>
>> Doesn't catch the on-top of plain Debian installation though? Why not
>> address this in our clamav packages?
> Would also be an option - but tbh - the current intermediate version we
> ship should get replaced by the next update to clamav with (one of) the
> next trixie point releases - and I'd want to avoid tracking clamav
> ourselves, if the only diff is the service enablement.
Why? I'd always want to track such core packages for a product to reduce
reliance on external dependencies and avoid a few surprises like here, and
it's not like it would be _that_ much work?
> I sent a MR upstream last time (PMG 9.0):
> https://salsa.debian.org/clamav-team/clamav/-/merge_requests/7
> while this was not merged as is - there have been 3-4 different variants
> of how and which services are enabled and started in different branches
> and tags on salsa. - I don't mean to complain - but to say that I think
> this will take a while until the dust settles.
Supports my point above.