Gentoo Forums
clamd crashes after logrotate
hanj
Veteran

Joined: 19 Aug 2003
Posts: 1490

Posted: Fri Jul 23, 2021 2:08 pm    Post subject: clamd crashes after logrotate

Hello all

I've been struggling with clamav lately with the most recent update. I've been having crashing issues the last couple of days until I updated PID location. Things are much more stable, but now, when I run nightly logrotate on mail, amavis is complaining that clam fails and this will go for a few hours and clam is back. Here is a log snip:

Code:
Jul 23 04:11:29 comp amavis[30093]: (30093-08) (!)terminating process [31504] running ClamAV-clamdscan (reason: on reading: timed out)
Jul 23 04:11:29 comp amavis[28870]: (28870-14) (!)terminating process [31503] running ClamAV-clamdscan (reason: on reading: timed out)
Jul 23 04:11:30 comp amavis[30093]: (30093-08) (!)process [31504] running ClamAV-clamdscan is still alive, using a bigger hammer (SIGKILL)
Jul 23 04:11:30 comp amavis[30093]: (30093-08) (!)run_av (ClamAV-clamdscan): collect_results - reading aborted: timed out at /usr/sbin/amavisd line 5120.
Jul 23 04:11:30 comp amavis[30093]: (30093-08) (!)ClamAV-clamdscan av-scanner FAILED: run_av error: Exceeded allowed time\n
Jul 23 04:11:30 comp amavis[28870]: (28870-14) (!)process [31503] running ClamAV-clamdscan is still alive, using a bigger hammer (SIGKILL)
Jul 23 04:11:30 comp amavis[28870]: (28870-14) (!)run_av (ClamAV-clamdscan): collect_results - reading aborted: timed out at /usr/sbin/amavisd line 5120.
Jul 23 04:11:30 comp amavis[28870]: (28870-14) (!)ClamAV-clamdscan av-scanner FAILED: run_av error: Exceeded allowed time\n
Jul 23 04:11:30 comp amavis[30093]: (30093-08) (!)WARN: all primary virus scanners failed, considering backups
Jul 23 04:11:30 comp amavis[28870]: (28870-14) (!)WARN: all primary virus scanners failed, considering backups
Jul 23 04:12:38 comp amavis[30093]: (30093-08) (!)terminating process [26503] running ClamAV-clamscan (reason: on reading: timed out)
Jul 23 04:12:40 comp amavis[28870]: (28870-14) (!)terminating process [26506] running ClamAV-clamscan (reason: on reading: timed out)
Jul 23 04:12:40 comp amavis[30093]: (30093-08) (!)run_av (ClamAV-clamscan): collect_results - reading aborted: timed out at /usr/sbin/amavisd line 5120.
Jul 23 04:12:40 comp amavis[30093]: (30093-08) (!)ClamAV-clamscan av-scanner FAILED: run_av error: Exceeded allowed time\n
Jul 23 04:12:41 comp amavis[28870]: (28870-14) (!)process [26506] running ClamAV-clamscan is still alive, using a bigger hammer (SIGKILL)
Jul 23 04:12:41 comp amavis[28870]: (28870-14) (!)run_av (ClamAV-clamscan): collect_results - reading aborted: timed out at /usr/sbin/amavisd line 5120.
Jul 23 04:12:41 comp amavis[30093]: (30093-08) (!!)AV: ALL VIRUS SCANNERS FAILED
Jul 23 04:12:42 comp amavis[28870]: (28870-14) (!)ClamAV-clamscan av-scanner FAILED: run_av error: Exceeded allowed time\n
Jul 23 04:12:42 comp amavis[28870]: (28870-14) (!!)AV: ALL VIRUS SCANNERS FAILED


This is my @av_scanners for clamdscan

Code:
['ClamAV-clamdscan', 'clamdscan', "--fdpass --stdout --no-summary {}",
    [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],


Here are my versions:

Code:
[ebuild   R    ] app-antivirus/clamav-0.103.2::gentoo  USE="bzip2 iconv -clamdtop -clamonacc -clamsubmit -doc -ipv6 -libclamav-only -metadata-analysis-api -milter (-selinux) -systemd -test (-uclibc) -xml (-libressl%)" 13,075 KiB
[ebuild   R    ] mail-filter/amavisd-new-2.12.0-r5::gentoo  USE="mysql -clamav -courier -dkim -ldap -postgres -qmail -razor -rspamd -rspamd-https -snmp -spamassassin" 854 KiB


Here is my snippet from logrotate:

Code:
cat /etc/logrotate.d/mail
/var/log/mail.log {
        missingok
        compress
        daily
        rotate 21
        postrotate
                /etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
        endscript
}


In case it's related to clamd rotate, here is that bit:
Code:

cat /etc/logrotate.d/clamd
/var/log/clamav/clamd.log {
  su clamav clamav
  missingok
  postrotate
    if test -f /run/clamd.pid; then
      /bin/kill -HUP $(cat /run/clamd.pid)
    else
      true
    fi
  endscript
}


Thanks
hanji
_________________
Server Admin Blog - Uno-Code.com
freke
l33t

Joined: 23 Jan 2003
Posts: 977
Location: Somewhere in Denmark

Posted: Fri Jul 23, 2021 7:43 pm

You could try disabling logrotation for clamd in LogRotate and instead enable it in /etc/clamd.conf
Code:
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
Just to see if anything changes?
hanj
Veteran

Joined: 19 Aug 2003
Posts: 1490

Posted: Fri Jul 23, 2021 8:05 pm

freke wrote:
You could try disabling logrotation for clamd in LogRotate and instead enable it in /etc/clamd.conf
Code:
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
Just to see if anything changes?


Good idea. I'll give it a shot.

hanji
_________________
Server Admin Blog - Uno-Code.com
freke
l33t

Joined: 23 Jan 2003
Posts: 977
Location: Somewhere in Denmark

Posted: Fri Jul 23, 2021 9:54 pm

Another alternative could be trying to use ClamAV via a socket-file instead (that's how I do it on my Postfix+rSpamd setup).
ie. something like
Code:
### http://www.clamav.net/
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# # NOTE: run clamd under the same user as amavisd, or run it under its own
# #   uid such as clamav, add user clamav to the amavis group, and then add
# #   AllowSupplementaryGroups to clamd.conf;
# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
# #   this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
Modify the path to the socketfile as required...
hanj
Veteran

Joined: 19 Aug 2003
Posts: 1490

Posted: Fri Jul 23, 2021 10:04 pm

freke wrote:
Another alternative could be trying to use ClamAV via a socket-file instead (that's how I do it on my Postfix+rSpamd setup).
ie. something like
Code:
### http://www.clamav.net/
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# # NOTE: run clamd under the same user as amavisd, or run it under its own
# #   uid such as clamav, add user clamav to the amavis group, and then add
# #   AllowSupplementaryGroups to clamd.conf;
# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
# #   this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
Modify the path to the socketfile as required...


Thanks.. that was what I originally had, but after upgrading clamav I started showing 'crashed' in rc-status and another thread led me down to clamdscan instead... which helped. But now I have the logrotate issue. At least that's once a night vs. several times throughout the day.

Here is that post for reference:
https://forums.gentoo.org/viewtopic-t-1119562-highlight-clam.html

Thanks!
hanji
_________________
Server Admin Blog - Uno-Code.com
hanj
Veteran

Joined: 19 Aug 2003
Posts: 1490

Posted: Sat Jul 24, 2021 3:58 am

freke wrote:
You could try disabling logrotation for clamd in LogRotate and instead enable it in /etc/clamd.conf
Code:
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
Just to see if anything changes?


I was thinking about this. I don't think this would help. The mail script is a daily rotate, and that is what is failing. Clamd is weekly. So the action of the syslog-ng reload is causing the problem I think.

Code:
/var/log/mail.log {
        missingok
        compress
        daily
        rotate 21
        postrotate
                /etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
        endscript
}


So, to me, that's weird. Mail/Amavis is not being restarted (or shouldn't be), and clam at this point drops out.
_________________
Server Admin Blog - Uno-Code.com
hanj
Veteran

Joined: 19 Aug 2003
Posts: 1490

Posted: Sat Jul 24, 2021 4:11 am

Hmmm.. I'm wondering if it's not logrotate after all. There is a database modification at the same time

Code:
Fri Jul 23 04:05:54 2021 -> SelfCheck: Database modification detected. Forcing reload.
Fri Jul 23 04:05:55 2021 -> Reading databases from /var/lib/clamav
Fri Jul 23 04:06:37 2021 -> Database correctly reloaded (8555330 signatures)
Fri Jul 23 04:06:37 2021 -> Activating the newly loaded database...
Fri Jul 23 04:54:20 2021 -> SelfCheck: Database status OK.


Notice that the next Database status OK was almost an hour later. This period of time is when amavis is pissed.
_________________
Server Admin Blog - Uno-Code.com
freke
l33t

Joined: 23 Jan 2003
Posts: 977
Location: Somewhere in Denmark

Posted: Sat Jul 24, 2021 3:00 pm

I guess freshclam has updated the db - and at the first db-check after that clamd noticed it and reloaded.

freshclam can be setup to notify clamd of updates: /etc/freshclam.conf
Code:
# Send the RELOAD command to clamd.
# Default: no
NotifyClamd /etc/clamd.conf
ie. I have never seen the Database modification detected - I have this in my syslog
Code:
Jul 24 11:28:37 mail.vlh.dk clamd SelfCheck: Database status OK.
Jul 24 11:38:11 mail.vlh.dk freshclam Received signal: wake up
Jul 24 11:38:12 mail.vlh.dk freshclam ClamAV update process started at Sat Jul 24 11:38:11 2021
Jul 24 11:38:12 mail.vlh.dk freshclam daily database available for update (local version: 26241, remote version: 26242)
Jul 24 11:38:16 mail.vlh.dk freshclam Testing database: '/var/lib/clamav/tmp.e84f6df5a7/clamav-3f5b1b2cadc67077079c95f882f25c71.tmp-daily.cld' ...
Jul 24 11:38:37 mail.vlh.dk clamd SelfCheck: Database status OK.
Jul 24 11:38:47 mail.vlh.dk freshclam Database test passed.
Jul 24 11:38:47 mail.vlh.dk freshclam daily.cld updated (version: 26242, sigs: 1963537, f-level: 90, builder: raynman)
Jul 24 11:38:47 mail.vlh.dk freshclam main.cvd database is up-to-date (version: 61, sigs: 6607162, f-level: 90, builder: sigmgr)
Jul 24 11:38:47 mail.vlh.dk freshclam bytecode.cld database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Jul 24 11:38:47 mail.vlh.dk freshclam Clamd successfully notified about the update.
Jul 24 11:38:47 mail.vlh.dk freshclam --------------------------------------
Jul 24 11:38:47 mail.vlh.dk clamd Reading databases from /var/lib/clamav
Jul 24 11:40:21 mail.vlh.dk clamd Database correctly reloaded (8555475 signatures)
Jul 24 11:40:21 mail.vlh.dk clamd Activating the newly loaded database...
Jul 24 11:50:26 mail.vlh.dk clamd SelfCheck: Database status OK.


My mail-server is very low volume, so I wouldn't actually know if rSpamd would complain during the db-update/reload period.
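
Added example, not part of any post in this thread: a Python sketch that checks the observation above, that the amavis scanner failures line up with a clamd database reload rather than with logrotate, by placing each failure relative to the reload window in clamd.log. The sample lines are copied from the logs posted above; the function names and the `year` parameter (syslog lines carry no year) are this example's own.

```python
import re
from datetime import datetime

# Lines copied from the logs posted in this thread (a subset).
CLAMD_LOG = """\
Fri Jul 23 04:05:55 2021 -> Reading databases from /var/lib/clamav
Fri Jul 23 04:06:37 2021 -> Database correctly reloaded (8555330 signatures)
Fri Jul 23 04:54:20 2021 -> SelfCheck: Database status OK.
"""
AMAVIS_LOG = """\
Jul 23 04:11:30 comp amavis[30093]: (30093-08) (!)ClamAV-clamdscan av-scanner FAILED: run_av error: Exceeded allowed time\\n
Jul 23 04:12:41 comp amavis[30093]: (30093-08) (!!)AV: ALL VIRUS SCANNERS FAILED
"""
FAIL = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ amavis\[\d+\]: .*?"
                  r"(av-scanner FAILED|ALL VIRUS SCANNERS FAILED)")

def reload_windows(clamd_text):
    """Return (start, loaded, settled) datetimes for each clamd reload."""
    windows, start, loaded = [], None, None
    for stamp, msg in re.findall(r"^(.+?) -> (.*)$", clamd_text, re.M):
        ts = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        if msg.startswith("Reading databases"):
            start, loaded = ts, None
        elif msg.startswith("Database correctly reloaded") and start:
            loaded = ts
        elif msg.startswith("SelfCheck: Database status OK") and loaded:
            windows.append((start, loaded, ts))
            start = loaded = None
    return windows

def scanner_failures(amavis_text, year=2021):
    """Return (datetime, kind) per amavis scanner failure; year is assumed."""
    return [(datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S"), m[2])
            for m in map(FAIL.match, amavis_text.splitlines()) if m]

def classify(failures, windows):
    """Label each failure by where it falls relative to a reload window."""
    out = []
    for ts, kind in failures:
        label = "outside"
        for start, loaded, settled in windows:
            if start <= ts <= settled:
                label = "during-load" if ts <= loaded else "after-load"
        out.append((ts.strftime("%H:%M:%S"), kind, label))
    return out

if __name__ == "__main__":
    wins = reload_windows(CLAMD_LOG)
    print("load seconds:", [int((done - s).total_seconds()) for s, done, _ in wins])
    print(*classify(scanner_failures(AMAVIS_LOG), wins), sep="\n")
```

On the posted lines the database load took 42 seconds, and both amavis failures fall after clamd logged the reload as complete but before its next `SelfCheck: Database status OK`.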