Mailing List Archive

[clamav-users] ClamAV 0.105.0 service deployed as a Docker container on AWS ECS seem to stop abruptly on startup
Hello,

We have deployed ClamAV as an AWS ECS service using image URI
docker.io/clamav/clamav:latest
However, the clamav service is not starting properly.

The file /var/log/clamav/clamd.log shows the lines:

Tue May 10 20:14:28 2022 -> +++ Started at Tue May 10 20:14:28 2022
Tue May 10 20:14:28 2022 -> Received 0 file descriptor(s) from systemd.
Tue May 10 20:14:28 2022 -> clamd daemon 0.105.0 (OS: Linux, ARCH: x86_64, CPU: x86_64)
Tue May 10 20:14:28 2022 -> Log file size limited to 1048576 bytes.
Tue May 10 20:14:28 2022 -> Reading databases from /var/lib/clamav
Tue May 10 20:14:28 2022 -> Not loading PUA signatures.
Tue May 10 20:14:28 2022 -> Bytecode: Security mode set to "TrustSigned".
Tue May 10 20:14:45 2022 -> Loaded 8615352 signatures.
Tue May 10 20:14:49 2022 -> TCP: Bound to []:3310
Tue May 10 20:14:49 2022 -> TCP: Setting connection queue length to 200
Tue May 10 20:14:49 2022 -> LOCAL: Unix socket file /run/clamav/clamd.sock
Tue May 10 20:14:49 2022 -> LOCAL: Setting connection queue length to 200
Tue May 10 20:14:49 2022 -> Limits: Global time limit set to 120000 milliseconds.
Tue May 10 20:14:49 2022 -> Limits: Global size limit set to 419430400 bytes.
Tue May 10 20:14:49 2022 -> Limits: File size limit set to 104857600 bytes.
Tue May 10 20:14:49 2022 -> Limits: Recursion level limit set to 17.
Tue May 10 20:14:49 2022 -> Limits: Files limit set to 10000.
Tue May 10 20:14:49 2022 -> Limits: MaxEmbeddedPE limit set to 41943040 bytes.
Tue May 10 20:14:49 2022 -> Limits: MaxHTMLNormalize limit set to 41943040 bytes.
Tue May 10 20:14:49 2022 -> Limits: MaxHTMLNoTags limit set to 8388608 bytes.
Tue May 10 20:14:49 2022 -> Limits: MaxScriptNormalize limit set to 20971520 bytes.
Tue May 10 20:14:49 2022 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Tue May 10 20:14:49 2022 -> Limits: MaxPartitions limit set to 50.
Tue May 10 20:14:49 2022 -> Limits: MaxIconsPE limit set to 100.
Tue May 10 20:14:49 2022 -> Limits: MaxRecHWP3 limit set to 16.
Tue May 10 20:14:49 2022 -> Limits: PCREMatchLimit limit set to 100000.
Tue May 10 20:14:49 2022 -> Limits: PCRERecMatchLimit limit set to 2000.
Tue May 10 20:14:49 2022 -> Limits: PCREMaxFileSize limit set to 104857600.
Tue May 10 20:14:49 2022 -> Archive support enabled.
Tue May 10 20:14:49 2022 -> AlertExceedsMax heuristic detection disabled.
Tue May 10 20:14:49 2022 -> Heuristic alerts enabled.
Tue May 10 20:14:49 2022 -> Portable Executable support enabled.
Tue May 10 20:14:49 2022 -> ELF support enabled.
Tue May 10 20:14:49 2022 -> Mail files support enabled.
Tue May 10 20:14:49 2022 -> OLE2 support enabled.
Tue May 10 20:14:49 2022 -> PDF support enabled.
Tue May 10 20:14:49 2022 -> SWF support enabled.
Tue May 10 20:14:49 2022 -> HTML support enabled.
Tue May 10 20:14:49 2022 -> XMLDOCS support enabled.
Tue May 10 20:14:49 2022 -> HWP3 support enabled.
Tue May 10 20:14:49 2022 -> Self checking every 600 seconds.
Tue May 10 20:14:49 2022 -> Set stacksize to 1048576
Tue May 10 20:14:59 2022 -> Reading databases from /var/lib/clamav

The only way to recover is to manually start the service by executing
the clamd command from the container.

We did try using an image from http://docker.io/mkodockx/docker-clamav
and that seemed to start properly.

I need help understanding why the clamav service seems to hang after
the container starts. Are there any other logs that will help
understand the issue?

Regards,
John
Re: [clamav-users] ClamAV 0.105.0 service deployed as a Docker container on AWS ECS seem to stop abruptly on startup
Hi there,

On Wed, 11 May 2022, John Varghese via clamav-users wrote:

> ...
> Tue May 10 20:14:59 2022 -> Reading databases from /var/lib/clamav
>
> I need help understanding why the clamav service seems to hang after
> the container starts.

Using clamd with Docker is a bit new. I never tried it - I wouldn't
even consider it until it's bedded down for a couple of years - but
there do seem to be a few people using it. I guess others with more
experience than I may be able to help if it's a genuine clamd/docker
issue which doesn't appear elsewhere. There have been one or two of
those recently if you trawl the list archives, I'm afraid I can't be
precise because I more or less ignore things related to Docker. The
search engines should make it easy to search for anything related to
Docker in the archives. It should also be easy to search the issues
in Github (unless you're using the same browser that I use, Palemoon,
which apparently can't handle anything with 'git' in the domain name).

But first, are you sure it's hanging? Is it perhaps just taking some
time to read the signature files? I've seen some systems take several
minutes to do that.

> Are there any other logs that will help understand the issue?

There are system logs which might help, but I wonder if we can get
more information about what's happening from clamd. You can increase
the verbosity in the clamd log in the clamd configuration file (see docs)
and then you can see what's being loaded as it happens.

What do you see if you run 'top' while you're starting clamd? I'd
expect if you sort the output by memory consumed that you'd see a
clamd process climb to the top of the list and stay there. While it's
loading signatures you'll see whatever CPUs it's allowed to use being
fully utilized until the signatures are loaded, then after some time
(depending on the CPU cycles/s available to clamd) CPU usage will drop
away more or less to zero until clamd is instructed to scan something.

If the process just disappears of course you have a problem. How much
RAM is available? You should budget at least 2GB for clamd. I'd say
3GB would be safer, and 4GB not unreasonable. You can reduce RAM used
during the database reloads with a configuration option at the cost of
not being able to scan anything during a reload.

--

73,
Ged.

Re: [clamav-users] ClamAV 0.105.0 service deployed as a Docker container on AWS ECS seem to stop abruptly on startup
Thanks. We resolved the issue by increasing the memory in the
AWS::ECS::TaskDefinition for the clamav service and present in the
CloudFormation from 2GB to 3GB.

Regards,
John Varghese
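
Added example, not part of the original thread and not ClamAV project code: the log in the first post ends on a second "Reading databases" line with no completion message after it, and the thread was resolved by giving the task more memory. The sketch below flags that pattern in a clamd.log; the function names are hypothetical and the "Database correctly reloaded" message is assumed from clamd's reload logging, since it does not appear in the post.

```python
import re
from datetime import datetime

# clamd log lines look like "Tue May 10 20:14:28 2022 -> message".
LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) -> (.*)$")
# Messages that end a database load. The reload message does not appear in the
# post; it is assumed to be what clamd logs after a successful reload.
DONE = re.compile(r"^(Loaded \d+ signatures\.|Database correctly reloaded)")

def parse(log_text):
    """Return [timestamp, message] pairs, re-joining mail-wrapped lines."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            entries.append([ts, m.group(2)])
        elif entries and raw.strip():
            entries[-1][1] += " " + raw.strip()  # continuation of a wrapped line
    return entries

def unfinished_loads(log_text):
    """Find 'Reading databases' events that never reached a completion message."""
    findings, pending = [], None
    for ts, msg in parse(log_text):
        if msg.startswith("+++ Started at"):
            if pending:
                findings.append((pending, "clamd restarted before load finished"))
            pending = None
        elif msg.startswith("Reading databases from"):
            pending = ts
        elif DONE.match(msg):
            pending = None
    if pending:
        findings.append((pending, "log ends during load"))
    return findings

# Abridged from the log in the original post.
SAMPLE = """\
Tue May 10 20:14:28 2022 -> +++ Started at Tue May 10 20:14:28 2022
Tue May 10 20:14:28 2022 -> clamd daemon 0.105.0 (OS: Linux, ARCH:
x86_64, CPU: x86_64)
Tue May 10 20:14:28 2022 -> Reading databases from /var/lib/clamav
Tue May 10 20:14:45 2022 -> Loaded 8615352 signatures.
Tue May 10 20:14:49 2022 -> Self checking every 600 seconds.
Tue May 10 20:14:59 2022 -> Reading databases from /var/lib/clamav
"""

if __name__ == "__main__":
    for ts, reason in unfinished_loads(SAMPLE):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {reason}")
```

A finding whose timestamp is the last line of the log, combined with a clamd process that is no longer running, is the point at which to check the container's memory limit.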

