[clamav-users] Maximize availability during rule loading
Pierre Dehaen
dehaenp at drever.be
Mon Nov 28 16:23:00 UTC 2016
Hi,
As this question comes back now and then (from me in the past as well), I have a proposal IF
you have enough RAM. On reload:
- start a second instance with a slightly different config file containing "LocalSocket
.../clamd.sock.new"
- wait in the logs for "Database correctly reloaded"
- stop the first instance
- mv .../clamd.sock.new .../clamd.sock
I see some possible issues though:
- Other programs are connected to the original socket, but I suppose the socket will be
deleted when the first instance stops, so the other parties will try to reconnect and then
communicate with the new instance.
- The log file that would be opened and updated by both instances. The LogFileUnlock option
might be necessary but then the messages from one might overwrite those from the other.
So, if possible, the syslog could be used instead. Without the syslog I think it would be better
to define a clamd.log.new for the second instance and rotate the log file after the first
instance is stopped (clamd.log -> clamd.log.prev, clamd.log.new -> clamd.log, clamd.log.prev
-> clamd.log.new). The LogRotate might need to be disabled in the conf file and done outside
of clamd.
- The PidFile should be disabled (both instances would be killed at service stop). Anyway on
my system the service stop procedure uses a "pkill -x $prog", that means it would not stop
the "clamd --config ...clamd.conf.new" if it is running...
- If the database is not reloaded correctly both instances might remain up, we should wait for
the message with a timeout.
- It would not work in TCPSocket mode, only in LocalSocket mode.
Do you think this would work? Of course you would need temporarily an additional ~1GB of
RAM...
Somehow I must say I don't much like this procedure: it's a bit tricky. I would prefer to have 2
real service instances, each with its own configuration file, one persistently enabled, the other
not as it would be enabled temporarily during a db reload. But then I guess I would need 2
different socket, log and pid files.
As I'm using mimedefang to connect to the socket I could maybe make it failover to the
second socket in case the first one is not responding... I think it is a matter of updating
mimedefang-filter:
< my($code, $category, $action) = message_contains_virus();
------
> $ClamdSock = /...first.sock;
> my($code, $category, $action) = message_contains_virus();
> if ($action eq "tempfail") {
> $ClamdSock = /...second.sock;
> my($code, $category, $action) = message_contains_virus();
> }
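Review bot: on the retry line inside the `if` block, `my($code, $category, $action)` declares new variables scoped to that block, so the result from the second socket is discarded when the block ends and the outer `$action` still reads "tempfail"; drop the `my` on that line and assign to the variables already declared above. The two `$ClamdSock = /...first.sock;` style assignments also need the path quoted as a string to be valid Perl.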
The on-reload procedure would do:
- start a second service instance with its different config (socket, log, pid)
- wait in the log for "Database correctly reloaded"
- reload the first instance
- wait in the log for "Database correctly reloaded"
- stop the second instance
Thanks,
Pierre
On 20 Nov 2016 at 17:24, Charles Sprickman wrote:
Hi all,
I have two VMs running clamav and I monitor both with a simple nagios check (it sends
PING, waits for PONG). I have been getting quite a few notifications lately after adding sane
security and other 3rd party AV rulesets. Looking at the logs, I see that my timeouts line up
with the reloading messages:
Nov 20 16:39:02 spam-a clamd[1417]: Reading databases from /var/db/clamav
Nov 20 16:41:14 spam-a clamd[1417]: Database correctly reloaded (7986341 signatures)
I do have two servers, so if this is expected behavior, I'll just make nagios less touchy and let
the mail server just fail over to the other box. If not, what can be done to maintain availability
while the db reloads? I currently reload every hour (based on clamd.conf), occasionally more
often if there are new rules detected by clamav-unofficial-sigs.
Thanks,
Charles
--
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet www.bway.net
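
The first reload procedure from the reply above, including the timeout it asks for, written out as an added shell example (not code from the post or from the ClamAV project). The hook functions, the STANDBY_CONF and PRIMARY_CONF variables and the argument layout are assumptions; the awaited log line is the one named in the post and may need adjusting to what your clamd prints at startup.

```shell
#!/bin/sh
# Added example (not from the post). Paths, the conf variables and the hook
# functions are assumptions; replace the hooks with your own service commands.
READY_MSG='Database correctly reloaded'   # log line the post waits for

# Hypothetical hooks. stop_primary must return only after the old process has
# exited, so the socket rename below happens after its shutdown cleanup.
start_standby() { clamd --config-file="$STANDBY_CONF"; }
stop_standby()  { pkill -f -- "--config-file=$STANDBY_CONF"; }
stop_primary() {
    pkill -f -- "--config-file=$PRIMARY_CONF"
    while pgrep -f -- "--config-file=$PRIMARY_CONF" >/dev/null; do sleep 1; done
}

# wait_for_msg LOG TIMEOUT SKIP: succeed once READY_MSG shows up in LOG after
# its first SKIP lines (messages from earlier reloads must not count);
# fail when TIMEOUT seconds pass without it.
wait_for_msg() {
    log=$1 timeout=$2 skip=$3 waited=0
    while :; do
        if [ -f "$log" ] &&
           tail -n "+$((skip + 1))" "$log" | grep -qF "$READY_MSG"; then
            return 0
        fi
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
}

# swap_to_standby LOG TIMEOUT SOCK: start the standby (listening on SOCK.new),
# wait for it, then retire the primary and rename the socket into place.
# Returns 1 if the standby never became ready; in that case the standby is
# stopped and the primary keeps serving, so both never stay up together.
swap_to_standby() {
    log=$1 timeout=$2 sock=$3 skip=0
    [ -f "$log" ] && skip=$(wc -l < "$log")
    start_standby || return 1
    if ! wait_for_msg "$log" "$timeout" "$skip"; then
        stop_standby
        return 1
    fi
    stop_primary
    mv "$sock.new" "$sock"
}
```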