
Azure Kubernetes Service - "can't connect your clamd clamd.sock connection refused" after 24 hours

Open ABRT29 opened this issue 2 years ago • 4 comments

Hi,

I'm deploying to AKS and I have this error showing up 24 hours after each deployment: ^clamd was NOT notified: Can't connect to clamd through /run/clamav/clamd.sock: Connection refused

When I look at the socket (/run/clamav/clamd.sock) it shows me this error: can't open clamd.sock: No such device or address

Here is the clamd.conf configuration:

User clamav
TCPSocket 3310
TCPAddr 0.0.0.0
PidFile /run/lock/clamd.pid
LocalSocket /run/clamav/clamd.sock

Do you have a solution or an idea? Thank you in advance!

ABRT29 avatar May 06 '22 09:05 ABRT29

Not using AKS, but I've been trying to get this container to work with ACS, with no luck outside of manually running command clamd restart and absurd similar behavior after 24 hours, which I determined was from the freshclam command and the clamd not running. At least within ACS.

I am curious since you are also using Azure, if you have the time/resources could you see if you also have this same issue as I posted here: https://github.com/Cisco-Talos/clamav/issues/567. I ended up using the unofficial container mko-x/docker-clamav hoping someone with a better understanding could figure out the root cause.

M1K3Yio avatar May 09 '22 18:05 M1K3Yio

I'm also having the same problem but with Docker on Ubuntu. Somehow clamd just stopped working after it had been started for a while, and no log was printed about the error.

Here are some logs:

/var/log/clamav/freshclam.log

--------------------------------------
Received signal: wake up
ClamAV update process started at Wed May 11 03:19:58 2022
daily database available for update (local version: 26536, remote version: 26537)
Testing database: '/var/lib/clamav/tmp.38a89007fe/clamav-e967658444338ed3e0c279c281371897.tmp-daily.cld' ...
Database test passed.
daily.cld updated (version: 26537, sigs: 1984235, f-level: 90, builder: raynman)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
WARNING: Clamd was NOT notified: Can't connect to clamd through /run/clamav/clamd.sock: Connection refused
--------------------------------------

/var/log/clamav/clamd.log

Tue May 10 09:31:12 2022 -> SelfCheck: Database status OK.
Tue May 10 09:41:16 2022 -> SelfCheck: Database status OK.
Tue May 10 09:51:19 2022 -> SelfCheck: Database status OK.
Tue May 10 10:01:23 2022 -> SelfCheck: Database status OK.
Tue May 10 10:11:26 2022 -> SelfCheck: Database status OK.
Tue May 10 10:21:30 2022 -> SelfCheck: Database status OK.
Tue May 10 10:31:34 2022 -> SelfCheck: Database status OK.
Wed May 11 04:22:32 2022 -> +++ Started at Wed May 11 04:22:32 2022
Wed May 11 04:22:32 2022 -> Received 0 file descriptor(s) from systemd.
Wed May 11 04:22:32 2022 -> clamd daemon 0.104.3 (OS: Linux, ARCH: x86_64, CPU: x86_64)
Wed May 11 04:22:32 2022 -> Log file size limited to 1048576 bytes.
Wed May 11 04:22:32 2022 -> Reading databases from /var/lib/clamav
Wed May 11 04:22:32 2022 -> Not loading PUA signatures.
Wed May 11 04:22:32 2022 -> Bytecode: Security mode set to "TrustSigned".
Wed May 11 04:23:12 2022 -> Loaded 8616297 signatures.
Wed May 11 04:23:24 2022 -> TCP: Bound to [0.0.0.0]:3310
Wed May 11 04:23:24 2022 -> TCP: Setting connection queue length to 200
Wed May 11 04:23:24 2022 -> LOCAL: Unix socket file /run/clamav/clamd.sock
Wed May 11 04:23:24 2022 -> LOCAL: Setting connection queue length to 200
Wed May 11 04:23:24 2022 -> Limits: Global time limit set to 120000 milliseconds.
Wed May 11 04:23:24 2022 -> Limits: Global size limit set to 104857600 bytes.
Wed May 11 04:23:24 2022 -> Limits: File size limit set to 26214400 bytes.
Wed May 11 04:23:24 2022 -> Limits: Recursion level limit set to 17.
Wed May 11 04:23:24 2022 -> Limits: Files limit set to 10000.
Wed May 11 04:23:24 2022 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Wed May 11 04:23:24 2022 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Wed May 11 04:23:24 2022 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Wed May 11 04:23:24 2022 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
Wed May 11 04:23:24 2022 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Wed May 11 04:23:24 2022 -> Limits: MaxPartitions limit set to 50.
Wed May 11 04:23:24 2022 -> Limits: MaxIconsPE limit set to 100.
Wed May 11 04:23:24 2022 -> Limits: MaxRecHWP3 limit set to 16.
Wed May 11 04:23:24 2022 -> Limits: PCREMatchLimit limit set to 100000.
Wed May 11 04:23:24 2022 -> Limits: PCRERecMatchLimit limit set to 2000.
Wed May 11 04:23:24 2022 -> Limits: PCREMaxFileSize limit set to 26214400.
Wed May 11 04:23:24 2022 -> Archive support enabled.
Wed May 11 04:23:24 2022 -> AlertExceedsMax heuristic detection disabled.
Wed May 11 04:23:24 2022 -> Heuristic alerts enabled.
Wed May 11 04:23:24 2022 -> Portable Executable support enabled.
Wed May 11 04:23:24 2022 -> ELF support enabled.
Wed May 11 04:23:24 2022 -> Mail files support enabled.
Wed May 11 04:23:24 2022 -> OLE2 support enabled.
Wed May 11 04:23:24 2022 -> PDF support enabled.
Wed May 11 04:23:24 2022 -> SWF support enabled.
Wed May 11 04:23:24 2022 -> HTML support enabled.
Wed May 11 04:23:24 2022 -> XMLDOCS support enabled.
Wed May 11 04:23:24 2022 -> HWP3 support enabled.
Wed May 11 04:23:24 2022 -> Self checking every 600 seconds.
Wed May 11 04:23:24 2022 -> Set stacksize to 1048576
Wed May 11 04:33:36 2022 -> SelfCheck: Database status OK.
Wed May 11 04:43:39 2022 -> SelfCheck: Database status OK.

earthpyy avatar May 11 '22 04:05 earthpyy

I believe this may be related to freshclam? When running in a pod in Kubernetes, I notice clamd is listening on TCP. But right after freshclam finishes and the pod goes to READY status... I think freshclam tells clamd to HUP maybe? Which is not a thing in pods and so it just stops listening.

> ps aux
   18 clamav    0:25 clamd --foreground

> netstat -tunlp
   tcp        0      0 0.0.0.0:3310            0.0.0.0:*               LISTEN      -

## After freshclam finishes and notifies clamd

> ps aux
   18 clamav    0:37 [clamd]
   
> netstat -tunlp
NOTHING

MattMencel avatar May 20 '22 15:05 MattMencel

Ah... I believe it's #330 . This Issue can probably be closed as a duplicate.

MattMencel avatar May 20 '22 16:05 MattMencel

Yes I think this is a duplicate.

As noted in #330, I believe the issue is that the container needs more RAM in order to concurrently reload the databases. So when an update to the database happens, clamd attempts to reload, runs out of memory, and is killed.

micahsnyder avatar Sep 06 '22 18:09 micahsnyder
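
Added example, not code from this thread or from the ClamAV project: a clamd that is killed during a reload logs nothing, so the only trace in the clamd.log excerpt posted above is the missing SelfCheck lines. This sketch flags any silence longer than twice the logged 600-second self-check interval, using lines copied from that excerpt; the function names and the slack factor are assumptions.

```python
from datetime import datetime, timedelta

# Lines copied from the clamd.log excerpt posted earlier in this thread.
SAMPLE_CLAMD_LOG = """\
Tue May 10 10:21:30 2022 -> SelfCheck: Database status OK.
Tue May 10 10:31:34 2022 -> SelfCheck: Database status OK.
Wed May 11 04:22:32 2022 -> +++ Started at Wed May 11 04:22:32 2022
Wed May 11 04:23:24 2022 -> Self checking every 600 seconds.
Wed May 11 04:33:36 2022 -> SelfCheck: Database status OK.
Wed May 11 04:43:39 2022 -> SelfCheck: Database status OK.
"""

TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # timestamp layout used in the excerpt


def parse_line(line):
    """Split 'Tue May 10 10:31:34 2022 -> message' into (datetime, message)."""
    stamp, sep, message = line.partition(" -> ")
    if not sep:
        return None  # not a timestamped clamd log line
    try:
        return datetime.strptime(stamp.strip(), TS_FORMAT), message.strip()
    except ValueError:
        return None


def find_silent_gaps(log_text, selfcheck_seconds=600, slack=2.0):
    """Return (last_seen, next_seen, restarted) for each silence longer
    than slack * selfcheck_seconds. 'restarted' is True when the first
    line after the silence is clamd's startup banner."""
    limit = timedelta(seconds=selfcheck_seconds * slack)
    gaps, previous = [], None
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, message = parsed
        if previous is not None and when - previous > limit:
            gaps.append((previous, when, message.startswith("+++ Started at")))
        previous = when
    return gaps


if __name__ == "__main__":
    for last_seen, next_seen, restarted in find_silent_gaps(SAMPLE_CLAMD_LOG):
        state = "ended by a restart" if restarted else "no restart logged"
        print(f"clamd silent from {last_seen} to {next_seen} ({state})")
```

On the excerpt this reports one silence, from the last SelfCheck on May 10 to the startup banner on May 11, which covers the freshclam run whose notification was refused.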