'Re: [clamav-users] Time out under load'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       clamav-users
Subject:    Re: [clamav-users] Time out under load
From:       David Raynor <draynor () sourcefire ! com>
Date:       2012-08-22 15:47:21
Message-ID: CAAmFFgwCB=Ov-NU_UBT-ubOpj39iHGMRPf_7P0FXCdKy29gqgw () mail ! gmail ! com
[Download RAW message or body]

On Wed, Aug 22, 2012 at 10:14 AM, Binole, Bill <BBinole@medplus.com> wrote:

> We are seeing this error ERROR: ScanStream 31310: accept timeout. in our
> clamd log when we test calmd with a load.   The failures happen when we
> have 10 simultaneous connections to clamd.  We are stream scanning and are
> using libclamav-1.0 to construct our java client.  I have seen old posts
> where stream scanning had issues but they were many years old.  We are
> currently running clamd daemon 0.97.4 (OS: linux-gnu, ARCH: x86_64, CPU:
> x86_64) .    Startup of the daemon is below.
>
>
> Mon Aug 20 15:47:48 2012 -> +++ Started at Mon Aug 20 15:47:48 2012
> Mon Aug 20 15:47:48 2012 -> clamd daemon 0.97.4 (OS: linux-gnu, ARCH:
> x86_64, CPU: x86_64)
> Mon Aug 20 15:47:48 2012 -> Running as user clamav (UID 471, GID 441)
> Mon Aug 20 15:47:48 2012 -> Log file size limited to -1 bytes.
> Mon Aug 20 15:47:48 2012 -> Reading databases from /var/clamav
> Mon Aug 20 15:47:48 2012 -> Not loading PUA signatures.
> Mon Aug 20 15:47:48 2012 -> Bytecode: Security mode set to "TrustSigned".
> Mon Aug 20 15:47:51 2012 -> Loaded 1295058 signatures.
> Mon Aug 20 15:47:51 2012 -> TCP: Bound to address 172.18.33.70 on port 3310
> Mon Aug 20 15:47:51 2012 -> TCP: Setting connection queue length to 200
> Mon Aug 20 15:47:51 2012 -> LOCAL: Removing stale socket file
> /var/run/clamav/clamd.sock
> Mon Aug 20 15:47:51 2012 -> LOCAL: Unix socket file
> /var/run/clamav/clamd.sock
> Mon Aug 20 15:47:51 2012 -> LOCAL: Setting connection queue length to 200
> Mon Aug 20 15:47:51 2012 -> Limits: Global size limit set to 104857600
> bytes.
> Mon Aug 20 15:47:51 2012 -> Limits: File size limit set to 26214400 bytes.
> Mon Aug 20 15:47:51 2012 -> Limits: Recursion level limit set to 16.
> Mon Aug 20 15:47:51 2012 -> Limits: Files limit set to 10000.
> Mon Aug 20 15:47:51 2012 -> Limits: Core-dump limit is 0.
> Mon Aug 20 15:47:51 2012 -> Archive support enabled.
> Mon Aug 20 15:47:51 2012 -> Algorithmic detection enabled.
> Mon Aug 20 15:47:51 2012 -> Portable Executable support enabled.
> Mon Aug 20 15:47:51 2012 -> ELF support enabled.
> Mon Aug 20 15:47:51 2012 -> Detection of broken executables enabled.
> Mon Aug 20 15:47:52 2012 -> Mail files support enabled.
> Mon Aug 20 15:47:52 2012 -> OLE2 support enabled.
> Mon Aug 20 15:47:52 2012 -> PDF support enabled.
> Mon Aug 20 15:47:52 2012 -> HTML support enabled.
> Mon Aug 20 15:47:52 2012 -> Self checking every 1200 seconds.
> Mon Aug 20 15:47:52 2012 -> Listening daemon: PID: 2124
> Mon Aug 20 15:47:52 2012 -> WARNING: MaxThreads * MaxRecursion is too
> high: 1600, open file descriptor limit is: 1024
> Mon Aug 20 15:47:52 2012 -> WARNING: MaxQueue value too high, lowering to:
> 100
> Mon Aug 20 15:47:52 2012 -> MaxQueue set to: 100
>
> Regards,
> Bill
>
>
>
>
>
>
> Confidentiality Notice: The information contained in this electronic
> transmission is confidential and may be legally privileged. It is intended
> only for the addressee(s) named above. If you are not an intended
> recipient, be aware that any disclosure, copying, distribution or use of
> the information contained in this transmission is prohibited and may be
> unlawful. If you have received this transmission in error, please notify us
> by telephone (513) 229-5500 or by email (postmaster@MedPlus.com). After
> replying, please erase it from your computer system.
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
>

Bill,

The "accept timeout" here is a sign that a thread has spun up but is not
receiving anything. It is listening but no data appears for it to accept.
The number (31310) is the port that the thread was using. You can use that
to compare to logs of your client's behavior.

If you need to extend this timeout value to help debug your issue, the one
that is relevant here is the "CommandReadTimeout" setting in clamd.conf.
You can also check the "StreamMinPort" and "StreamMaxPort" values. From
your settings, it looks like you have set "MaxThreads" to 100.

Hope this helps,

Dave R.

-- 
---
Dave Raynor
Sourcefire Vulnerability Research Team
draynor@sourcefire.com
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic