Arnaud Huret schrieb: > Dear all, > > We are running a webmail service using ClamAV and get roughtly 30.000 valid > mails/day. > We run home-build SMTP servers calling clamd, emulating the client. > > The problem : > > After running +- 10 minutes, clamd.log reports a first message saying : > 'ERROR: ScanStream: accept timeout' quickly followed other ones. After 1 or > 2 minutes, we get another message : 'ERROR: accept() failed: Too many open > files' and, I guess, clamd does not respond any more. > Need to restart the daemon to restore the service. > > I tried the following tunning : > > 1. Increase the number of threads from 10 to 30 for reducing the queue: no > changes, still errors. > 2. Increase the number of MaxConnectionQueueLength to 30: no changes, still > errors. > > > Other info : > > Clamd runs as non-root user. > Launch script is : /etc/init.d/clamav_daemon start (not modified from > orginal). > ClamAV is currently running and a Debian Woody with 1.5 GB mem on a 2*1Ghz > Intel chassis. > SpamAssassin is also running on this box. Version 3.0.2 standard (Razor, DCC, > ...) > > > Mitigating factors (;-) > > Running the same config on a more powerfull box does not generate the prob > (2*3GH + multithreading) > > clamd.conf : > > #Automatically Generated by clamav-base postinst > #To reconfigure clamd run #dpkg-reconfigure clamav-base > #LocalSocket /var/run/clamav/clamd.ctl > FixStaleSocket > User clamav > AllowSupplementaryGroups > ArchiveMaxRecursion 10 > ArchiveMaxFiles 1500 > ArchiveMaxFileSize 30M > ArchiveMaxCompressionRatio 300 > ArchiveBlockEncrypted > ArchiveBlockMax > ReadTimeout 300 > > #Modified by AH 27/04/2005. Was : 10 > MaxThreads 30 > > MaxConnectionQueueLength 15 > LogFile /var/log/clamav/clamav.log > LogTime > LogFileMaxSize 0 > PidFile /var/run/clamav/clamd.pid > DatabaseDirectory /var/lib/clamav > SelfCheck 3600 > ScanMail > ScanArchive > ScanHTML > ScanOLE2 > ScanPE > TCPSocket 3310 > DetectBrokenExecutables > > #added by AH 27/04/2005 > StreamMaxLength 20M > > > Example of an error report : > > cruella:/var/log# tail -f /var/log/clamav/clamav.log > Wed Apr 27 13:38:17 2005 -> Archive support enabled. > Wed Apr 27 13:38:17 2005 -> Archive: RAR support disabled. > Wed Apr 27 13:38:17 2005 -> Archive: Blocking encrypted archives. > Wed Apr 27 13:38:17 2005 -> Archive: Blocking archives that exceed limits. > Wed Apr 27 13:38:17 2005 -> Portable Executable support enabled. > Wed Apr 27 13:38:17 2005 -> Detection of broken executables enabled. > Wed Apr 27 13:38:17 2005 -> Mail files support enabled. > Wed Apr 27 13:38:17 2005 -> OLE2 support enabled. > Wed Apr 27 13:38:17 2005 -> HTML support enabled. > Wed Apr 27 13:38:17 2005 -> Self checking every 3600 seconds. > Wed Apr 27 13:41:21 2005 -> stream: Exploit.HTML.IFrame FOUND > Wed Apr 27 13:42:42 2005 -> stream: Worm.Bagle.Gen-zippwd FOUND > Wed Apr 27 13:45:09 2005 -> stream: Worm.SomeFool.P FOUND > Wed Apr 27 13:45:29 2005 -> stream: Worm.SomeFool.Q FOUND > Wed Apr 27 13:45:35 2005 -> stream: Worm.Mytob.A FOUND > Wed Apr 27 13:46:00 2005 -> stream: Exploit.HTML.IFrame FOUND > Wed Apr 27 13:47:11 2005 -> stream: Worm.SomeFool.P FOUND > Wed Apr 27 13:48:06 2005 -> ERROR: ScanStream: accept timeout. > Wed Apr 27 13:48:08 2005 -> ERROR: ScanStream: accept timeout. > Wed Apr 27 13:48:08 2005 -> ERROR: ScanStream: accept timeout. > > ... > Wed Apr 27 13:56:06 2005 -> ERROR: accept() failed: Too many open files > Wed Apr 27 13:56:08 2005 -> ERROR: accept() failed: Too many open files > .... > > > > Has anyone faced the same issue before ? > Is there a known way to fix this problem ? > Any advice ? > > > Any help would be greatly appreciated. > Thanks, > > Arnaud Huret > ContactOffice Hi, I've never seen this before, even on busy servers. Which clamav version is this? And where did you get the .deb file (if any) from?
If this happens again you could do an "lsof -p `cat /var/run/clamav/clamd.pid`", this might give some hints if there is some file descriptor leak. Thomas _______________________________________________ http://lurker.clamav.net/list/clamav-users.html
