Mailing List Archive: ClamAV: users

Time out under load

Index | Next | Previous | View Threaded

BBinole at medplus

Aug 22, 2012, 7:14 AM

Post #1 of 2 (512 views)
Permalink

Time out under load

We are seeing this error ERROR: ScanStream 31310: accept timeout. in our clamd log when we test calmd with a load. The failures happen when we have 10 simultaneous connections to clamd. We are stream scanning and are using libclamav-1.0 to construct our java client. I have seen old posts where stream scanning had issues but they were many years old. We are currently running clamd daemon 0.97.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64) . Startup of the daemon is below.

Mon Aug 20 15:47:48 2012 -> +++ Started at Mon Aug 20 15:47:48 2012
Mon Aug 20 15:47:48 2012 -> clamd daemon 0.97.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Mon Aug 20 15:47:48 2012 -> Running as user clamav (UID 471, GID 441)
Mon Aug 20 15:47:48 2012 -> Log file size limited to -1 bytes.
Mon Aug 20 15:47:48 2012 -> Reading databases from /var/clamav
Mon Aug 20 15:47:48 2012 -> Not loading PUA signatures.
Mon Aug 20 15:47:48 2012 -> Bytecode: Security mode set to "TrustSigned".
Mon Aug 20 15:47:51 2012 -> Loaded 1295058 signatures.
Mon Aug 20 15:47:51 2012 -> TCP: Bound to address 172.18.33.70 on port 3310
Mon Aug 20 15:47:51 2012 -> TCP: Setting connection queue length to 200
Mon Aug 20 15:47:51 2012 -> LOCAL: Removing stale socket file /var/run/clamav/clamd.sock
Mon Aug 20 15:47:51 2012 -> LOCAL: Unix socket file /var/run/clamav/clamd.sock
Mon Aug 20 15:47:51 2012 -> LOCAL: Setting connection queue length to 200
Mon Aug 20 15:47:51 2012 -> Limits: Global size limit set to 104857600 bytes.
Mon Aug 20 15:47:51 2012 -> Limits: File size limit set to 26214400 bytes.
Mon Aug 20 15:47:51 2012 -> Limits: Recursion level limit set to 16.
Mon Aug 20 15:47:51 2012 -> Limits: Files limit set to 10000.
Mon Aug 20 15:47:51 2012 -> Limits: Core-dump limit is 0.
Mon Aug 20 15:47:51 2012 -> Archive support enabled.
Mon Aug 20 15:47:51 2012 -> Algorithmic detection enabled.
Mon Aug 20 15:47:51 2012 -> Portable Executable support enabled.
Mon Aug 20 15:47:51 2012 -> ELF support enabled.
Mon Aug 20 15:47:51 2012 -> Detection of broken executables enabled.
Mon Aug 20 15:47:52 2012 -> Mail files support enabled.
Mon Aug 20 15:47:52 2012 -> OLE2 support enabled.
Mon Aug 20 15:47:52 2012 -> PDF support enabled.
Mon Aug 20 15:47:52 2012 -> HTML support enabled.
Mon Aug 20 15:47:52 2012 -> Self checking every 1200 seconds.
Mon Aug 20 15:47:52 2012 -> Listening daemon: PID: 2124
Mon Aug 20 15:47:52 2012 -> WARNING: MaxThreads * MaxRecursion is too high: 1600, open file descriptor limit is: 1024
Mon Aug 20 15:47:52 2012 -> WARNING: MaxQueue value too high, lowering to: 100
Mon Aug 20 15:47:52 2012 -> MaxQueue set to: 100

Regards,
Bill

Confidentiality Notice: The information contained in this electronic transmission is confidential and may be legally privileged. It is intended only for the addressee(s) named above. If you are not an intended recipient, be aware that any disclosure, copying, distribution or use of the information contained in this transmission is prohibited and may be unlawful. If you have received this transmission in error, please notify us by telephone (513) 229-5500 or by email (postmaster [at] MedPlus). After replying, please erase it from your computer system.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

draynor at sourcefire

Aug 22, 2012, 8:47 AM

Post #2 of 2 (503 views)
Permalink

Re: Time out under load [In reply to]

On Wed, Aug 22, 2012 at 10:14 AM, Binole, Bill <BBinole [at] medplus> wrote:

> We are seeing this error ERROR: ScanStream 31310: accept timeout. in our
> clamd log when we test calmd with a load. The failures happen when we
> have 10 simultaneous connections to clamd. We are stream scanning and are
> using libclamav-1.0 to construct our java client. I have seen old posts
> where stream scanning had issues but they were many years old. We are
> currently running clamd daemon 0.97.4 (OS: linux-gnu, ARCH: x86_64, CPU:
> x86_64) . Startup of the daemon is below.
>
>
> Mon Aug 20 15:47:48 2012 -> +++ Started at Mon Aug 20 15:47:48 2012
> Mon Aug 20 15:47:48 2012 -> clamd daemon 0.97.4 (OS: linux-gnu, ARCH:
> x86_64, CPU: x86_64)
> Mon Aug 20 15:47:48 2012 -> Running as user clamav (UID 471, GID 441)
> Mon Aug 20 15:47:48 2012 -> Log file size limited to -1 bytes.
> Mon Aug 20 15:47:48 2012 -> Reading databases from /var/clamav
> Mon Aug 20 15:47:48 2012 -> Not loading PUA signatures.
> Mon Aug 20 15:47:48 2012 -> Bytecode: Security mode set to "TrustSigned".
> Mon Aug 20 15:47:51 2012 -> Loaded 1295058 signatures.
> Mon Aug 20 15:47:51 2012 -> TCP: Bound to address 172.18.33.70 on port 3310
> Mon Aug 20 15:47:51 2012 -> TCP: Setting connection queue length to 200
> Mon Aug 20 15:47:51 2012 -> LOCAL: Removing stale socket file
> /var/run/clamav/clamd.sock
> Mon Aug 20 15:47:51 2012 -> LOCAL: Unix socket file
> /var/run/clamav/clamd.sock
> Mon Aug 20 15:47:51 2012 -> LOCAL: Setting connection queue length to 200
> Mon Aug 20 15:47:51 2012 -> Limits: Global size limit set to 104857600
> bytes.
> Mon Aug 20 15:47:51 2012 -> Limits: File size limit set to 26214400 bytes.
> Mon Aug 20 15:47:51 2012 -> Limits: Recursion level limit set to 16.
> Mon Aug 20 15:47:51 2012 -> Limits: Files limit set to 10000.
> Mon Aug 20 15:47:51 2012 -> Limits: Core-dump limit is 0.
> Mon Aug 20 15:47:51 2012 -> Archive support enabled.
> Mon Aug 20 15:47:51 2012 -> Algorithmic detection enabled.
> Mon Aug 20 15:47:51 2012 -> Portable Executable support enabled.
> Mon Aug 20 15:47:51 2012 -> ELF support enabled.
> Mon Aug 20 15:47:51 2012 -> Detection of broken executables enabled.
> Mon Aug 20 15:47:52 2012 -> Mail files support enabled.
> Mon Aug 20 15:47:52 2012 -> OLE2 support enabled.
> Mon Aug 20 15:47:52 2012 -> PDF support enabled.
> Mon Aug 20 15:47:52 2012 -> HTML support enabled.
> Mon Aug 20 15:47:52 2012 -> Self checking every 1200 seconds.
> Mon Aug 20 15:47:52 2012 -> Listening daemon: PID: 2124
> Mon Aug 20 15:47:52 2012 -> WARNING: MaxThreads * MaxRecursion is too
> high: 1600, open file descriptor limit is: 1024
> Mon Aug 20 15:47:52 2012 -> WARNING: MaxQueue value too high, lowering to:
> 100
> Mon Aug 20 15:47:52 2012 -> MaxQueue set to: 100
>
> Regards,
> Bill
>
>
>
>
>
>
> Confidentiality Notice: The information contained in this electronic
> transmission is confidential and may be legally privileged. It is intended
> only for the addressee(s) named above. If you are not an intended
> recipient, be aware that any disclosure, copying, distribution or use of
> the information contained in this transmission is prohibited and may be
> unlawful. If you have received this transmission in error, please notify us
> by telephone (513) 229-5500 or by email (postmaster [at] MedPlus). After
> replying, please erase it from your computer system.
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
>

Bill,

The "accept timeout" here is a sign that a thread has spun up but is not
receiving anything. It is listening but no data appears for it to accept.
The number (31310) is the port that the thread was using. You can use that
to compare to logs of your client's behavior.

If you need to extend this timeout value to help debug your issue, the one
that is relevant here is the "CommandReadTimeout" setting in clamd.conf.
You can also check the "StreamMinPort" and "StreamMaxPort" values. From
your settings, it looks like you have set "MaxThreads" to 100.

Hope this helps,

Dave R.

--
---
Dave Raynor
Sourcefire Vulnerability Research Team
draynor [at] sourcefire
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads