That seems like a good approach to me.

First, we would want to change the order of operations a bit so we fork (both times) before loading the database. I'm pretty sure that as it is written now, it loads over 500MB worth of signature database content into RAM and then forks, temporarily resulting in over 1000MB of ram consumed until the parent process exits. That all seems doable though.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Sep 24, 2018, at 6:31 AM, Mark Fortescue <***@thurning-instruments.co.uk<mailto:***@thurning-instruments.co.uk>> wrote:

Hi Micah,

Can you not have a two part demon process. Part one fork's the real demon and then waits for it to die (with 'wait()').
On death of the child, it cleans up and exits. Yes I know it is not quite as simple as that. It will have to have signal handlers etc. to kill the child etc. and should also have logging.

It would have to be built into 'clamd' as 'clamd' should already be doing things to become a demon process and this additional 'fork' would need to be after all that has been done.

Regards
Mark.

On 21/09/18 09:49, Karl Pielorz wrote:


--On 20 September 2018 15:44 +0000 "Micah Snyder (micasnyd)"
<***@cisco.com<mailto:***@cisco.com>> wrote:

Clamd has a FixStaleSocket option that is default on.
FixStaleSocket will unlink the lingering stale socket and bind again if
it failed to bind when restarting clamd.

Hi, yeah - I saw that option.

I all ears if anyone knows of a better way to remove the stale socket on
death instead of on startup. As Ged Haywood suggested, your best option
may be to have an ad-hoc watchdog script monitor clamd and kill the
socket if clamd become unresponsive for too long.

Being simplistic, a sigsegv handler? :) [simplistic as it just fixes my
case ]

That said, if you figure out which file was killing clamd, I'd love to
have a sample so I can try to fix the bug. It would be very helpful.

I'd love to be able to do that - but the usual 'needle in a haystack',
and that fact it's very intermittent isn't helping us much (nor the fact
it gets delivered if it fails during the scan) - if I find it, you'll be
the 2nd person to know :) - I am still looking. I guess turning on
coredumps might provide some info captured to disk - I'll post anything
I find.

Thanks,

-Kp
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net<mailto:clamav-***@lists.clamav.net>
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

--On 24 September 2018 11:31 +0100 Mark Fortescue
Anything which fixes the issue (and this sounds like it would) gets my
vote. I think it's compounded by the fact that clamd doesn't offer up any
connection 'banner' or anything - i.e. for the local unix domain socket you
connect, and push data - that's it. It's not like you connect, wait for
'greeting' - then send data.

This also makes it hard to implement timeouts. I'm currently looking at
something that will check clamd is running, before the connect (i.e. PID
wise) - but that, or "running it from another script" are all kind of
band-aids - compared to something like the above...

fwiw - Hacking a sigsegv handler into it to remove the file, seemed to work
- but that's a very specific "hack", again, compared to the above (and
means we have to build from source + patch, not pkg on FreeBSD)

-Kp
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml