1

Topic: CentOS 7-1908 ClamAV high cpu load 100%

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9 OPENLDAP edition and 1.0-beta2 OPENLDAP edition
- Deployed with iRedMail downloadable installer?
- Linux/BSD distribution name and version: CentOS 7-1908 latest
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? yes and before upgrade to iredadmin-pro
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hi.

I have seen that clamav causes a high CPU load on my iRedMail server; I have tried installing a new server as well as the old one.
I googled it and everybody says memory, but I have 4 GB memory and I run it as a VM in XenServer 8.

I have tried different things and nothing helps; I don't want to disable the spam/virus check.

and clam is not coming so long so that make socks file.

looks like this in top command:
  2813 amavis    20   0  519016 410708   3276 R 100.0 10.2   0:38.65 clamd

Oct 23 22:47:34 mail amavis[2115]: Using primary internal av scanner code for clamav-socket
Oct 23 22:47:34 mail amavis[2115]: Found secondary av scanner clamav-clamscan at /usr/bin/clamscan
Oct 23 22:47:38 mail amavis[2284]: (!)policy protocol: INVALID AM.PDP ATTRIBUTE LINE: POST / HTTP/1.1\r\n
Oct 23 22:47:38 mail amavis[2284]: (!!)policy_server FAILED: Missing 'request' field at (eval 127) line 197, <GEN21> line 7.
Oct 23 22:47:39 mail amavis[2285]: (!)policy protocol: INVALID AM.PDP ATTRIBUTE LINE: POST / HTTP/1.1\r\n
Oct 23 22:47:39 mail amavis[2285]: (!!)policy_server FAILED: Missing 'request' field at (eval 127) line 197, <GEN21> line 7.
Oct 23 22:47:40 mail amavis[2284]: (!)policy protocol: INVALID AM.PDP ATTRIBUTE LINE: [{"version": "1.1", "params": [], "id": 0, "method": "getmempoolinfo"}, {"version": "1.1", "params": [], "id": 1, "method": "getnetworkinfo"}, {"version": "1.1", "params": [], "id": 2, "method": "getblockchaininfo"}, {"version": "1.1", "params": [], "id": 3, "method": "getmemoryinfo"}, {"version": "1.1", "params": [], "id": 4, "method": "gettxoutsetinfo"}]
Oct 23 22:47:40 mail amavis[2285]: (!)policy protocol: INVALID AM.PDP ATTRIBUTE LINE: [{"version": "1.1", "params": [], "id": 0, "method": "getmempoolinfo"}, {"version": "1.1", "params": [], "id": 1, "method": "getnetworkinfo"}, {"version": "1.1", "params": [], "id": 2, "method": "getblockchaininfo"}, {"version": "1.1", "params": [], "id": 3, "method": "getmemoryinfo"}, {"version": "1.1", "params": [], "id": 4, "method": "gettxoutsetinfo"}]
Oct 23 22:48:52 mail clamd[2393]: Received 0 file descriptor(s) from systemd.
Oct 23 22:48:52 mail clamd[2393]: clamd daemon 0.101.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Oct 23 22:48:52 mail clamd[2393]: Running as user amavis (UID 990, GID 987)
Oct 23 22:48:52 mail clamd[2393]: Log file size limited to 1048576 bytes.
Oct 23 22:48:52 mail clamd[2393]: Reading databases from /var/lib/clamav
Oct 23 22:48:52 mail clamd[2393]: Not loading PUA signatures.
Oct 23 22:48:52 mail clamd[2393]: Bytecode: Security mode set to "TrustSigned".
Oct 23 22:50:23 mail clamd[2455]: Received 0 file descriptor(s) from systemd.
Oct 23 22:50:23 mail clamd[2455]: clamd daemon 0.101.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Oct 23 22:50:23 mail clamd[2455]: Running as user amavis (UID 990, GID 987)
Oct 23 22:50:23 mail clamd[2455]: Log file size limited to 1048576 bytes.
Oct 23 22:50:23 mail clamd[2455]: Reading databases from /var/lib/clamav
Oct 23 22:50:23 mail clamd[2455]: Not loading PUA signatures.
Oct 23 22:50:23 mail clamd[2455]: Bytecode: Security mode set to "TrustSigned".

So what should I do to fix it?
If you need some more information, tell me, so I can fix it.

best regards bjorne j.


2

Re: CentOS 7-1908 ClamAV high cpu load 100%

in /var/log/message:
Oct 24 05:35:01 mail systemd: Created slice User Slice of sogo.
Oct 24 05:35:01 mail systemd: Started Session 458 of user sogo.
Oct 24 05:35:02 mail systemd: Removed slice User Slice of sogo.
Oct 24 05:36:01 mail systemd: Created slice User Slice of sogo.
Oct 24 05:36:01 mail systemd: Started Session 459 of user sogo.
Oct 24 05:36:01 mail systemd: Removed slice User Slice of sogo.
Oct 24 05:36:04 mail systemd: clamd@amavisd.service start operation timed out. Terminating.
Oct 24 05:36:04 mail systemd: Failed to start clamd scanner (amavisd) daemon.
Oct 24 05:36:04 mail systemd: Unit clamd@amavisd.service entered failed state.
Oct 24 05:36:04 mail systemd: clamd@amavisd.service failed.
Oct 24 05:36:04 mail systemd: clamd@amavisd.service holdoff time over, scheduling restart.
Oct 24 05:36:04 mail systemd: Stopped clamd scanner (amavisd) daemon.
Oct 24 05:36:04 mail systemd: Starting clamd scanner (amavisd) daemon...
Oct 24 05:36:04 mail clamd: WARNING: Ignoring deprecated option AllowSupplementaryGroups at /etc/clamd.d/amavisd.conf:21
Oct 24 05:37:01 mail systemd: Created slice User Slice of sogo.
Oct 24 05:37:01 mail systemd: Started Session 460 of user sogo.
Oct 24 05:37:02 mail systemd: Removed slice User Slice of sogo.

3

Re: CentOS 7-1908 ClamAV high cpu load 100%

How much concurrently processed mails do you set in Amavisd and Postfix? Try to reduce it by following our tutorial here:
https://docs.iredmail.org/concurrent.processing.html

With 4GB memory, setting the concurrent number to 2 will be better.

4

Re: CentOS 7-1908 ClamAV high cpu load 100%

I have 10 and have also tried taking it down to 4, with the same result. In 0.9.9 it is 10; the new install of 1.0, unchanged directly after install, has the same issue, and that has 4 as the default.

best regards bjorne

5 (edited by bjorne 2019-10-24 18:45:49)

Re: CentOS 7-1908 ClamAV high cpu load 100%

I took it down to 2 and the same issue: high CPU load, 100%.

best regards bjorne

6

Re: CentOS 7-1908 ClamAV high cpu load 100%

I have given it 16 GB memory; same issue, with 2 processes.

best regards bjorne

7

Re: CentOS 7-1908 ClamAV high cpu load 100%

Try this:

- remove all existing clamav virus signature database files under /var/lib/clamav/
- run "freshclam --debug" to fetch/update them
- restart clamd service

Note: please pay some attention to the program names in top, is it "clamd" or "clamscan" that takes 100% CPU load?

clamscan is a command line scanner; it always uses high CPU because it loads the signature database every time it starts. We need to make sure the "clamd" daemon is running; it takes far fewer system resources because it loads the database once at daemon start and uses it for all further requests.

8 (edited by Bronko 2019-11-19 21:04:17)

Re: CentOS 7-1908 ClamAV high cpu load 100%

Hi, same here on my server since update CentOS 7.6 -> 7.7

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: CentOS Linux release 7.7.1908 (Core)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? no
- Related log if you're reporting an issue: /var/log/maillog
====

- stopped services 'amavisd' and 'clamd@amavisd.service'
- removed all files in /var/lib/clamav/
- run "freshclam --debug"

# freshclam --debug
ClamAV update process started at Mon Nov 18 22:07:11 2019
Downloading main.cvd [100%]
LibClamAV debug: Initialized 0.101.4 engine
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 57462fd73f1cfdb356b9dca66da2b732
LibClamAV debug: cli_versig: Decoded signature: 57462fd73f1cfdb356b9dca66da2b732
LibClamAV debug: cli_versig: Digital signature is correct.
LibClamAV debug: in cli_tgzload()
LibClamAV debug: main.info loaded
LibClamAV debug: in cli_tgzload_cleanup()
LibClamAV debug: in cli_tgzload()
LibClamAV debug: in cli_tgzload_cleanup()
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Phishcheck cleaned up
ERROR: During database load : LibClamAV debug: Initialized 0.101.4 engine [...] LibClamAV debug: Phishcheck cleaned up
WARNING: Database successfully loaded, but there is stderr output
main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Downloading daily.cvd [100%]
LibClamAV debug: Initialized 0.101.4 engine
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = d4a13f97a4aa09ebb26669622e46d49e
LibClamAV debug: cli_versig: Decoded signature: d4a13f97a4aa09ebb26669622e46d49e
LibClamAV debug: cli_versig: Digital signature is correct.
LibClamAV debug: in cli_tgzload()
LibClamAV debug: daily.info loaded
LibClamAV debug: in cli_tgzload_cleanup()
LibClamAV debug: in cli_tgzload()
LibClamAV debug: in cli_tgzload_cleanup()
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Phishcheck cleaned up
ERROR: During database load : LibClamAV debug: Initialized 0.101.4 engine [...] LibClamAV debug: Phishcheck cleaned up
WARNING: Database successfully loaded, but there is stderr output
daily.cvd updated (version: 25637, sigs: 1996475, f-level: 63, builder: raynman)
Downloading bytecode.cvd [100%]
LibClamAV debug: Initialized 0.101.4 engine
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 07b42b8527b2c82d7236bbc32458e245
LibClamAV debug: cli_versig: Decoded signature: 07b42b8527b2c82d7236bbc32458e245
LibClamAV debug: cli_versig: Digital signature is correct.
LibClamAV debug: in cli_tgzload()
LibClamAV debug: bytecode.info loaded
LibClamAV debug: in cli_tgzload_cleanup()
LibClamAV debug: in cli_tgzload()
LibClamAV debug: in cli_tgzload_cleanup()
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Phishcheck cleaned up
ERROR: During database load : LibClamAV debug: Initialized 0.101.4 engine [...] LibClamAV debug: Phishcheck cleaned up
WARNING: Database successfully loaded, but there is stderr output
bytecode.cvd updated (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
LibClamAV debug: Initialized 0.101.4 engine
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 57462fd73f1cfdb356b9dca66da2b732
LibClamAV debug: cli_versig: Decoded signature: 57462fd73f1cfdb356b9dca66da2b732
LibClamAV debug: cli_versig: Digital signature is correct.
LibClamAV debug: in cli_tgzload()
LibClamAV debug: main.info loaded
LibClamAV debug: in cli_tgzload_cleanup()
LibClamAV debug: in cli_tgzload()
LibClamAV debug: in cli_tgzload_cleanup()
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Phishcheck cleaned up
LibClamAV debug: Initialized 0.101.4 engine
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = d4a13f97a4aa09ebb26669622e46d49e
LibClamAV debug: cli_versig: Decoded signature: d4a13f97a4aa09ebb26669622e46d49e
LibClamAV debug: cli_versig: Digital signature is correct.
LibClamAV debug: in cli_tgzload()
LibClamAV debug: daily.info loaded
LibClamAV debug: in cli_tgzload_cleanup()
LibClamAV debug: in cli_tgzload()
LibClamAV debug: in cli_tgzload_cleanup()
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Phishcheck cleaned up
LibClamAV debug: Initialized 0.101.4 engine
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 07b42b8527b2c82d7236bbc32458e245
LibClamAV debug: cli_versig: Decoded signature: 07b42b8527b2c82d7236bbc32458e245
LibClamAV debug: cli_versig: Digital signature is correct.
LibClamAV debug: in cli_tgzload()
LibClamAV debug: bytecode.info loaded
LibClamAV debug: in cli_tgzload_cleanup()
LibClamAV debug: in cli_tgzload()
LibClamAV debug: in cli_tgzload_cleanup()
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Phishcheck cleaned up
Database updated (6562818 signatures) from database.clamav.net (IP: 104.16.218.84)

All new files in place now:

# ls -lah /var/lib/clamav/
total 164M
drwxr-xr-x   2 clamupdate clamupdate   78 Nov 18 22:10 .
drwxr-xr-x. 42 root       root       4.0K Nov 18 22:02 ..
-rw-r--r--   1 clamupdate clamupdate 290K Nov 18 22:10 bytecode.cvd
-rw-r--r--   1 clamupdate clamupdate  52M Nov 18 22:07 daily.cvd
-rw-r--r--   1 clamupdate clamupdate 113M Nov 18 22:07 main.cvd
-rw-------   1 clamupdate clamupdate   64 Nov 18 22:10 mirrors.dat

Server rebooted afterwards and same as before. Screenshot directly after reboot.
(Please check post below)

https://i.ibb.co/f9KNzR3/WPAah6k.png


Any hints for me?

9

Re: CentOS 7-1908 ClamAV high cpu load 100%

The process is "clamscan", not "clamd".

- clamd is a daemon and amavisd talks to it via a unix socket. It loads files under /var/lib/clamav/ when it starts, then scans emails with the loaded files.
- clamscan is a one-shot command; it loads all files under /var/lib/clamav/ each time it launches, so it takes a long time and causes high CPU usage.

Try this:

- stop amavisd and clamd@amavisd services first
- wait for clamscan to finish (or kill them if you don't want to wait)
- start clamd@amavisd. Make sure clamd socket path exists.
- start amavisd service.

btw, how much RAM does this server have?

10 (edited by Bronko 2019-11-19 17:35:33)

Re: CentOS 7-1908 ClamAV high cpu load 100%

Thanks for your reply.

This is what htop is showing after some hours of rebooting, mostly clamd is consuming CPU load.
(Screenshot above shows directly after reboot)

https://i.ibb.co/883rmCr/Screenshot-from-2019-11-19-07-55-10.png

As you can see, server has 6GB of RAM.

OK, I did exactly what you proposed:

# systemctl stop amavisd
# systemctl stop clamd@amavisd.service
# systemctl start clamd@amavisd.service
Job for clamd@amavisd.service failed because a timeout was exceeded. See "systemctl status clamd@amavisd.service" and "journalctl -xe" for details.

# systemctl status clamd@amavisd.service
● clamd@amavisd.service - clamd scanner (amavisd) daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@.service; enabled; vendor preset: disabled)
   Active: activating (start) since Di 2019-11-19 08:06:49 CET; 25s ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/
  Control: 10071 (clamd)
   CGroup: /system.slice/system-clamd.slice/clamd@amavisd.service
           └─10071 /usr/sbin/clamd -c /etc/clamd.d/amavisd.conf

Nov 19 08:06:49 server.domain systemd[1]: Starting clamd scanner (amavisd) daemon...
Nov 19 08:06:49 server.domain clamd[10071]: Received 0 file descriptor(s) from systemd.
Nov 19 08:06:49 server.domain clamd[10071]: clamd daemon 0.101.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Nov 19 08:06:49 server.domain clamd[10071]: Running as user amavis (UID 992, GID 990)
Nov 19 08:06:49 server.domain clamd[10071]: Log file size limited to 1048576 bytes.
Nov 19 08:06:49 server.domain clamd[10071]: Reading databases from /var/lib/clamav
Nov 19 08:06:49 server.domain clamd[10071]: Not loading PUA signatures.
Nov 19 08:06:49 server.domain clamd[10071]: Bytecode: Security mode set to "TrustSigned".
# netstat --listen |grep clamd
# netstat --listen |grep amavis
unix  2      [ ACC ]     STREAM     LISTENING     21417    private/smtp-amavis
# systemctl start amavisd
# netstat --listen |grep amavis
unix  2      [ ACC ]     STREAM     LISTENING     21417    private/smtp-amavis
unix  2      [ ACC ]     STREAM     LISTENING     134568   /var/run/amavisd/amavisd.sock

Let's check amavisd.conf:

# cat /etc/clamd.d/amavisd.conf
# Use system logger.
LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
LogFacility LOG_MAIL

# This option allows you to save a process identifier of the listening
# daemon (main thread).
PidFile /var/run/clamd.amavisd/clamd.pid

# Remove stale socket after unclean shutdown.
# Default: disabled
FixStaleSocket yes

# Run as a selected user (clamd must be started by root).
User amavis

# Path to a local socket file the daemon will listen on.
LocalSocket /var/run/clamd.amavisd/clamd.socket

# ls -la /var/run/clamd.amavisd/
total 0
drwxrwx---  2 amavis clamupdate   40 18. Nov 23:36 .
drwxr-xr-x 38 root   root       1040 19. Nov 08:12 ..

No clamd socket exists.

maillog:


Nov 19 09:04:51 post amavis[10321]: (10321-01) (!)connect to /var/run/clamd.amavisd/clamd.socket failed, attempt #1: Can't connect to a UNIX socket /var/run/clamd.amavisd/clamd.socket: No such file or directory
Nov 19 09:04:51 post amavis[10320]: (10320-01) (!)connect to /var/run/clamd.amavisd/clamd.socket failed, attempt #1: Can't connect to a UNIX socket /var/run/clamd.amavisd/clamd.socket: No such file or directory
Nov 19 09:04:52 post amavis[10321]: (10321-01) (!)connect to /var/run/clamd.amavisd/clamd.socket failed, attempt #1: Can't connect to a UNIX socket /var/run/clamd.amavisd/clamd.socket: No such file or directory
Nov 19 09:04:52 post amavis[10321]: (10321-01) (!)ClamAV-clamd: All attempts (1) failed connecting to /var/run/clamd.amavisd/clamd.socket, retrying (2)
Nov 19 09:04:52 post amavis[10320]: (10320-01) (!)connect to /var/run/clamd.amavisd/clamd.socket failed, attempt #1: Can't connect to a UNIX socket /var/run/clamd.amavisd/clamd.socket: No such file or directory
Nov 19 09:04:52 post amavis[10320]: (10320-01) (!)ClamAV-clamd: All attempts (1) failed connecting to /var/run/clamd.amavisd/clamd.socket, retrying (2)
Nov 19 09:04:58 post amavis[10321]: (10321-01) (!)connect to /var/run/clamd.amavisd/clamd.socket failed, attempt #1: Can't connect to a UNIX socket /var/run/clamd.amavisd/clamd.socket: No such file or directory
Nov 19 09:04:58 post amavis[10321]: (10321-01) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamd.amavisd/clamd.socket (All attempts (1) failed connecting to /var/run/clamd.amavisd/clamd.socket) at (eval 135) line 659.\n

My server has been running for 4 years in this setup and has gone through all CentOS updates. As mentioned before, this issue came up with the last major update 7.6 -> 7.7.


Do you have further assistance for me?

Found same issue here but no solution...

11 (edited by Bronko 2019-11-20 03:04:42)

Re: CentOS 7-1908 ClamAV high cpu load 100%

It seems I found the solution here. Thanks to centos.org/forums

The post is about slow CPUs on a slow VPS, like my instance at a VPS provider.

The default timeout for 'clamd@.service' seems to be too low (10s only?):

maillog:

Nov 19 10:00:05 post clamd[11938]: Received 0 file descriptor(s) from systemd.
Nov 19 10:00:05 post clamd[11938]: clamd daemon 0.101.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Nov 19 10:00:05 post clamd[11938]: Running as user amavis (UID 992, GID 990)
Nov 19 10:00:05 post clamd[11938]: Log file size limited to 1048576 bytes.
Nov 19 10:00:05 post clamd[11938]: Reading databases from /var/lib/clamav
Nov 19 10:00:05 post clamd[11938]: Not loading PUA signatures.
Nov 19 10:00:05 post clamd[11938]: Bytecode: Security mode set to "TrustSigned".
Nov 19 10:00:16 post amavis[10321]: (10321-02) (!)terminating process [11867] running ClamAV-clamscan (reason: on reading: timed out)
Nov 19 10:00:17 post amavis[10321]: (10321-02) (!)process [11867] running ClamAV-clamscan is still alive, using a bigger hammer (SIGKILL)
Nov 19 10:00:17 post amavis[10321]: (10321-02) (!)run_av (ClamAV-clamscan): collect_results - reading aborted: timed out at /usr/sbin/amavisd line 5115.
Nov 19 10:00:17 post amavis[10321]: (10321-02) (!)ClamAV-clamscan av-scanner FAILED: run_av error: Exceeded allowed time\n
Nov 19 10:00:17 post amavis[10321]: (10321-02) (!!)AV: ALL VIRUS SCANNERS FAILED

Added new 'TimeoutSec = 180' value to service file:

# cat  /usr/lib/systemd/system/clamd@.service 
[Unit]
Description = clamd scanner (%i) daemon
Documentation=man:clamd(8) man:clamd.conf(5) https://www.clamav.net/documents/
# Check for database existence
# ConditionPathExistsGlob=@DBDIR@/main.{c[vl]d,inc}
# ConditionPathExistsGlob=@DBDIR@/daily.{c[vl]d,inc}
After = syslog.target nss-lookup.target network.target

[Service]
Type = forking
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf
Restart = on-failure
TimeoutSec = 180

# systemctl daemon-reload
# systemctl start clamd@amavisd.service

maillog:

Nov 19 10:29:14 post clamd[12611]: Received 0 file descriptor(s) from systemd.
Nov 19 10:29:14 post clamd[12611]: clamd daemon 0.101.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Nov 19 10:29:14 post clamd[12611]: Running as user amavis (UID 992, GID 990)
Nov 19 10:29:14 post clamd[12611]: Log file size limited to 1048576 bytes.
Nov 19 10:29:14 post clamd[12611]: Reading databases from /var/lib/clamav
Nov 19 10:29:14 post clamd[12611]: Not loading PUA signatures.
Nov 19 10:29:14 post clamd[12611]: Bytecode: Security mode set to "TrustSigned".
Nov 19 10:31:56 post clamd[12611]: Loaded 6551688 signatures.
Nov 19 10:31:59 post clamd[12611]: LOCAL: Unix socket file /var/run/clamd.amavisd/clamd.socket
Nov 19 10:31:59 post clamd[12611]: LOCAL: Setting connection queue length to 200
Nov 19 10:31:59 post clamd[12665]: Limits: Global time limit set to 120000 milliseconds.
Nov 19 10:31:59 post clamd[12665]: Limits: Global size limit set to 104857600 bytes.
Nov 19 10:31:59 post clamd[12665]: Limits: File size limit set to 26214400 bytes.
Nov 19 10:31:59 post clamd[12665]: Limits: Recursion level limit set to 16.
Nov 19 10:31:59 post clamd[12665]: Limits: Files limit set to 10000.
Nov 19 10:31:59 post clamd[12665]: Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Nov 19 10:31:59 post clamd[12665]: Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Nov 19 10:31:59 post clamd[12665]: Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Nov 19 10:31:59 post clamd[12665]: Limits: MaxScriptNormalize limit set to 5242880 bytes.
Nov 19 10:31:59 post clamd[12665]: Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Nov 19 10:31:59 post clamd[12665]: Limits: MaxPartitions limit set to 50.
Nov 19 10:31:59 post clamd[12665]: Limits: MaxIconsPE limit set to 100.
Nov 19 10:31:59 post clamd[12665]: Limits: MaxRecHWP3 limit set to 16.
Nov 19 10:31:59 post clamd[12665]: Limits: PCREMatchLimit limit set to 100000.
Nov 19 10:31:59 post clamd[12665]: Limits: PCRERecMatchLimit limit set to 2000.
Nov 19 10:31:59 post clamd[12665]: Limits: PCREMaxFileSize limit set to 26214400.
Nov 19 10:31:59 post clamd[12665]: Archive support enabled.
Nov 19 10:31:59 post clamd[12665]: AlertExceedsMax heuristic detection disabled.
Nov 19 10:31:59 post clamd[12665]: Heuristic alerts enabled.
Nov 19 10:31:59 post clamd[12665]: Portable Executable support enabled.
Nov 19 10:31:59 post clamd[12665]: ELF support enabled.
Nov 19 10:31:59 post clamd[12665]: Mail files support enabled.
Nov 19 10:31:59 post clamd[12665]: OLE2 support enabled.
Nov 19 10:31:59 post clamd[12665]: PDF support enabled.
Nov 19 10:31:59 post clamd[12665]: SWF support enabled.
Nov 19 10:31:59 post clamd[12665]: HTML support enabled.
Nov 19 10:31:59 post clamd[12665]: XMLDOCS support enabled.
Nov 19 10:31:59 post clamd[12665]: HWP3 support enabled.
Nov 19 10:31:59 post clamd[12665]: Self checking every 600 seconds.

Wow, we need 162s to load 6551688 signatures...

Now the socket is created:

# ls -la /var/run/clamd.amavisd/
total 4
drwxrwx---  2 amavis clamupdate   80 19. Nov 10:31 .
drwxr-xr-x 38 root   root       1040 19. Nov 11:07 ..
-rw-rw-r--  1 amavis amavis        6 19. Nov 10:31 clamd.pid
srw-rw-rw-  1 amavis amavis        0 19. Nov 10:31 clamd.socket

And everything runs like a charm.
Maybe it is a good idea to increase the 'TimeoutSec' value, since 162s is a little bit too sharp on 180s.

Hope it will help everybody running into the same issue to have a copy of it posted here too.
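
Added example (not part of the original thread and not iRedMail or ClamAV code): a Python check that reads clamd syslog lines like those in the post above, measures for each start attempt the time from "Reading databases" until the socket is created, and compares it with the unit's TimeoutSec. The sample lines are constructed from the log lines in the thread; the function names and the headroom factor of 2 are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the syslog format shown in the thread. PID 11938 never
# gets past database loading; PID 12611 is the start that succeeded once
# TimeoutSec had been raised.
SAMPLE_LOG = """\
Nov 19 10:00:05 post clamd[11938]: Reading databases from /var/lib/clamav
Nov 19 10:00:16 post amavis[10321]: (10321-02) (!)terminating process [11867] running ClamAV-clamscan (reason: on reading: timed out)
Nov 19 10:29:14 post clamd[12611]: Reading databases from /var/lib/clamav
Nov 19 10:31:56 post clamd[12611]: Loaded 6551688 signatures.
Nov 19 10:31:59 post clamd[12611]: LOCAL: Unix socket file /var/run/clamd.amavisd/clamd.socket
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+clamd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)


def parse_ts(text, year):
    # Classic syslog timestamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def clamd_starts(log_text, year=2019):
    """Return one record per clamd PID that began loading the databases."""
    starts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other daemons (amavis, systemd) are ignored
        pid, msg, ts = int(m["pid"]), m["msg"], parse_ts(m["ts"], year)
        if msg.startswith("Reading databases from"):
            starts[pid] = {"pid": pid, "begin": ts,
                           "signatures": None, "ready_after": None}
        elif pid not in starts:
            continue
        elif sig := re.match(r"Loaded (\d+) signatures", msg):
            starts[pid]["signatures"] = int(sig[1])
        elif msg.startswith("LOCAL: Unix socket file"):
            if ts < starts[pid]["begin"]:  # log crossed New Year
                ts = ts.replace(year=ts.year + 1)
            delta = ts - starts[pid]["begin"]
            starts[pid]["ready_after"] = int(delta.total_seconds())
    return list(starts.values())


def recommend_timeout(starts, current_timeout, headroom=2.0):
    """Compare observed start-up times with the unit's TimeoutSec.

    headroom is an assumed safety factor, not a value from the thread.
    A PID listed in never_ready_pids was killed or was still loading
    when the log ended.
    """
    ready = [s["ready_after"] for s in starts if s["ready_after"] is not None]
    slowest = max(ready, default=None)
    return {
        "slowest_ready_s": slowest,
        "never_ready_pids": [s["pid"] for s in starts if s["ready_after"] is None],
        "margin_s": None if slowest is None else current_timeout - slowest,
        "suggested_timeout_s": None if slowest is None
        else max(current_timeout, int(slowest * headroom)),
    }


if __name__ == "__main__":
    observed = clamd_starts(SAMPLE_LOG)
    for timeout in (180, 600):
        print(timeout, recommend_timeout(observed, timeout))
```

On these lines the socket appears 165 s after the start of loading, three seconds after the "Loaded ... signatures" message, so the margin against TimeoutSec = 180 is 15 s.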

12

Re: CentOS 7-1908 ClamAV high cpu load 100%

@ZhangHuangbin

What do you think about the last post in the thread from above, regarding:

Maybe I'm missing something, but these tutorials all seem to over-complicate this - amavisd calls clam on demand I believe, rather than having it run all of the time. Are there advantages to having clamd run constantly?

13

Re: CentOS 7-1908 ClamAV high cpu load 100%

Bronko wrote:

What do you think about the last post in the thread from above, regarding:

Maybe I'm missing something, but these tutorials all seem to over-complicate this - amavisd calls clam on demand I believe, rather than having it run all of the time. Are there advantages to having clamd run constantly?

I answered in my FIRST reply (to your question) in this thread.
https://forum.iredmail.org/post71618.html#p71618

14 (edited by Bronko 2019-11-19 21:47:10)

Re: CentOS 7-1908 ClamAV high cpu load 100%

ZhangHuangbin wrote:

I answered in my FIRST reply (to your question) in this thread.
https://forum.iredmail.org/post71618.html#p71618

For sure, you explained normal behavior, but come on, after over 10 years of joining your project, the post from centos.org/forums assumed to handle clamav environment a little bit simpler...

Is it possible, and much more interesting: what do you think about these time-critical circumstances?
Maybe there are a lot of people running their own mail server inside a VPS solution, and why does it take effect after the upgrade 7.6 -> 7.7 (talking to myself here ;-)

15

Re: CentOS 7-1908 ClamAV high cpu load 100%

Bronko wrote:

Maybe it is a good idea to increase the 'TimeoutSec' value, since 162s is a little bit too sharp on 180s.

Fixed in iRedMail a moment ago. This was fixed in iRedMail Easy weeks ago, but I forgot to backport it to iRedMail.
Thanks for the feedback.

Bronko wrote:

Maybe there are a lot of people running their own mail server inside a VPS solution, and why does it take effect after the upgrade 7.6 -> 7.7 (talking to myself here ;-)

I didn't dive into the issue of failure after upgrading to 7.7, sorry.

16

Re: CentOS 7-1908 ClamAV high cpu load 100%

ZhangHuangbin wrote:
Bronko wrote:

Maybe it is a good idea to increase the 'TimeoutSec' value, since 162s is a little bit too sharp on 180s.

Fixed in iRedMail a moment ago. This was fixed in iRedMail Easy weeks ago, but I forgot to backport it to iRedMail.
Thanks for the feedback.

For my iredmail-release 0.9.7 setup the 'TimeoutSec' value wasn't in place, and the 162s to 180s relation is owed more to my special VPS resources and circumstances. Finally I set 'TimeoutSec=200'.

ZhangHuangbin wrote:
Bronko wrote:

Maybe there are a lot of people running their own mail server inside a VPS solution, and why does it take effect after the upgrade 7.6 -> 7.7 (talking to myself here ;-)

I didn't dive into the issue of failure after upgrading to 7.7, sorry.

Certainly, that's what the community's for.
Thanks for all.

17

Re: CentOS 7-1908 ClamAV high cpu load 100%

Bronko wrote:

For my iredmail-release 0.9.7 setup the 'TimeoutSec' value wasn't in place, and the 162s to 180s relation is owed more to my special VPS resources and circumstances. Finally I set 'TimeoutSec=200'.

You should create /etc/systemd/system/clamd@amavisd.service.d/override.conf and add the 2 lines below to it:

[Service]
TimeoutSec = 600

18

Re: CentOS 7-1908 ClamAV high cpu load 100%

ZhangHuangbin wrote:

You should create /etc/systemd/system/clamd@amavisd.service.d/override.conf and add the 2 lines below to it:

[Service]
TimeoutSec = 600

Thanks, switched over to your proposal, much cleaner and more transparent.