Hi,
Got a little problem.
I've noticed that sometimes clamd is restarted by monit (monitoring
software).
monit is configured like this:
    check process clamd with pidfile /var/lib/clamav/clamd.pid
        start program = "/etc/init.d/clamd start"
        stop program = "/etc/init.d/clamd stop"
        if failed host 127.0.0.1 port 3310 type tcp proto clamav then restart
monit checks that the process clamd is running, that it listens on port
3310 on localhost and does a clamav protocol check.
The test is as follows, this is in C, code from latest monit 4.8.2:
    /**
     *  Send PING and check for PONG.
     *  If alive return TRUE, else, return FALSE.
     *
     *  @author Debrard Sébastien <[EMAIL PROTECTED]>
     *
     *  @version $Id: clamav.c,v 1.1 2006/08/25 16:28:33 hauk Exp $
     *
     *  @file
     */
    int check_clamav(Socket_T s) {

        char buf[STRLEN];
        const char *ok= "PONG";

        ASSERT(s);

        if(socket_print(s, "PING\r\n") < 0) {
            LogError("CLAMAV: error sending data -- %s\n", STRERROR);
            return FALSE;
        }

        if(!socket_readln(s, buf, sizeof(buf))) {
            LogError("CLAMAV: error receiving data -- %s\n", STRERROR);
            return FALSE;
        }

        Util_chomp(buf);

        if(strncasecmp(buf, ok, strlen(ok)) != 0) {
            LogError("CLAMAV error: %s\n", buf);
            return FALSE;
        }

        return TRUE;
    }
I was alerted by monit that at "Wed, 24 Jan 2007 16:38:10 +0200 on mail
'clamd' failed protocol test [CLAMAV] at INET[127.0.0.1:3310] via TCP"
and clamd was restarted. So I checked the logs as to why this check failed,
from maillog:
...
Jan 24 16:37:27 mail freshclam[3477]: Clamd successfully notified about the update.
Jan 24 16:37:27 mail freshclam[3477]: --------------------------------------
Jan 24 16:38:04 mail clamd[3092]: Reading databases from /var/lib/clamav
... the following line was added by me manually:
Jan 24 16:38:10 mail 'clamd' failed protocol test [CLAMAV] at INET[127.0.0.1:3310] via TCP
Jan 24 16:38:17 mail clamd[21035]: Daemon started.
Jan 24 16:38:17 mail clamd[21035]: clamd daemon 0.88.7 (OS: linux-gnu, ARCH: i386, CPU: i686)
...
So there was an update, freshclam notified clamd and while clamd was
updating itself monit checked clamd, didn't get the expected result
(PONG) and restarted clamd.
While updating the virus database, clamd still listens on port 3310, but
does not return a PONG, correct? If so, what does it return if at all?
It would be nice if we could update the monit clamav check to be compatible
with this situation. I or anybody else can then inform the monit
developers about this problem and the solution for it.
So the big question:
How does clamav answer to a PING while updating/loading the virus db?
or
How do we detect that clamd is not dead, but simply updating its database?
For now, I'll simply disable the clamav protocol test and stick with
only checking the INET socket. But that's a workaround, not a solution.
Thanks,
Alex
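
An added example, not part of the original post and not monit's code: a PING check that reports a connected-but-silent daemon separately from a closed connection or a wrong reply, so a monitor can retry on silence and restart only on a definite failure. The names clamd_state, clamd_ping and simulate are hypothetical, and treating silence as "possibly busy" is an assumption, since the post does not establish what clamd sends while reloading.

```c
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical result codes, not monit's. SILENT = connected, no reply. */
enum clamd_state { CLAMD_ALIVE, CLAMD_SILENT, CLAMD_DEAD, CLAMD_BAD_REPLY };

/* PING an already-connected socket; wait up to timeout_ms per read. */
enum clamd_state clamd_ping(int fd, int timeout_ms) {
    static const char ping[] = "PING\r\n";    /* same bytes monit sends */
    char buf[64];
    size_t used = 0;
    struct pollfd p = { .fd = fd, .events = POLLIN };
    if (send(fd, ping, sizeof ping - 1, MSG_NOSIGNAL) < 0)
        return CLAMD_DEAD;                    /* peer already gone */
    while (used < sizeof buf - 1) {
        int r = poll(&p, 1, timeout_ms);
        if (r == 0)
            return CLAMD_SILENT;              /* listening but not answering */
        if (r < 0)
            return CLAMD_DEAD;
        ssize_t n = recv(fd, buf + used, sizeof buf - 1 - used, 0);
        if (n <= 0)
            return CLAMD_DEAD;                /* EOF or error mid-line */
        used += (size_t)n;
        buf[used] = '\0';
        if (strchr(buf, '\n'))
            break;
    }
    return strncasecmp(buf, "PONG", 4) == 0 ? CLAMD_ALIVE : CLAMD_BAD_REPLY;
}

/* Constructed stand-in for clamd: far end of a socketpair (NULL = silent). */
enum clamd_state simulate(const char *reply, int peer_closes) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return CLAMD_DEAD;
    if (reply && write(sv[1], reply, strlen(reply)) < 0)
        peer_closes = 1;                      /* failed write: treat peer as dead */
    if (peer_closes)
        close(sv[1]);
    enum clamd_state st = clamd_ping(sv[0], 200);
    close(sv[0]);
    if (!peer_closes)
        close(sv[1]);
    return st;
}
```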