freshclam spinning off zombie procs

On the face of it, I'm not overly concerned; but since the last upgrade of clamav (0.96.5), freshclam has been generating zombie processes (roughly one per day). Eventually enough accrue that Nagios notices. Restarting the freshclam daemon clears everything out. The only clue I have is from /var/log/clamav/freshclam.log:

Code:
 ** ericx@olivia ** ~ ** Fri Dec 10 10:13:38
$ grep -i warning /var/log/clamav/freshclam.log
      ...
Wed Dec  8 20:53:06 2010 -> WARNING: waitpid() failed: Interrupted system call
Thu Dec  9 00:53:07 2010 -> WARNING: waitpid() failed: Interrupted system call
Thu Dec  9 20:53:10 2010 -> WARNING: waitpid() failed: Interrupted system call
Fri Dec 10 00:53:12 2010 -> WARNING: waitpid() failed: Interrupted system call

This is happening on 6 or seven servers, most of which are running some variant of 8.1-RELEASE.

Anyone seen this before?
 
Same problem here.

On 6.2-RELEASE and 6.3-RELEASE with ClamAV 0.96.5

Thanks nagios for detecting the zombies.

Code:
Mon Dec 13 05:48:29 2010 -> Downloading safebrowsing-25858.cdiff [100%]
Mon Dec 13 05:48:46 2010 -> WARNING: waitpid() failed: Interrupted system call
Mon Dec 13 05:48:46 2010 -> safebrowsing.cld updated (version: 25858, sigs: 943340, f-level: 58, builder: google)
 
Hello,

On a non-production server I don't have any troubles

Code:
clamav-0.96.5 
FreeBSD 9.0-CURRENT i386

I have to upgrade from 0.96.3 on some amd64 these days, and I'll update my post with the result
 
work around

I have this consistently setting off alarms on 4 machines. The most obvious common item between these machines is myself; so more than likely it's something I've done.

As a workaround, I wrote a quick and dirty daily periodic to restart freshclam: http://pastie.org/1378045
 
From the ClamAV-Users list:
http://comments.gmane.org/gmane.comp.security.virus.clamav.user/35922

I'm seeing it as well on 8.1 using Clamav 0.96.5


Code:
Received signal: wake up
ClamAV update process started at Tue Dec 14 19:30:23 2010
main.cld is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
Downloading daily-12391.cdiff [100%]
WARNING: waitpid() failed: Interrupted system call
daily.cld updated (version: 12391, sigs: 11170, f-level: 58, builder: arnaud)
bytecode.cld is up to date (version: 95, sigs: 19, f-level: 58, builder: edwin)
Database updated (857403 signatures) from database.clamav.net (IP: 168.143.19.95)
Clamd successfully notified about the update.

Like Ericx, I've set up a cron to restart freshclam periodically.
 
Hello,

After 2 days on the test PC I started to notice the same warning in the log

Code:
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
Downloading daily-12391.cdiff [100%]
WARNING: waitpid() failed: Interrupted system call
daily.cld updated (version: 12391, sigs: 11170, f-level: 58, builder: arnaud)

A workaround also can be "to get the status from all child processes that have terminated, without ever waiting"

I tested with some changes in /usr/ports/security/clamav/work/clamav-0.96.5/freshclam/manager.c by setting the WNOHANG option

Code:
Received signal: wake up
Max retries == 3
ClamAV update process started at Wed Dec 15 11:01:37 2010
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 900
Software version from DNS: 0.96.5
main.cvd version from DNS: 53
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
daily.cvd version from DNS: 12391
daily.cld is up to date (version: 12391, sigs: 11170, f-level: 58, builder: arnaud)
bytecode.cvd version from DNS: 95
bytecode.cld is up to date (version: 95, sigs: 19, f-level: 58, builder: edwin)
 
I bow to your superior fu. Would you please post the patch when you are comfortable with it?
 
ericx said:
I bow to your superior fu. Would you please post the patch when you are comfortable with it?

Hello, I didn't post it because it is the opposite (and maybe not correct? but it works for me) from the current behaviour (and it seems the warnings were generated because of an error in loading the new database).

Anyway, I'll try the fixed version
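
The failure mode the "waitpid() failed: Interrupted system call" lines in this thread point to, as an added example (not code from ClamAV's manager.c or from any poster's patch): a blocking waitpid() that is interrupted by a signal and not retried leaves the exited child as a zombie, while an EINTR retry loop collects it and a WNOHANG sweep picks up whatever was missed. All function names, the SIGALRM timer and the timings are constructed for the demonstration.

```c
#define _DEFAULT_SOURCE                 /* glibc: expose usleep()/setitimer() */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

static void on_alarm(int sig) { (void)sig; }   /* exists only to interrupt */

/* Fragile: a single waitpid() call, EINTR is treated as a failure. */
static int reap_once(pid_t pid) { return waitpid(pid, NULL, 0) == pid ? 0 : -1; }

/* Hardened: restart the call when a signal interrupted it. */
static int reap_retry(pid_t pid) {
    pid_t r;
    do { r = waitpid(pid, NULL, 0); } while (r == -1 && errno == EINTR);
    return r == pid ? 0 : -1;
}

/* WNOHANG sweep: collect every child that has already exited, never block. */
static int reap_finished(void) {
    int n = 0;
    while (waitpid(-1, NULL, WNOHANG) > 0) n++;
    return n;
}

/* Constructed scenario: the child lives 300 ms, the parent gets SIGALRM after
 * 100 ms. Returns how many exited children the reaper left uncollected. */
static int zombies_left(int (*reaper)(pid_t)) {
    struct sigaction sa = {0};                  /* sa_flags 0: no SA_RESTART */
    struct itimerval t = { {0, 0}, {0, 100000} };
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGALRM, &sa, NULL);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { usleep(300000); _exit(0); }
    setitimer(ITIMER_REAL, &t, NULL);
    reaper(pid);
    usleep(400000);                             /* child has exited by now */
    return reap_finished();
}

int main(void) {
    printf("single call: %d, EINTR retry: %d\n",
           zombies_left(reap_once), zombies_left(reap_retry));
    return 0;
}
```

The handler is installed with sigaction() and no SA_RESTART on purpose; with SA_RESTART the kernel restarts waitpid() itself and the interruption never reaches the caller.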
 