If I were debugging this I'd want to know if all the VMs run on the same or different hosts, what the allocation of resources to each VM is, if different hosts then what each host's base loads are for CPU, memory, and disk caching. If you don't own the hosts this can be difficult. Then I'd compare the output of sysctl -a on each VM to see if something jumps out. Check sar reports, lsof, and other tools to check RAM usage and disk iowaits, and how much free memory is available for caching. There's more to it, of course, but this provides a good foundation for comparison.

dp

On 12/28/17 5:03 AM, Thorsten Schöning wrote:
Hi all,

I have some problem with ClamAV for some months now and would like to
get some attention on a question I already asked on superuser.com[1]
and ask some additional ones to try to better understand the problem.

In the end, my problem breaks down to the fact that ClamAV startup or
reload because of new signatures takes different time and CPU load on
the same physical host, but in different VMs. The VMs are Ubuntu 14.04
and 16.04 LTS Servers and in only one of those I have the problem,
while the version of ClamAV is all the same 0.99.2 and all use the
same version b2f0b9ba2019d6293c0fefe142d7265592842157 of unofficial
sigs with the same sigs.

In all but one VM startup/reload is pretty fast and takes less than a
minute always, in the one exception it never takes less than a minute,
but instead 2-5 or in very bad cases it even takes 7-10 minutes.
Additionally, in those very bad cases an enormous load is created in
the VM with very high CPU load on all cores and everything is pretty
slow. Even a simple SSH connection and using "mc" in the terminal with
the cursor keys. In htop it looks like all actively running processes
accumulate, regardless how CPU intensive they really are "normally".
In those cases I have a lot of context switches in the physical host,
~500'000, far less in the VM, ~10'000, and practically no I/O in the
VM or host.

So here are my questions:

1. Does clamd scan memory during startup and/or restart?[1] The
    problem seems to occur less with less committed memory in the VM.

2. If memory is scanned, which? Does that depend on the user ClamAV is
    running or the users other services are running under? I couldn't
    reproduce the problem with only e.g. cached file content or large
    open logs as root.

3. Does ClamAV use more than one CPU core during startup/reload?
    Because if my problem occurs, htop shows a load of more than 100%
    for the ClamAV process, sometimes up to 500.

4. Is there any situation in which more CPU cores are known to lower
    performance of startup/reload?

5. What should be most likely the bottleneck during startup/reload,
    available time on one CPU core or I/O to read sigs? I don't seem to
    have any reasonable I/O when the high CPU load occurs.

6. Are there any "benchmarks" available how long startup/reload takes
    on other CPUs, so I could compare my times?

Thanks for your answers!

[1]: https://superuser.com/questions/1208220/does-clamd-scan-memory-during-startup-and-or-restart

Kind regards,

Thorsten Schöning


_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
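
Added example (not part of the original thread): one way to do the "compare the output of sysctl -a on each VM" step suggested in the reply at the top. The two dumps are constructed sample data, and the list of volatile keys to ignore is an assumption of this example.

```python
import re

# Assumption: counters and random values that differ on every read, not settings.
VOLATILE = re.compile(
    r"^(kernel\.random\.|kernel\.ns_last_pid$|kernel\.pty\.nr$|"
    r"fs\.(dentry-state|inode-nr|inode-state|file-nr)$)"
)

# Constructed sample dumps, as if saved with `sysctl -a > vm.txt 2>&1` on each VM.
VM_FAST = """\
kernel.random.uuid = 11111111-1111-1111-1111-111111111111
fs.file-nr = 1920\t0\t199182
kernel.sched_migration_cost_ns = 500000
vm.swappiness = 60
net.ipv4.tcp_rmem = 4096\t87380\t6291456
"""
VM_SLOW = """\
kernel.random.uuid = 22222222-2222-2222-2222-222222222222
fs.file-nr = 4512\t0\t199182
kernel.sched_migration_cost_ns = 500000
vm.swappiness = 10
vm.nr_hugepages = 512
net.ipv4.tcp_rmem = 4096 87380 6291456
sysctl: permission denied on key 'net.ipv4.tcp_fastopen_key'
"""

def parse_sysctl(text):
    """Turn `sysctl -a` output ("key = value" lines) into a dict."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        # Skip error lines without "=" and the volatile keys above.
        if not sep or VOLATILE.match(key):
            continue
        # Collapse whitespace so tab- and space-separated values compare equal.
        settings[key] = " ".join(value.split())
    return settings

def diff_sysctl(text_a, text_b):
    """Return sorted (key, value_a, value_b) for every key that differs."""
    a, b = parse_sysctl(text_a), parse_sysctl(text_b)
    return [(k, a.get(k), b.get(k))
            for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)]

if __name__ == "__main__":
    for key, fast, slow in diff_sysctl(VM_FAST, VM_SLOW):
        print(f"{key}: fast={fast!r} slow={slow!r}")
```

A value of None in the output means the key is missing from that VM's dump, which is worth checking in its own right (different kernel version or module set).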

