Centos

為什麼 Clam 防病毒守護程序不會以無法分配記憶體錯誤啟動?

  • June 6, 2018

/etc/init.d/clamd start

錯誤:

[FAILED] log gives ERROR: daemonize() failed: Cannot Allocate Memory

Cent OS

total Mem: 510876kb

/etc/init.d/clamd start

/var/log/clamav

ERROR: daemonize() failed: Cannot Allocate Memory?

這是一個可以解決的問題嗎?

我以為Clamd只需要20 - 40 mb

Memory Free: 273844k

strace 的結果:

waitpid(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0) = 1658
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGCHLD (Child exited) @ 0 (0) ---
waitpid(-1, 0xbff84a2c, WNOHANG)        = -1 ECHILD (No child processes)
sigreturn()                             = ? (mask now [])
rt_sigaction(SIGINT, {SIG_DFL, [], 0}, {0x80810f0, [], 0}, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
read(255, "", 1694)                     = 0
exit_group(1)                           = ?

strace -f 的結果:

strace -f -o /tmp/clamd.txt service clamd start

幾乎相同,我在尋找某種錯誤嗎?

我也遇到過同樣的問題,發現像這個人一樣saslauthd佔用了很多記憶體。

問題可能是記憶體洩漏,此處描述了可能的修復方法:https ://www.howtoforge.com/community/threads/saslauthd-memory-leak-fix.52750/

嘗試了修復,但我無法確認,因為問題(如果仍然存在)不會在幾週後出現。

我也遇到了同樣的問題。

我觀察到它clamd在記憶體中一次又一次地增長,然後因錯誤而崩潰:

Jun  6 08:08:32 <server> clamd[5086]: Received 0 file descriptor(s) from systemd.
Jun  6 08:08:32 <server> clamd[5086]: clamd daemon 0.99.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jun  6 08:08:32 <server> clamd[5086]: Running as user clamupdate (UID 992, GID 990)
Jun  6 08:08:32 <server> clamd[5086]: Log file size limited to 1048576 bytes.
Jun  6 08:08:32 <server> clamd[5086]: Reading databases from /var/lib/clamav
Jun  6 08:08:32 <server> clamd[5086]: Not loading PUA signatures.
Jun  6 08:08:32 <server> clamd[5086]: Bytecode: Security mode set to "TrustSigned".
Jun  6 08:08:46 <server> clamd[5086]: Loaded 6538218 signatures.
Jun  6 08:08:48 <server> clamd[5086]: LOCAL: Unix socket file /var/run/clamd/clamd.sock
Jun  6 08:08:48 <server> clamd[5086]: LOCAL: Setting connection queue length to 4
Jun  6 08:08:48 <server> clamd[5086]: daemonize() failed: Cannot allocate memory
Jun  6 08:08:48 <server> clamd[5086]: Closing the main socket.
Jun  6 08:08:48 <server> clamd[5086]: Socket file removed.

我觀察到clamd記憶體增長到532 MB

# ps -o pid,size,rss,etime,start,cmd -p 16114|more
 PID  SIZE   RSS     ELAPSED  STARTED CMD
16114 580024 545672     00:15 08:18:21 /usr/sbin/clamd -c /etc/clamd.d/clamd.conf
# echo "scale=3; 545672/1024"|bc -l
532.882

我認為 532 MB 會很緊,但我仍然可以放入小型伺服器

# free -m
             total        used        free      shared  buff/cache   available
Mem:           1834         532         626          89         675        1004
Swap:             0           0           0

一直都知道它clamd會消耗很多記憶體,但它似乎隨著時間的推移變得越來越大。

所以我想知道什麼會消耗這麼多記憶體並用strace.

我發現它實際上正在將所有數據庫文件讀入記憶體,因為它在其日誌中聲明Reading databases from /var/lib/clamav並創建了一個記憶體索引6538218 signatures

openat(AT_FDCWD, "/var/lib/clamav", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 5
getdents(5, /* 6 entries */, 32768)     = 176
stat("/var/lib/clamav/daily.cld", {st_mode=S_IFREG|0644, st_size=141535744, ...}) = 0
stat("/var/lib/clamav/main.cvd", {st_mode=S_IFREG|0644, st_size=117892267, ...}) = 0
stat("/var/lib/clamav/bytecode.cvd", {st_mode=S_IFREG|0644, st_size=153228, ...}) = 0
getdents(5, /* 0 entries */, 32768)     = 0
close(5)                                = 0
stat("/var/log/clamd/clamd.log", {st_mode=S_IFREG|0600, st_size=266784, ...}) = 0
write(3, "Wed Jun  6 08:08:46 2018 -> Load"..., 55) = 55
sendto(4, "<22>Jun  6 08:08:46 clamd[5086]:"..., 59, MSG_NOSIGNAL, NULL, 0) = 59

在將所有病毒定義讀入記憶體後,它最終會嘗試fork嘗試複製 532 MB 記憶體索引的子程序

clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fd70bb64b10) = -1 ENOMEM (Cannot allocate memory)
stat("/var/log/clamd/clamd.log", {st_mode=S_IFREG|0600, st_size=266989, ...}) = 0
write(3, "Wed Jun  6 08:08:48 2018 -> ERRO"..., 78) = 78
write(2, "ERROR: daemonize() failed: Canno"..., 50) = 50
sendto(4, "<19>Jun  6 08:08:48 clamd[5086]:"..., 75, MSG_NOSIGNAL, NULL, 0) = 75

所以實際上在啟動的那一刻,它會消耗雙倍的記憶體,使其成為記憶體索引。

現在為了能夠啟動和執行這個服務,我至少需要創建一個交換分區來克服這個啟動序列。

正如其他人所評論的那樣,增加系統記憶體可以幫助您克服這種啟動記憶體增加。

引用自:https://serverfault.com/questions/612381