Skip to main content

Ralsina.Me — Roberto Alsina's website

Moving load around with netpipes.

I had an emer­gen­cy. The CPU us­age of a cer­tain mail serv­er was rais­ing, and the cul­prit was clamd.

For some rea­son, in the last few month­s, the CPU us­age of clamd kept ris­ing, and was now near 70% av­er­age of the server's CPU.

Re­mov­ing the an­tivirus is, of course, not an op­tion. On the oth­er hand, per­for­mance was start­ing to suf­fer.

The usu­al re­sponse would be a full re­tool­ing of the se­tup, mul­ti­ple SMTP servers han­dling the load against a cen­tral stor­age server, cla­mav run­ning on each SMT­P... but switch­ing to that in­volves a full reim­ple­men­ta­tion of the sys­tem. Be­cause of the an­tivirus??? Hell no.

So, I start­ed in­ves­ti­gat­ing how I could move clamd to an­oth­er box, like I did with spa­mas­sas­sin. It was not pret­ty.

  • cla­­mav has a pro­­to­­col de­fined for con­nec­t­ing to re­­mote server­s.

  • cla­­mav does­n't have a client for it.

  • clamd-stream-­­client does­n't seem to work.

So, I thought... let's be orig­i­nal. What do I ac­tu­al­ly need?

I need to be able to call clamd­scan, and have it scan the cur­rent fold­er. Based on its ex­it sta­tus code (0/1/2) the mail is ac­cept­ed, re­ject­ed, tem­po­rar­ily re­ject­ed.

Hav­ing the same fold­ers struc­ture avail­able to two box­es is triv­ial. I have NF­S, lots of band­width and an­oth­er com­put­er.

Run­ning clamd­scan in the sec­ond box, scan­ning those fold­ers is triv­ial too.

The miss­ing piece is a way to tell the sec­ond box's clamd to scan, and get the ex­it code in the mail serv­er.

En­ter net­pipes!

Net­pipes is soft­ware to "make TCP sock­ets us­able from the shel­l". You can find it at http://we­b.pur­ple­frog.­com/~thoth/net­pipes/net­pipes.html.

And here's a re­place­ment clamd­scan which works the way I want­ed it:

#!/bin/dash
exit `echo \$PWD | hose 192.168.1.53 9000 --slave `

This ver­sion takes the fold­er you want to scan as an ar­gu­men­t:

#!/bin/dash
exit `echo \$* | hose 192.168.1.53 9000 --slave `

And here is the "serv­er side". First net­clam.sh:

#!/bin/dash -x
read args
/usr/bin/clamdscan \$args >/dev/null 2>&1
echo \$?

Then the "net­work code":

faucet 9000  --in --out /usr/bin/netclam.sh

And there you have it. Cla­mAV moved to an­oth­er serv­er. With 5 lines of shell code.


Contents © 2000-2020 Roberto Alsina