Pivotal Knowledge Base

ClamAV uses excessive storage on a VM

Environment

Any Pivotal Cloud Foundry Elastic Runtime environment that uses the ClamAV add-on for PCF 1.1.6 beta, or prior versions of ClamAV, with Elastic Runtime.

Purpose

In certain configurations, ClamAV may use excessive storage on a VM, possibly filling the disk space and making the environment unstable. It may use up all available storage on the /var/vcap/data/ volume. This applies in particular to the nfs_server VM and the diego_cell VMs but can affect any VM on which ClamAV is configured with both on-access and scheduled scans enabled at the same time.

Cause

This issue occurs because ClamAV holds on to deleted file handles in /var/vcap/data/tmp. The problem arises when both on-access and scheduled scans are set to yes (on_access: yes and scheduled: yes), which causes a race condition in which the deleted file handles are not released.
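
To confirm this cause on an affected VM, the following added example (not part of the original article or of the ClamAV add-on) scans /proc for file descriptors whose target under /var/vcap/data/tmp is marked deleted and totals the space they still hold. It assumes a Linux VM with Python 3 and root privileges to read other processes' descriptors; the function names are illustrative.

```python
#!/usr/bin/env python3
"""Added example: list unlinked files under a directory that processes still hold open."""
import os
import sys

DELETED = " (deleted)"  # suffix the Linux kernel appends to /proc/<pid>/fd targets


def deleted_open_files(prefix="/var/vcap/data/tmp", proc="/proc", pids=None):
    """Map (device, inode) -> {"path", "bytes", "pids"} for deleted-but-open files."""
    prefix = prefix.rstrip("/") + "/"
    found = {}
    for pid in (os.listdir(proc) if pids is None else map(str, pids)):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not root and not our own process
            continue
        for fd in fds:
            link = os.path.join(fd_dir, fd)
            try:
                target = os.readlink(link)
                if not (target.startswith(prefix) and target.endswith(DELETED)):
                    continue
                st = os.stat(link)  # follows the link to the unlinked inode
            except OSError:
                continue
            # Key on (device, inode) so a file shared by several descriptors
            # or processes is counted once.
            entry = found.setdefault(
                (st.st_dev, st.st_ino),
                {"path": target[: -len(DELETED)], "bytes": st.st_size, "pids": set()},
            )
            entry["pids"].add(int(pid))
    return found


def total_bytes(found):
    """Sum the sizes of the distinct deleted files found."""
    return sum(entry["bytes"] for entry in found.values())


if __name__ == "__main__":
    directory = sys.argv[1] if len(sys.argv) > 1 else "/var/vcap/data/tmp"
    held = deleted_open_files(directory)
    for entry in sorted(held.values(), key=lambda e: -e["bytes"]):
        print(f'{entry["bytes"]:>14}  pids={sorted(entry["pids"])}  {entry["path"]}')
    print(f"{total_bytes(held)} bytes in {len(held)} deleted files still open")
```

A large total here, together with df reporting far more usage on the volume than du finds in the directory tree, matches the behaviour described above.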

Resolution

The workaround is to set either the on_access property to no or the scheduled property to no.

For the workaround example below, we have set on_access: no.

releases:
- { name: fim, version: "1.1.2" }
- { name: clamav, version: "1.1.6" }
addons:
- name: fim
  jobs:
  - name: fim
    release: fim
  properties: {}
- name: clamav
  jobs:
  - name: clamav
    release: clamav
  properties:
    clamav:
      on_access: no
      scheduled: yes
      database_mirror: 10.147.50.20

The fix for this issue will be available in the next release.
