Describe the bug
I had the antivirus pod talking to ClamAV over TCP: tcp://clamav.clamav.svc.cluster.local:3310. This was working up to 4.0, but since the newest version (4.1) it suddenly is not working anymore.
Steps to reproduce
- With version 4.1, try to upload a file
- It will not get sent to ClamAV
Expected behavior
Should work over tcp
Logs from antivirus:
```json
{"level":"info","service":"antivirus","service":"antivirus","endpoint":"/healthz","time":"2026-01-12T21:59:59Z","line":"github.com/opencloud-eu/opencloud/pkg/service/debug/service.go:27","message":"no probe provided, reverting to default (OK)"}
```

```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2026-01-12T21:59:58Z"
  generateName: antivirus-b969d4b64-
  generation: 1
  labels:
    app: antivirus
    app.kubernetes.io/instance: opencloud
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: opencloud-microservices
    app.kubernetes.io/version: 4.1.0
    helm.sh/chart: opencloud-microservices-0.3.14
    pod-template-hash: b969d4b64
  name: antivirus-b969d4b64-ff4dh
  namespace: opencloud
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: antivirus-b969d4b64
    uid: 6e13f131-e826-4ec8-9eef-0003a9a2b491
  resourceVersion: "625434"
  uid: 9569e34a-0d4d-4ce9-821c-28a5928fe4ba
spec:
  containers:
  - args:
    - server
    command:
    - opencloud
    env:
    - name: MICRO_REGISTRY
      value: nats-js-kv
    - name: MICRO_REGISTRY_ADDRESS
      value: nats:9233
    - name: OC_EVENTS_ENDPOINT
      value: nats:9233
    - name: OC_RUN_SERVICES
      value: antivirus
    - name: ANTIVIRUS_LOG_COLOR
      value: "false"
    - name: ANTIVIRUS_LOG_LEVEL
      value: debug
    - name: ANTIVIRUS_LOG_PRETTY
      value: "false"
    - name: ANTIVIRUS_DEBUG_ADDR
      value: 0.0.0.0:9277
    - name: ANTIVIRUS_DEBUG_PPROF
      value: "false"
    - name: ANTIVIRUS_INFECTED_FILE_HANDLING
      value: abort
    - name: ANTIVIRUS_SCANNER_TYPE
      value: clamav
    - name: ANTIVIRUS_CLAMAV_SOCKET
      value: tcp://clamav.clamav.svc.cluster.local:3310
    - name: ANTIVIRUS_ICAP_SCAN_TIMEOUT
      value: "300"
    - name: ANTIVIRUS_ICAP_URL
    - name: ANTIVIRUS_ICAP_SERVICE
    - name: ANTIVIRUS_MAX_SCAN_SIZE
    - name: ANTIVIRUS_WORKERS
      value: "10"
    - name: OC_TRANSFER_SECRET
      valueFrom:
        secretKeyRef:
          key: transfer-secret
          name: transfer-secret
    - name: OC_JWT_SECRET
      valueFrom:
        secretKeyRef:
          key: jwt-secret
          name: jwt-secret
    - name: OC_MACHINE_AUTH_API_KEY
      valueFrom:
        secretKeyRef:
          key: machine-auth-api-key
          name: machine-auth-api-key
    - name: OC_SYSTEM_USER_ID
      valueFrom:
        secretKeyRef:
          key: user-id
          name: storage-system
    image: opencloudeu/opencloud-rolling:4.1.0
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 3
      httpGet:
        path: /healthz
        port: metrics-debug
        scheme: HTTP
      initialDelaySeconds: 60
      periodSeconds: 20
      successThreshold: 1
      timeoutSeconds: 10
    name: antivirus
    ports:
    - containerPort: 9277
      name: metrics-debug
      protocol: TCP
    resources: {}
    securityContext:
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /etc/opencloud/messaging-system-ca
      name: messaging-system-ca
      readOnly: true
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-l7szf
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  nodeName: talos-gpu-i6o
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext:
    fsGroup: 1000
    fsGroupChangePolicy: OnRootMismatch
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - emptyDir: {}
    name: messaging-system-ca
  - name: kube-api-access-l7szf
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2026-01-12T21:59:59Z"
    observedGeneration: 1
    status: "True"
    type: PodReadyToStartContainers
  - lastProbeTime: null
    lastTransitionTime: "2026-01-12T21:59:58Z"
    observedGeneration: 1
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2026-01-12T21:59:59Z"
    observedGeneration: 1
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2026-01-12T21:59:59Z"
    observedGeneration: 1
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2026-01-12T21:59:58Z"
    observedGeneration: 1
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: containerd://55d5082aff629f7c122da330e6a83db293690d4fb788146367b4f7cd6904528f
    image: docker.io/opencloudeu/opencloud-rolling:4.1.0
    imageID: docker.io/opencloudeu/opencloud-rolling@sha256:6e36a7be89e6ce121167c2633ac03fae54962d59efa1837e69720296041b8d87
    lastState: {}
    name: antivirus
    ready: true
    resources: {}
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2026-01-12T21:59:58Z"
    user:
      linux:
        gid: 1000
        supplementalGroups:
        - 1000
        uid: 1000
    volumeMounts:
    - mountPath: /etc/opencloud/messaging-system-ca
      name: messaging-system-ca
      readOnly: true
      recursiveReadOnly: Disabled
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-l7szf
      readOnly: true
      recursiveReadOnly: Disabled
  hostIP: 192.168.200.52
  hostIPs:
  - ip: 192.168.200.52
  observedGeneration: 1
  phase: Running
  podIP: 10.244.0.100
  podIPs:
  - ip: 10.244.0.100
  qosClass: BestEffort
  startTime: "2026-01-12T21:59:58Z"
```
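
A standalone reachability probe for the setup in this issue, added here as an example; it is not part of the original report and not OpenCloud's code. It reads the same `ANTIVIRUS_CLAMAV_SOCKET` value as the pod spec above and checks whether clamd answers its `PING` command, which separates a DNS or network problem from a change in the antivirus service itself. The function names `splitEndpoint` and `pingConn` and the accepted endpoint forms are assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"log"
	"net"
	"net/url"
	"os"
	"strings"
	"time"
)

// splitEndpoint maps "tcp://host:port" or an absolute socket path (forms assumed here) to net.Dial arguments.
func splitEndpoint(raw string) (string, string, error) {
	if strings.HasPrefix(raw, "/") {
		return "unix", raw, nil
	}
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "tcp" || u.Port() == "" {
		return "", "", fmt.Errorf("unsupported clamd endpoint %q", raw)
	}
	return "tcp", u.Host, nil
}

// pingConn sends clamd's null-terminated PING command and requires PONG back.
func pingConn(conn net.Conn, timeout time.Duration) error {
	conn.SetDeadline(time.Now().Add(timeout))
	if _, err := conn.Write([]byte("zPING\x00")); err != nil {
		return fmt.Errorf("send PING: %w", err)
	}
	reply, err := bufio.NewReader(conn).ReadString(0)
	if err != nil || reply != "PONG\x00" {
		return fmt.Errorf("unexpected reply %q (err: %v)", reply, err)
	}
	return nil
}

func main() {
	network, addr, err := splitEndpoint(os.Getenv("ANTIVIRUS_CLAMAV_SOCKET"))
	if err != nil {
		log.Fatal(err)
	}
	conn, err := net.DialTimeout(network, addr, 5*time.Second)
	if err != nil {
		log.Fatal("dial failed: ", err) // DNS, NetworkPolicy, or clamd not listening
	}
	defer conn.Close()
	log.Println("clamd PING error:", pingConn(conn, 5*time.Second)) // <nil> means PONG received
}
```

Run it from a pod in the same namespace as the antivirus deployment so that DNS resolution and network policy match what the service sees.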