To prevent the problems when executing the openvas scanner, we need to build the container with capabilities (caps) support.
This is only possible with buildah. Currently I was not able to find any other build tool that supports caps at build time. Without correct caps settings inside the container, the release images cannot be built successfully.
The openvas binary needs the NET_RAW and NET_ADMIN caps to record network activity. So we need to set them in the container, which also means the container must later be set up correctly on the user side.
Points:
The container needs to run in network mode host, ipvlan or macvlan (maybe others are supported too): we need our own IP on which we listen on all ports by default, and no bridge.
The container needs to run with the caps NET_RAW and NET_ADMIN.
SecOpts: unconfined for seccomp and apparmor (that's what I have tested).
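As an added example (not part of this issue or of the openvas project), the script below assembles the run flags the three points describe for podman/docker and then checks, from a CapEff line in the format of /proc/<pid>/status, that both CAP_NET_ADMIN (bit 12) and CAP_NET_RAW (bit 13) are actually effective. The image name is a placeholder and the two status excerpts are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the issue: build the run flags the three points
# above describe and verify from a CapEff mask that the scanner's two caps are
# effective. IMAGE is a placeholder; the status excerpts below are constructed.

IMAGE="${IMAGE:-example/openvas-scanner:PLACEHOLDER}"

# Run flags for podman/docker: host networking, the two caps the scanner
# needs, and seccomp/apparmor set to unconfined as tested in the issue.
openvas_run_args() {
    printf '%s' "--network host --cap-add NET_RAW --cap-add NET_ADMIN --security-opt seccomp=unconfined --security-opt apparmor=unconfined"
}

# Extract the CapEff hex mask from text in the format of /proc/<pid>/status.
# Reads stdin, so it works on the real file (cat /proc/1/status | ...) as well
# as on the constructed samples below.
capeff_from_status() {
    awk '$1 == "CapEff:" { print $2; exit }'
}

# Return 0 when a CapEff mask has both CAP_NET_ADMIN (bit 12) and
# CAP_NET_RAW (bit 13) set, i.e. (mask & 0x3000) == 0x3000; return 1 otherwise.
caps_has_net_raw_admin() {
    mask=$(( 0x$1 ))
    if [ $(( mask & 0x3000 )) -eq $(( 0x3000 )) ]; then
        return 0
    fi
    return 1
}

# Constructed sample: the default capability set a container gets without
# --cap-add (NET_RAW present, NET_ADMIN missing).
DEFAULT_STATUS='Name:   openvas
CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb'

# Constructed sample: a container started with exactly the two caps the scanner needs.
SCANNER_STATUS='Name:   openvas
CapEff: 0000000000003000'

# Print the command a user would run, then demonstrate the check on both samples.
echo "podman run --rm $(openvas_run_args) $IMAGE"
for s in "$DEFAULT_STATUS" "$SCANNER_STATUS"; do
    mask=$(printf '%s\n' "$s" | capeff_from_status)
    if caps_has_net_raw_admin "$mask"; then
        echo "CapEff $mask: NET_RAW and NET_ADMIN effective"
    else
        echo "CapEff $mask: NET_RAW and/or NET_ADMIN missing, scanner would fail"
    fi
done
```

To check a running container the same way, run `grep CapEff /proc/1/status` inside it (or `capsh --decode=<mask>` on the host) and feed the mask to `caps_has_net_raw_admin`; a default mask of `00000000a80425fb` shows why the scanner fails without `--cap-add NET_ADMIN`.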