admirito / gvm-containers

Greenbone Vulnerability Management Containers

NVTs and Scan Configs empty until ospd sock changed (helm) #51

Open BloodyIron opened 2 years ago

BloodyIron commented 2 years ago

Hey so I pulled the container set up from helm, and out of the box the sync pulls generally everything. I see CVEs, ports, stuff like that. But when I go look at NVTs, blank, when I look at scan configs, blank.

I then found this thread: https://github.com/admirito/gvm-containers/issues/48

And did the steps:

"kubectl -n gvm edit deployments.apps gvm-gvmd

And changing: "- UNIX-LISTEN:/run/ospd/ospd.sock,fork" with "- UNIX-LISTEN:/run/ospd/ospd-openvas.sock,fork""

As outlined from that thread.

Then the relevant container was replaced with the updated deployment, and the feeds in the "Feed Status" section went into "updating" for a while. Then the NVTs show up now, and I see Scan Configs.

Now, I'm not an expert on how OpenVAS/GVM works at all. But when I look at the helm deployments, the default "ospd.sock" should work, since it matches what ospd-openvas is defined to expose as a socket, so I don't understand why this works. But this needs to be fixed because GVM out of the box is effectively broken until this is fixed.

konvergence commented 2 years ago

Hi, I think it's related to this: https://github.com/greenbone/gvmd/blob/v21.4.4/INSTALL.md#configure-the-default-ospd-scanner-socket-path

When you test the command in the container, you get this:

root@openvas-gvm-gvmd-c668d96f-mpcrv:/run/ospd# gvmd --get-scanners
md   main:MESSAGE:2022-01-28 14h41.41 utc:3766:    Greenbone Vulnerability Manager version 21.4.4 (DB revision 242)
md manage:   INFO:2022-01-28 14h41.41 utc:3766:    Getting scanners.
08b69003-5fc2-4037-a479-93b440211c73  OpenVAS  /run/ospd/ospd-openvas.sock  0  OpenVAS Default
6acd0832-df90-11e4-b9d5-28d24461215b  CVE    0  CVE

This means that the default scanner is looked for at /run/ospd/ospd-openvas.sock
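
A check for the mismatch shown in this comment, as an added example that is not part of the original thread or the project's code: it compares the socket path gvmd has registered for the OpenVAS scanner with the path in the socat `UNIX-LISTEN` argument of the gvmd deployment. The function names are hypothetical, and the sample input is the output quoted above.

```shell
#!/bin/sh
# Added example: does the socket gvmd has registered for the OpenVAS scanner
# match the socket the socat listener in the gvmd deployment creates?

# Read `gvmd --get-scanners` output on stdin and print the OpenVAS scanner's
# socket path. Scanner rows start with a UUID; log lines do not.
registered_socket() {
    awk '$1 ~ /^[0-9a-f]+-[0-9a-f]+-[0-9a-f]+-[0-9a-f]+-[0-9a-f]+$/ &&
         $2 == "OpenVAS" { print $3; exit }'
}

# Print the path from a socat address such as
# "- UNIX-LISTEN:/run/ospd/ospd.sock,fork" (YAML dash and options dropped).
listen_socket() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]-]*UNIX-LISTEN:\([^,]*\).*$/\1/p'
}

# check_sockets <socat-address>, with `gvmd --get-scanners` output on stdin.
# Returns 0 on match, 1 on mismatch, 2 if either value cannot be parsed.
check_sockets() {
    want=$(registered_socket)
    have=$(listen_socket "$1")
    if [ -z "$want" ] || [ -z "$have" ]; then
        echo "cannot parse scanner list or socat address" >&2
        return 2
    fi
    if [ "$want" = "$have" ]; then
        echo "OK: gvmd and socat both use $want"
        return 0
    fi
    echo "MISMATCH: gvmd expects $want, socat listens on $have"
    return 1
}

# Sample input: the --get-scanners output quoted in the comment above.
SAMPLE='md   main:MESSAGE:2022-01-28 14h41.41 utc:3766:    Greenbone Vulnerability Manager version 21.4.4 (DB revision 242)
md manage:   INFO:2022-01-28 14h41.41 utc:3766:    Getting scanners.
08b69003-5fc2-4037-a479-93b440211c73  OpenVAS  /run/ospd/ospd-openvas.sock  0  OpenVAS Default
6acd0832-df90-11e4-b9d5-28d24461215b  CVE    0  CVE'

# Chart default from this issue (mismatch), then the edited value (match).
printf '%s\n' "$SAMPLE" | check_sockets "- UNIX-LISTEN:/run/ospd/ospd.sock,fork" || true
printf '%s\n' "$SAMPLE" | check_sockets "- UNIX-LISTEN:/run/ospd/ospd-openvas.sock,fork"
```

On a live cluster, pipe `kubectl -n gvm exec deploy/gvm-gvmd -- gvmd --get-scanners` into `check_sockets` instead of the sample; the namespace and deployment name are the ones used in this thread and may differ for your release.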

konvergence commented 2 years ago

I will test ...

konvergence commented 2 years ago

I confirm that the gvmd deployment with the image admirito/gvmd:21.4.4 must be updated with "UNIX-LISTEN:/run/ospd/ospd-openvas.sock,fork".

There is no need to change the openvas-scanner deployment, which still uses the image admirito/openvas-scanner:21.4.3 and so stays with UNIX-CONNECT:/run/ospd/ospd.sock

BloodyIron commented 2 years ago

I haven't observed any abnormal issues from switching the UNIX-LISTEN URI definition. And that was a week ago. And yeah I didn't change it on the openvas-scanner end, just gvmd.

konvergence commented 2 years ago

@BloodyIron

I opened pull request #52 to change the helm. But I think that is not enough.

I made another test on a previous release (gvmd 20), where I upgraded to gvmd 21.4.4, and in the database, the openvas scanner config stays on /var/run/ospd/ospd.sock

So depending on whether you install gvmd 21.4.4 for the first time or do a migration, the config is not the same. So I think the best is to put the path directly into the Values.yaml

BloodyIron commented 2 years ago

I installed fresh, I have not upgraded or migrated in any way. And this is why I opened the issue, because I don't know the best way to solve this :^)

konvergence commented 2 years ago

I added a socket section into Values.yaml to be able to change the socket paths

socket:
  openvas:
    listener: /run/ospd/ospd.sock
    connector:
      redis: /run/redis/redis.sock
  gvmd:
    connector:
      openvas: /run/ospd/ospd-openvas.sock

BloodyIron commented 2 years ago

So is this going to lead to a new helm chart release?

rizlas commented 2 years ago

Same behavior running with docker-compose. Migrating from 21.4.3 to 21.4.4 is working fine, but a fresh install of 21.4.4 is not working due to:

osp_scanner_feed_version: failed to connect to /run/ospd/ospd-openvas.sock

Any idea how to fix this?