search

greenbone / openvas-scanner

This repository contains the scanner component for Greenbone Community Edition.
https://greenbone.github.io/docs/
GNU General Public License v2.0
3.25k stars 605 forks source link

21.4.3 segmentation fault when missing /etc/openvas/openvas_log.conf #963

Closed immauss closed 2 years ago

immauss commented 2 years ago

Expected behavior

openvas scanner runs with no segfault

Actual behavior

openvas segmentation faults consistently when run in a container.

Steps to reproduce

The container implementation has worked consistently until openvas-scanner v21.4.3. Following the most recent update, openvas-scanner consistently segmentation faults on all commands except version and help. Downgrading the openvas scanner to 21.4.2 resolves the issue. This issue has been seen on multiple container implementations including docker and podman implementations.

GVM versions

gvmd=v21.4.4 openvas=v21.4.3 openvas_smb=v21.4.0 gvm_libs=v21.4.3 openvas_scanner=v21.4.3 gsa=v21.4.3 ospd=v21.4.4 ospd_openvas=v21.4.3 python_gvm=v21.10.0 gvm_tools=v21.10.0

Environment

Docker Container using Debian Buster as a base image and built using:

https://github.com/immauss/openvas

I've pushed an image with gdb and all the debug packages to: immauss/openvas:DEBUG

unfortunately, this has not lead me to anything (that I understand to be) useful. But I'm not true programer.

There is an existing core file in / ( docker dumps the core files out to the host files sytem, so I've already copied this one back into the image. )

Easiest way to get to it.

docker run -d --name debug immauss/openvas:DEBUG docker exec -it debug bash

Logfiles

immauss commented 2 years ago

If you have coredumps enabled on your system, be advised that every time ospd-openvas calls "openvas --update-vt-info", a core file will be generated in /var/lib/systemd/coredump/ and can fill a file system quite quickly.

immauss commented 2 years ago

update .... I managed to get it to work. But I've no idea why what I did made it work.

My container build is using a 2 stage build. After compiling everything, I start with a new base image and copy everything from /usr/local, /var/lib and /etc/gvm from the 1st stage to the new image.

If instead, I just keep the original image where everything is built, (single stage build) then there is no segmentation fault.

Any ideas would I could be missing?

Possibly a library that is referenced in 21.4.3 that was not in 21.4.2 that is not in my base image? But wouldn't that show up in gdb or the strace?

any hints would be greatly appreciated.

immauss commented 2 years ago

OK ... after installing every package from stage 1, then trying different options with the python based packages, I pulled the install manifests from the build processes and created a unique list of directories, and only copied those directories.

And that fixed. Not really sure why ...

For future reference. COPY --from=0 etc/gvm/pwpolicy.conf /etc/gvm/pwpolicy.conf COPY --from=0 etc/logrotate.d/gvmd /etc/logrotate.d/gvmd COPY --from=0 etc/openvas/openvas_log.conf /etc/openvas/openvas_log.conf COPY --from=0 lib/systemd/system /lib/systemd/system COPY --from=0 usr/local/bin /usr/local/bin COPY --from=0 usr/local/include /usr/local/include COPY --from=0 usr/local/lib /usr/local/lib COPY --from=0 usr/local/sbin /usr/local/sbin COPY --from=0 usr/local/share /usr/local/share

Thanks, -Scott

immauss commented 2 years ago

after my elation on resolving this, I started making some more needed tweaks and it came back. I was able to resolve exactly where the problem came from. If there is no /etc/openvas/openvas_log.conf , then it seg faults. I understood it was using /usr/local/etc/openvas (build directory default of /usr/local). 

root@4ecbd6073154:~# openvas 
root@4ecbd6073154:~# ls /usr/local/etc/openvas
openvas_log.conf
root@4ecbd6073154:~# ls /etc/openvas
openvas_log.conf
root@4ecbd6073154:~# rm /etc/openvas/openvas_log.conf 
root@4ecbd6073154:~# openvas 
Segmentation fault (core dumped)
root@4ecbd6073154:~#
ArnoStiefvater commented 2 years ago

This seems to be a duplicate of https://github.com/greenbone/openvas-scanner/issues/960 now. After https://github.com/greenbone/gvm-libs/pull/633 is merged this should be fixed.

immauss commented 2 years ago

@ArnoStiefvater Shouldn't it also be looking for it in "/usr/local/etc/openvas" vs "/etc/openvas" ?

ArnoStiefvater commented 2 years ago

The default location of the log config for stable branch (21.4 version) is currently at /etc/openvas/openvas_log.conf. It can be configured via cmake with variable SYSCONFDIR which is currently /etc per default. So you could run cmake with -DSYSCONFDIR=/usr/local/etc to have the log file at /usr/local/etc/openvas/openvas_log.conf

immauss commented 2 years ago

Thanks for the clarification. I don't see that in the INSTALL.md though. ( current and release 21.4.3)

https://github.com/greenbone/openvas-scanner/blob/main/INSTALL.md#logging-configuration

jjnicola commented 2 years ago

greenbone/gvm-libs#633 is merged. So, closing here.