immauss / openvas

Containers for running the Greenbone Vulnerability Manager. Run as a single container with all services or separate single applications containers via docker-compose.
GNU Affero General Public License v3.0
367 stars, 102 forks

OpenVAS distributed architecture, master-slave setup with a common PostgreSQL database #109

Open harshalgithub opened 2 years ago

harshalgithub commented 2 years ago


@immauss Sir,

If possible, please check the architecture diagram below. I would also request this kind of setup for the multi-container (mc) build, so that it becomes a master-slave architecture (the master would be the administrator GUI of GVM and the slave would be a remote scanner only, reachable via SSH connections):

https://securecompliance.gitbook.io/projects/gvm_image

https://github.com/Secure-Compliance-Solutions-LLC/GVM-Docker

(architecture diagram: https://user-images.githubusercontent.com/9278569/148571575-dcf82388-886a-467a-b4e0-cc66bda883ea.png)

Will it be possible to make the above kind of setup for your "mc" build, with a single Dockerfile/docker-compose file?


immauss commented 2 years ago

I've looked at this before, but not gotten that far with it. In my current implementation of the multiple container build, I'm using a shared volume for the sockets. Greenbone does not yet give an option for TCP communications from gvmd to postgres, which is why there is the ssh forwarding in the Securecompliance containers. I've also been a bit swamped lately, so not as much time to work on this as I would like.

harshalgithub commented 2 years ago

Hi @immauss ,

Will it be possible to expose these available ports [GSA web interface (8080:9392), 22/tcp for SSH, 9390/tcp GVM API client, 5432/tcp PostgreSQL client] in your multi-container build? Then the multi-container build would be more portable and scalable.

Please check feasibility with the latest migration to pg13.

immauss commented 2 years ago

So ... I was hoping that GB would get close to this with their upcoming container implementation by adding some TCP connection options for postgresql <-> gvmd ... however, they seem to have chosen the same method I'm using, which is a shared volume to hold the sockets. I'm not a fan of all the extra ssh connections to get this to work. Mainly because it seems like a lot of work and I just haven't had the time to put into it. I'm also not sure there is a huge use case for it. Most everyone I know is primarily interested in the single container option.

That said ... I'm pretty sure you could still make this work using my container and some fancy docker-compose options to add anything additional and set some things up differently. I'm going to leave this open as a reminder for something I might try to do in the future, but right now, I just don't have the bandwidth.

-Scott

immauss commented 1 year ago

So GB has recently answered that this is still possible, and I have the directions. I'll start working on it soon, but it will likely be an option available to supporters. I'll keep you posted.

harshalgithub commented 11 months ago

Hi @immauss , Is there any update on requested architecture enhancements ?

Thanks.

immauss commented 11 months ago

Yes

I’ve managed to get it working, but have not fully tested it yet. I’m expecting to have some time in the next weeks to test and document and hope to make it available in early January.

-Scott


harshalgithub commented 10 months ago

Hi Scott,

I was researching on the internet about forwarding UNIX socket communications to TCP ports, and found the "socat" tool, which can forward UNIX sockets to TCP ports.

I was trying that in the multi-container docker-compose file given by GB here: https://greenbone.github.io/docs/latest/22.4/container/index.html#docker-compose-file

Below is the extra service I added to the docker-compose file to forward the socket to a port, but I have not been able to get TCP communication working.

```yaml
  socat:
    image: alpine/socat
    # UNIX-CONNECT needs the socket file itself; in Greenbone's compose file
    # gvmd creates it at /run/gvmd/gvmd.sock inside the shared socket volume.
    command: "TCP-LISTEN:6400,fork UNIX-CONNECT:/run/gvmd/gvmd.sock"
    volumes:
      - gvmd_socket_vol:/run/gvmd   # assumed: the socket volume the gvmd service already uses
    depends_on:
      - gvmd                        # assumed: the original post left depends_on empty
```

(attachment: docker-compose_yml.txt)

I have added docker-compose file here for reference.

You might have a better idea of how to make this work, as you have more experience with this.

I am still researching, if I get any luck, I will share it here.
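As an added example (not from this thread, and not the repo's or Greenbone's code), here are the two socat command lines such a bridge needs, with the plaintext form the compose service above uses beside a mutual-TLS form. It assumes the gvmd socket path /run/gvmd/gvmd.sock from Greenbone's compose file; the certificate paths and host name are placeholders. The point a practitioner should weigh first: a plain TCP-LISTEN in front of the gvmd socket hands anyone who can reach the port a raw GMP connection, and the GMP <authenticate> username and password then cross the network unencrypted. gvmd can also listen on TCP with TLS itself via its --listen and --port options, which avoids socat for the GMP side entirely.

```shell
#!/bin/sh
# Added example (not from the thread or the repo): bridging the gvmd UNIX
# socket over TCP with socat.
# Assumed: gvmd's socket is /run/gvmd/gvmd.sock (Greenbone compose default);
# certificate paths and hosts passed in are placeholders chosen by the operator.

GVMD_SOCK="${GVMD_SOCK:-/run/gvmd/gvmd.sock}"

# Plaintext bridge (what the posted compose service does): anyone who can
# reach TCP/<port> gets a raw GMP connection, and the <authenticate>
# username/password cross the network unencrypted. Lab use only.
socat_server_plain() {  # port
    printf 'socat TCP-LISTEN:%s,fork,reuseaddr UNIX-CONNECT:%s\n' "$1" "$GVMD_SOCK"
}

# Mutual-TLS bridge, server side: present a cert and require a client cert
# signed by the same CA (verify=1) before handing over the socket.
socat_server_tls() {  # port cert key cafile
    printf 'socat OPENSSL-LISTEN:%s,fork,reuseaddr,cert=%s,key=%s,cafile=%s,verify=1 UNIX-CONNECT:%s\n' \
        "$1" "$2" "$3" "$4" "$GVMD_SOCK"
}

# Client side: expose a local UNIX socket (mode 600) that gvm-cli or
# python-gvm can use unchanged, tunnelled to the server over TLS.
socat_client_tls() {  # host port cert key cafile localsock
    printf 'socat UNIX-LISTEN:%s,fork,mode=600 OPENSSL:%s:%s,cert=%s,key=%s,cafile=%s,verify=1\n' \
        "$6" "$1" "$2" "$3" "$4" "$5"
}

# Guard: only emit the plaintext form when explicitly allowed.
bridge_cmd() {  # plain <port> | tls <port> <cert> <key> <cafile>
    case "$1" in
        plain)
            if [ "${ALLOW_PLAINTEXT:-0}" != 1 ]; then
                echo "refusing plaintext bridge; set ALLOW_PLAINTEXT=1 for a lab" >&2
                return 1
            fi
            socat_server_plain "$2" ;;
        tls)
            socat_server_tls "$2" "$3" "$4" "$5" ;;
        *)
            echo "usage: bridge_cmd plain <port> | tls <port> <cert> <key> <cafile>" >&2
            return 2 ;;
    esac
}

# Demo: print the server command for a TLS bridge on 6400 and the matching
# client command for a workstation (all paths and the host are placeholders).
if [ "${1:-}" = "demo" ]; then
    bridge_cmd tls 6400 /etc/socat/server.pem /etc/socat/server.key /etc/socat/ca.pem
    socat_client_tls gvmd.example.internal 6400 /etc/socat/client.pem /etc/socat/client.key /etc/socat/ca.pem /tmp/gvmd.sock
fi
```

Run it with `sh bridge.sh demo` to see both halves; the client side then points gvm-cli at the local socket (`gvm-cli socket --socketpath /tmp/gvmd.sock ...`) exactly as it would on the gvmd host. The certificates for socat are independent of GVM's own CA, so revoke and rotate them separately.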


immauss commented 10 months ago

It's actually easier than that.

The container will be run as a remote.

The remote is added as another scanner to the master.

You can then configure scans to run from the remote scanner.

It's a documented feature .... Well, it's not documented well.

I have it working, but need to write docs and some more scripts to make setup easier.

The tricky part, which isn't that tricky ... is getting the certs from the master to the remote.

I've also not been able to do any testing with it yet either. I got side tracked updating the base image and resolving a few bugs.
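The remote-scanner setup described in the comment above, as an added example that is not the repo's own scripts or Greenbone's documentation: the master's gvmd opens a TLS connection to ospd-openvas on the remote (port 9391 by default), presenting the master's client certificate, and ospd-openvas presents a server certificate issued by the same CA. Assumed: GVM's default certificate paths under /var/lib/gvm, a placeholder REMOTE_HOST and the scanner name remote1; the gvmd options (--create-scanner, --scanner-host, --scanner-port, --scanner-ca-pub, --scanner-key-pub, --scanner-key-priv, --verify-scanner) and the ospd-openvas options (--bind-address, --port, --ca-file, --cert-file, --key-file) come from their respective --help output, so check them against the versions you run. The private-key permission check is a generic precaution for the copy step, not a gvmd feature.

```shell
#!/bin/sh
# Added example (not the repo's scripts): registering a remote ospd-openvas
# with the master's gvmd. Assumed: GVM default cert paths; REMOTE_HOST and
# the scanner name remote1 are placeholders.

GVM_CA_DIR="${GVM_CA_DIR:-/var/lib/gvm/CA}"
GVM_KEY_DIR="${GVM_KEY_DIR:-/var/lib/gvm/private/CA}"

# The "tricky part": the cert material copied to the remote. A private key
# that arrives group- or world-readable (tar/scp with a loose umask) is the
# usual slip, so refuse it. Generic check, not a gvmd feature.
key_is_private() {  # path -> 0 only if the file exists with no g/o read bit
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -g+r -o -perm -o+r \) -print)" ]
}

# What the remote needs: the master's CA cert plus a server cert/key signed
# by that CA, handed to ospd-openvas.
check_remote_bundle() {  # cacert servercert serverkey
    [ -f "$1" ] && [ -f "$2" ] && key_is_private "$3"
}

# Remote side: ospd-openvas listening on TCP with TLS instead of its UNIX socket.
ospd_listen_cmd() {  # bind-address port cacert cert key
    printf 'ospd-openvas --bind-address=%s --port=%s --ca-file=%s --cert-file=%s --key-file=%s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Master side: gvmd registers the remote, presenting its client cert/key and
# verifying the remote's server cert against the CA.
create_scanner_cmd() {  # name host port
    printf 'gvmd --create-scanner=%s --scanner-type=OpenVAS --scanner-host=%s --scanner-port=%s --scanner-ca-pub=%s --scanner-key-pub=%s --scanner-key-priv=%s\n' \
        "$1" "$2" "$3" "$GVM_CA_DIR/cacert.pem" "$GVM_CA_DIR/clientcert.pem" "$GVM_KEY_DIR/clientkey.pem"
}

# Walk-through: run on the master as the gvm user; prints what to run where.
if [ "${1:-}" = "demo" ]; then
    check_remote_bundle "$GVM_CA_DIR/cacert.pem" "$GVM_CA_DIR/servercert.pem" "$GVM_KEY_DIR/serverkey.pem" \
        || { echo "fix the bundle before copying it to the remote" >&2; exit 1; }
    echo "# on REMOTE_HOST (after scp of the three files, key mode 0600):"
    ospd_listen_cmd 0.0.0.0 9391 /var/lib/gvm/CA/cacert.pem /var/lib/gvm/CA/servercert.pem /var/lib/gvm/private/CA/serverkey.pem
    echo "# on the master:"
    create_scanner_cmd remote1 REMOTE_HOST 9391
    echo "gvmd --get-scanners        # note the UUID printed for remote1"
    echo "gvmd --verify-scanner=<UUID>"
fi
```

After `--create-scanner`, `gvmd --verify-scanner=<UUID>` is the step that actually exercises the TLS handshake in both directions; a failure there almost always means the remote's server cert was not issued by the CA the master passed in `--scanner-ca-pub`, or the key on the remote is not the one matching its cert. Binding ospd-openvas to 0.0.0.0 is shown for clarity; restrict it to the interface the master reaches and firewall 9391 to the master's address.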

harshalgithub commented 9 months ago

Hi Scott,

Any update on the distributed setup with all ports open over TCP?


immauss commented 9 months ago

Unfortunately, #242 has eaten up a ton of my time.

BTW ... one of the issues with everything on tcp, is still the postgres setup. Greenbone added a TCP connection option, but does not currently have a mechanism for setting the username/password for connecting to postgres. In my mind, this is a serious security concern when gvmd and postgresql are not co-located.

-Scott

harshalgithub commented 9 months ago

Hi Scott,

Could you still share the docker-compose files for the multi-container distributed TCP setup in a separate repo folder, if possible?

Thanks, Harshal


immauss commented 9 months ago

I don't currently have one that is purely TCP.

The multi container compose file I do have is in the repo, but still shares a volume for sockets.

-Scott