immauss / openvas

Containers for running the Greenbone Vulnerability Manager. Run as a single container with all services, or as separate single-application containers via docker-compose.
GNU Affero General Public License v3.0

Podman support #150

Closed PetreHoffmann closed 1 year ago

PetreHoffmann commented 1 year ago

Hi,

Can you also provide some instructions for rootless podman? With the current instructions the container doesn't start.

thanks

immauss commented 1 year ago

Petre, the openvas scanner normally needs to run as root to properly perform some of the scans. It's possible with docker to add some capabilities (NET_ADMIN & NET_RAW) to make it work, but I've not gotten into that. I'm also not as heavy with podman at the moment but ...

What kind of errors are you getting with podman rootless?

-Scott

PetreHoffmann commented 1 year ago

Hi,

Here is the output. I also tried with --network=host.

podman run -it --name openvas -v openvasdata:/data -p 8082:9392 immauss/openvas

Setting up contianer filesystem
cp: cannot stat '/usr/local/var/lib/*': No such file or directory
cp: cannot stat '/var/lib/gvm/*': No such file or directory
cp: cannot stat '/var/lib/openvas/*': No such file or directory
Using default gvm logging config
Using default gvm logging config
Using default openvas logging config
Choosing container start method from:

Starting gvmd & openvas in a single container !!
Wait for redis socket to be created...
Testing redis status...
Redis ready.
Creating postgresql.conf and pg_hba.conf
Starting PostgreSQL...
waiting for server to start....2022-09-27 06:58:43.029 UTC [94] LOG:  redirecting log output to logging collector process
2022-09-27 06:58:43.029 UTC [94] HINT:  Future log output will appear in directory "/data/var-log/postgresql".
 done
server started
pg exit with 0 .
Checking for existing DB
Loading Default Database
Running first start configuration...
Generating certs...
Generated private key in /tmp/tmp.9KxQBtJ8uU/cakey.pem.
Generated self signed certificate in /tmp/tmp.9KxQBtJ8uU/cacert.pem.
Installed private key to /var/lib/gvm/private/CA/cakey.pem.
Installed certificate to /var/lib/gvm/CA/cacert.pem.
Generated private key in /tmp/tmp.9KxQBtJ8uU/serverkey.pem.
Generated certificate request in /tmp/tmp.9KxQBtJ8uU/serverrequest.pem.
Signed certificate request in /tmp/tmp.9KxQBtJ8uU/serverrequest.pem with CA certificate in /var/lib/gvm/CA/cacert.pem to generate certificate in /tmp/tmp.9KxQBtJ8uU/servercert.pem
Installed private key to /var/lib/gvm/private/CA/serverkey.pem.
Installed certificate to /var/lib/gvm/CA/servercert.pem.
Generated private key in /tmp/tmp.9KxQBtJ8uU/clientkey.pem.
Generated certificate request in /tmp/tmp.9KxQBtJ8uU/clientrequest.pem.
Signed certificate request in /tmp/tmp.9KxQBtJ8uU/clientrequest.pem with CA certificate in /var/lib/gvm/CA/cacert.pem to generate certificate in /tmp/tmp.9KxQBtJ8uU/clientcert.pem
Installed private key to /var/lib/gvm/private/CA/clientkey.pem.
Installed certificate to /var/lib/gvm/CA/clientcert.pem.
Removing temporary directory /tmp/tmp.9KxQBtJ8uU.
########################################
Creating a base DB from /usr/lib/base-db.xz
base data from:
Mon Aug 29 16:04:35 UTC 2022
########################################
NOTICE:  relation "vt_severities" already exists, skipping
Unpacking base feeds data from /usr/lib/var-lib.tar.xz
NOTICE:  relation "vt_severities" already exists, skipping
NOTICE:  relation "vt_severities" already exists, skipping
Migrating the database to the latest version if needed.
Updating NVTs and other data
This could take a while if you are not using persistent storage for your NVTs
 or this is the first time pulling to your persistent storage.
 the time will be mostly dependent on your available bandwidth.
 We sleep for 5 seconds between sync command to make sure everything closes
 and it doesnt' look like we are connecting more than once.
 Pulling NVTs from greenbone
<28>Sep 27 07:00:27 greenbone-nvt-sync: The log facility is not working as expected. All messages will be written to the standard error stream.
<29>Sep 27 07:00:27 greenbone-nvt-sync: No Greenbone Security Feed access key found, falling back to Greenbone Community Feed
<29>Sep 27 07:00:32 greenbone-nvt-sync: Configured NVT rsync feed: rsync://feed.community.greenbone.net:/nvt-feed
rsync: [Receiver] failed to connect to feed.community.greenbone.net (45.135.106.143): Connection refused (111)
rsync: [Receiver] failed to connect to feed.community.greenbone.net (2a0e:6b40:20:106:20c:29ff:fe7f:d2ae): Network is unreachable (101)
rsync error: error in socket IO (code 10) at clientserver.c(137) [Receiver=3.2.3]
<27>Sep 27 07:00:32 greenbone-nvt-sync: rsync failed.
 Pulling scapdata from greenbone
rsync: [Receiver] failed to connect to feed.community.greenbone.net (45.135.106.143): Connection refused (111)
rsync: [Receiver] failed to connect to feed.community.greenbone.net (2a0e:6b40:20:106:20c:29ff:fe7f:d2ae): Network is unreachable (101)
rsync error: error in socket IO (code 10) at clientserver.c(137) [Receiver=3.2.3]
immauss commented 1 year ago

This looks more like a connectivity issue than a podman problem, unless your podman setup is preventing the container from contacting the outside. You can try starting with "-e SKIPSYNC=true" and see if that works. You will likely have some other issues though, as openvas does need some root capabilities to properly perform scans. This isn't something I've had the time to get into. With the single-container version there's quite a lot going on, and it would be a pretty heavy lift to get it to run without root privileges. The multi-container version might be easier, as only some of the containers would require the root privileges.
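
The diagnosis above (a feed-sync failure that is really outbound connectivity, worked around with SKIPSYNC while the container's network is sorted out) can be scripted. The following is an added example and not code from the immauss/openvas project: it classifies the greenbone-nvt-sync / rsync lines the container prints, and prints a podman command line carrying the NET_ADMIN and NET_RAW capabilities and, when feeds are unreachable, the SKIPSYNC=true environment variable, both of which are named in this thread. The sample log text is constructed from the output posted above; the helper names classify_sync_log and podman_run_cmd are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not part of immauss/openvas. Classifies the feed-sync output
# the single-container image prints and suggests the next podman invocation.
# Capability names (NET_ADMIN, NET_RAW) and SKIPSYNC come from the thread;
# --cap-add, -e, -v and -p are podman's own flags.

# Constructed sample, abridged from the output posted in this issue.
SAMPLE_SYNC_LOG='<29>Sep 27 07:00:32 greenbone-nvt-sync: Configured NVT rsync feed: rsync://feed.community.greenbone.net:/nvt-feed
rsync: [Receiver] failed to connect to feed.community.greenbone.net (45.135.106.143): Connection refused (111)
rsync: [Receiver] failed to connect to feed.community.greenbone.net (2a0e:6b40:20:106:20c:29ff:fe7f:d2ae): Network is unreachable (101)
rsync error: error in socket IO (code 10) at clientserver.c(137) [Receiver=3.2.3]
<27>Sep 27 07:00:32 greenbone-nvt-sync: rsync failed.'

# classify_sync_log LOGTEXT
# Prints one word describing the feed-sync outcome:
#   connectivity - rsync never reached the feed host (firewall, proxy, DNS,
#                  or a rootless network namespace with no outbound route)
#   rsync-error  - rsync reported a failure that is not a connect failure
#   ok           - no rsync failure lines present
classify_sync_log() {
    log="$1"
    if printf '%s\n' "$log" | grep -Eq 'failed to connect|Network is unreachable|Connection refused|Connection timed out'; then
        echo connectivity
    elif printf '%s\n' "$log" | grep -Eq 'rsync error|rsync failed'; then
        echo rsync-error
    else
        echo ok
    fi
}

# podman_run_cmd SKIPSYNC(true|false)
# Prints, without executing, a podman run line for the single-container image.
# Volume name and port mapping are the ones used in this thread.
podman_run_cmd() {
    skipsync="$1"
    cmd="podman run -it --name openvas -v openvasdata:/data -p 8082:9392"
    cmd="$cmd --cap-add NET_ADMIN --cap-add NET_RAW"
    if [ "$skipsync" = "true" ]; then
        cmd="$cmd -e SKIPSYNC=true"
    fi
    echo "$cmd immauss/openvas"
}

# Stand-alone use: classify the captured sample and print what to try next.
# In practice, feed the function with the output of `podman logs openvas`.
main() {
    verdict=$(classify_sync_log "$SAMPLE_SYNC_LOG")
    echo "feed sync verdict: $verdict"
    case "$verdict" in
        connectivity)
            echo "Container cannot reach feed.community.greenbone.net."
            echo "Check that outbound rsync (873/tcp) works from the host and from"
            echo "inside the container's network namespace; meanwhile start without feeds:"
            podman_run_cmd true ;;
        rsync-error)
            echo "Feed host reachable but sync failed; inspect the rsync message, then retry:"
            podman_run_cmd false ;;
        ok)
            podman_run_cmd false ;;
    esac
}

main
```

Running the script on the sample prints a "connectivity" verdict and the SKIPSYNC command line; once feeds sync cleanly it prints the same command without SKIPSYNC. The capability flags only address the root-like network access the scanner needs; they do not by themselves make a rootless podman setup work, which is the open question in this thread.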

immauss commented 1 year ago

I did a few tests with podman, and it seemed to work just fine. Though not rootless.

immauss commented 1 year ago

If you are still having problems with podman, please open a new issue.

Thanks, Scott