immauss / openvas

Containers for running the Greenbone Vulnerability Manager. Run as a single container with all services or separate single applications containers via docker-compose.
GNU Affero General Public License v3.0

Image no longer works without internet access #173

Closed gaby closed 1 year ago

gaby commented 1 year ago

Recently I tried updating to the latest image on a fresh install. The environment where I have this container doesn't have access to the internet. The following code makes deploying a new container impossible:

```bash
# Runs at container start; the curl below needs internet access
if ! [ -f /tmp/GBCommunitySigningKey.asc ]; then
    echo " Get the Greenbone public Key"
    curl -f -L https://www.greenbone.net/GBCommunitySigningKey.asc -o /tmp/GBCommunitySigningKey.asc
    echo "8AE4BE429B60A59B311C2E739823FAA60ED1E580:6:" > /tmp/ownertrust.txt
    echo "Setup environment"
    mkdir -m 0600 -p $GNUPGHOME $OPENVAS_GNUPG_HOME
    echo "Import the key "
    gpg --import /tmp/GBCommunitySigningKey.asc
    gpg --import-ownertrust < /tmp/ownertrust.txt
    echo "Setup key for openvas .."
    cp -r /tmp/openvas-gnupg/* $OPENVAS_GNUPG_HOME/
    chown -R gvm:gvm $OPENVAS_GNUPG_HOME
fi
```

Stuff like this should be avoided during a docker run; it should be baked into the image.
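As an added example (not part of this thread and not the image's own start script), here is what the runtime side of that snippet looks like once the download is moved to the build stage: the script assumes the `.asc` was copied into the image at `BAKED_KEY` (an assumed path) during `docker build`, never calls curl, skips cleanly when no key is present, and refuses to import a key whose fingerprint differs from the pinned value quoted in the ownertrust line above.

```bash
# Added example: offline-safe Greenbone key setup. Assumes the key file was
# fetched at image build time and copied to BAKED_KEY (assumed path); the
# fingerprint is the one from the ownertrust line in the original snippet.
set -eu

GB_FPR="8AE4BE429B60A59B311C2E739823FAA60ED1E580"
BAKED_KEY="${BAKED_KEY:-/usr/local/share/gvm/GBCommunitySigningKey.asc}"  # assumed path

# Where the key will come from: "gnupghome" if already imported, "baked" if the
# image carries the .asc, "none" otherwise. No network fallback in any branch.
gb_key_source() {
    local gnupghome="$1" baked="$2"
    if [ -f "$gnupghome/pubring.kbx" ] || [ -f "$gnupghome/pubring.gpg" ]; then
        echo gnupghome
    elif [ -f "$baked" ]; then
        echo baked
    else
        echo none
    fi
}

# Compare a fingerprint (any case, spaces allowed) against the pinned one.
gb_fpr_matches() {
    local fpr
    fpr="$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')"
    [ "$fpr" = "$GB_FPR" ]
}

# Pull the primary-key fingerprint out of `gpg --with-colons` output (field 10 of
# the first "fpr" record); reads all input so the writer never gets SIGPIPE.
gb_fpr_from_colons() {
    awk -F: '$1 == "fpr" && !done { print $10; done = 1 }'
}

# Import the baked-in key only if its fingerprint is the expected one, then set
# ownertrust exactly as the original snippet did.
import_gb_key() {
    local gnupghome="$1" baked="$2" fpr
    case "$(gb_key_source "$gnupghome" "$baked")" in
        gnupghome) echo "Greenbone key already present in $gnupghome"; return 0 ;;
        none) echo "No baked-in Greenbone key; skipping feed-signature setup"; return 0 ;;
    esac
    mkdir -m 0700 -p "$gnupghome"
    fpr="$(gpg --homedir "$gnupghome" --with-colons --import-options show-only \
               --import "$baked" | gb_fpr_from_colons)"
    gb_fpr_matches "$fpr" || { echo "Unexpected key fingerprint: $fpr" >&2; return 1; }
    gpg --homedir "$gnupghome" --import "$baked"
    printf '%s:6:\n' "$GB_FPR" | gpg --homedir "$gnupghome" --import-ownertrust
}
```

Call `import_gb_key "$GNUPGHOME" "$BAKED_KEY"` from the start script; an air-gapped container then reaches the `none` or `gnupghome` branch without ever needing greenbone.net.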

immauss commented 1 year ago

gaby, that has been there for quite a while; have you used it before in an isolated environment?

Regardless... I'll work on moving this bit into the build process.

The only thing that key is used for (that I'm aware of) is validating the downloads from GB, so in an isolated environment, it should not be needed. You could safely comment this out on the container in your isolated environment.

Thanks. This is a good find!

-Scott

gaby commented 1 year ago

I have been using this image since early last year; we started using a different tool for a while and now wanted to go back to Greenbone. That's when I ran into this issue.

Thanks!

immauss commented 1 year ago

Give this one a try.

immauss/openvas:gaby

I moved the gpg-key pull to the build process. The only issue was that the gvm user did not yet exist, so I had to move the chown to fs-setup.sh, but this should work fine for you in an isolated env and connected. I'm doing my testing with a connected version; as long as things work fine for you, I'll push this to latest.

Thanks, Scott

gaby commented 1 year ago

@immauss Tested locally and it worked using the gaby tag!

cmd:

```bash
docker run --publish 8080:9392 -e SKIPSYNC=true -e PASSWORD="TestPassword" --name openvas immauss/openvas:gaby
```

Results: (screenshot attached in the original comment)

immauss commented 1 year ago

Outstanding! I'm moving this into latest now.

Thanks!

gaby commented 1 year ago

Thank you!