NVT Sync error on startup, container doesn't start

[cybermcm]

Using latest version (as of today 2020-10-31) with compose

openvas:
  container_name: openvas
  environment:
   - PASSWORD=xxx
   - RELAYHOST=xxx.com
  #hostname: openvas.${hostname}
  image: immauss/openvas
  labels:
   - com.centurylinklabs.watchtower.enable=true
  ports:
   - 8083:9392
  restart: always
  volumes:
   - /etc/timezone:/etc/timezone:ro
   - /etc/localtime:/etc/localtime:ro
   - /opt/docker/openvas:/data

container restarts with error message from the logs:

Setup / Fix the /usr/local/var/run
10:C 31 Oct 12:16:16.494 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
10:C 31 Oct 12:16:16.494 # Redis version=4.0.9, bits=64, commit=00000000, modified=0, pid=10, just started
10:C 31 Oct 12:16:16.494 # Configuration loaded
Wait for redis socket to be created...
Testing redis status...
Redis ready.
Starting PostgreSQL...
Removed stale pid file.
Fixing sync script options ...
Updating NVTs...
<28>Oct 31 12:16:19 greenbone-nvt-sync: The log facility is not working as expected. All messages will be written to the standard error stream.
<28>Oct 31 12:16:19 greenbone-nvt-sync: Another process related to the feed update is already running.

any ideas?

[andreas5232]

Same problem here. Maybe you want to remove/comment your restart-policy, to debug it further. As soon as I removed the restart unless-stopped from my docker-compose file, I saw the following errors:

openvas    | Updating NVTs...
openvas    | <28>Dec  9 08:18:51 greenbone-nvt-sync: The log facility is not working as expected. All messages will be written to the standard error stream.
openvas    | <29>Dec  9 08:18:51 greenbone-nvt-sync: No Greenbone Security Feed access key found, falling back to Greenbone Community Feed
openvas    | <29>Dec  9 08:18:51 greenbone-nvt-sync: Configured NVT rsync feed: rsync://feed.community.greenbone.net:/nvt-feed
openvas    | rsync: failed to connect to feed.community.greenbone.net (45.135.106.142): Connection refused (111)
openvas    | rsync: failed to connect to feed.community.greenbone.net (2a0e:6b40:20:106:20c:29ff:fe67:cbb5): Cannot assign requested address (99)
openvas    | rsync error: error in socket IO (code 10) at clientserver.c(125) [Receiver=3.1.2]
openvas    | <27>Dec  9 08:18:51 greenbone-nvt-sync: rsync failed.
openvas exited with code 1

So either the NVT sync server is not available at all or there is a firewall in between which breaks the connection.

[andreas5232]

I just found a hint for this Problem:

You have a NAT/Firewall issue if you get a RST and you can start one connection. 
So please deactivate this and try again. We only allow one TCP-Session per src ip to your feed server, 
if some network element (GGN, NAT, Firewall …) keeps that session open, you are not able to start a new one.

See: https://community.greenbone.net/t/sync-issues-with-version-20-not-a-firewall-not-equipment-issue-seems-has-been-weeks-with-no-updates/6811/8 Or: https://community.greenbone.net/t/feed-sync-via-rsync-aborts/5651/8

Unfortunately I don't know yet, how to correctly solve or workaround this.

[felimwhiteley]

I've fixed this (routers I don't have control of at a few sites) by adding in a sleep 180 into

greenbone-certdata-sync greenbone-nvt-sync greenbone-scapdata-sync start.sh

In the lines preceeding any rsyncs. It's ugly but it works, 180 seconds seemed to be enough for the connection to fully close, takes it a bit longer but that's fine. A thought might be to make this a boot variable defaulting to 3? Hopefully this very rough script gives you an idea...

Scripts-WT.zip

[immauss]

20.08 is not seeing this. Though I did add a 5 sec sleep in between each sync on start. Please let me know if you see this with the 20.08 image. I should have it posted within the next 24 hours. I'll leave this open.

[immauss]

20.08.03 is up now and I think you shouldn't see anything like this now. Please let me know if you do.