immauss / openvas

Containers for running the Greenbone Vulnerability Manager. Run as a single container with all services or separate single applications containers via docker-compose.
GNU Affero General Public License v3.0
366 stars 102 forks

gvmd failed to start with traefik #184

Open Zapfmeister opened 1 year ago

Zapfmeister commented 1 year ago

Multi-container with version 22.4.11. Getting this error even after docker-compose down -v. Any hints?

```
ovas_gvmd        | Choosing container start method from:
ovas_gvmd        | gvmd
ovas_gvmd        | Starting Greenbone Vulnerability Manager daemon !!
ovas_gvmd        | LOADDEFAULT is true
ovas_gvmd        | Checking for existing DB
ovas_gvmd        |  gvmd      | gvm      | UTF8     | C.UTF-8 | C.UTF-8 |
ovas_gvmd        |  postgres  | postgres | UTF8     | C.UTF-8 | C.UTF-8 |
ovas_gvmd        |  template0 | postgres | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
ovas_gvmd        |            |          |          |         |         | postgres=CTc/postgres
ovas_gvmd        |  template1 | postgres | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
ovas_gvmd        |            |          |          |         |         | postgres=CTc/postgres
ovas_gvmd        |
ovas_gvmd        | There seems to be an existing gvmd database.
ovas_gvmd        | Failing out to prevent database deletion.
ovas_gvmd        | DB is gvmd
ovas_gvmd exited with code 0
```
Zapfmeister commented 1 year ago

Latest entries before the above:

```
ovas_gvmd        | scan-configs/policy_euleros_20200909_0362e8f6-d7cc-4a12-8768-5f2406713860.xml
        590,302 100%    9.88MB/s    0:00:00 (xfr#24, to-chk=2/30)
ovas_gvmd        | scan-configs/policy_gaussdb_20200909_61327f09-8a54-4854-9e1c-16798285fb28.xml
        572,606 100%    9.26MB/s    0:00:00 (xfr#25, to-chk=1/30)
ovas_gvmd        | scan-configs/system-discovery-bbca7412-a950-11e3-9109-406186ea4fc5.xml
          5,191 100%   84.49kB/s    0:00:00 (xfr#26, to-chk=0/30)
ovas_gvmd        |
ovas_gvmd        | sent 34,611 bytes  received 2,653 bytes  74,528.00 bytes/sec
ovas_gvmd        | total size is 4,276,511  speedup is 114.76
ovas_gvmd        | Starting Greenbone Vulnerability Manager...
ovas_gvmd        | Waiting for gvmd
ovas_postgresql  | 2023-04-22 10:37:24.605 UTC [349] gvm@gvmd WARNING:  there is already a transaction in progress
ovas_gvmd        | Waiting for gvmd
ovas_postgresql  | 2023-04-22 10:37:25.614 UTC [349] gvm@gvmd WARNING:  there is no transaction in progress
ovas_gvmd        | Waiting for gvmd
ovas_gvmd        | Waiting for gvmd
ovas_gvmd        | Waiting for gvmd
ovas_gvmd        | Waiting for gvmd
ovas_gvmd        | Waiting for gvmd
ovas_gvmd        | Waiting for gvmd
ovas_gvmd        | admin
ovas_gvmd        | Time to fixup the gvm accounts.
ovas_gvmd        | Creating new user myadmin with supplied password.
ovas_gvmd        | If no password supplied on startup, then the default password is admin
ovas_gvmd        |  ...... Don't do that .....
ovas_gvmd        | Creating Greenbone Vulnerability Manager admin user as myadmin
ovas_gvmd        | User created.
ovas_gvmd        | admin user created
ovas_gvmd        | admin user UUID is cc704527-9e7f-4900-a801-434223ce821e
ovas_gvmd        | Granting admin access to defaults
ovas_gvmd        | User deleted.
ovas_gvmd        | Setting Report Lines to 1000
ovas_gvmd        | Starting Postfix for report delivery by email
ovas_gvmd        | Starting Postfix Mail Transport Agent: postfix.
ovas_gvmd        | md   main:MESSAGE:2023-04-22 10h37.41 utc:455:    Greenbone Vulnerability Manager version 22.4.2 (DB revision 250)
ovas_gvmd        | md manage:   INFO:2023-04-22 10h37.41 utc:455:    Modifying setting.
ovas_gvmd        | md   main:MESSAGE:2023-04-22 10h37.44 utc:458:    Greenbone Vulnerability Manager version 22.4.2 (DB revision 250)
ovas_gvmd        | md manage:   INFO:2023-04-22 10h37.44 utc:458:    Deleting user.
ovas_gvmd        | md   main:MESSAGE:2023-04-22 10h37.46 utc:463:    Greenbone Vulnerability Manager version 22.4.2 (DB revision 250)
ovas_gvmd        | md manage:   INFO:2023-04-22 10h37.46 utc:463:    Modifying setting.
ovas_gvmd        | md manage:   INFO:2023-04-22 10h37.47 UTC:443: Updating DFN-CERT CVSS max succeeded.
ovas_gvmd        | md manage:   INFO:2023-04-22 10h37.47 UTC:443: Updating Max CVSS for CERT-Bund
ovas_gvmd        | md manage:   INFO:2023-04-22 10h37.51 UTC:443: Updating CERT-Bund CVSS max succeeded.
ovas_gvmd        | md manage:   INFO:2023-04-22 10h37.51 UTC:443: sync_cert: Updating CERT info succeeded.
ovas_gvmd        | md   main:MESSAGE:2023-04-22 10h37.53 utc:850:    Greenbone Vulnerability Manager version 22.4.2 (DB revision 250)
ovas_gvmd        | md   main:WARNING:2023-04-22 10h37.53 utc:850: gvmd: Main process is already running
ovas_gvmd exited with code 1
ovas_postgresql  | 2023-04-22 10:37:55.912 UTC [370] gvm@gvmd WARNING:  there is already a transaction in progress
ovas_postgresql  | 2023-04-22 10:37:56.594 UTC [370] gvm@gvmd WARNING:  there is no transaction in progress
```

After that I get the above error over and over again.

immauss commented 1 year ago

It looks like you have set:

LOADDEFAULT=true

Set this to zero or false, and you should be fine. This option forces the rebuilding of the database and would destroy anything in the current database. That's why there is protection in place to prevent starting with this option if there is an existing database.

You could also specify a different location/volume for your data, and it would generate a new database. This does take significantly longer than using the existing DB in the container.

I hope that helps.

-Scott
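The rule Scott describes (LOADDEFAULT=true forces a database rebuild, so the container refuses to start rather than delete an existing gvmd DB) is easy to trip over after a `docker-compose down -v` that did not remove the data volume. The pre-flight check below is an added example, not part of the immauss/openvas project: it parses a compose `environment:` list and a `docker volume ls` listing (both constructed inline) and warns before the stack is started. It assumes only what the thread states about LOADDEFAULT, NEWDB, HTTPS and PUBLIC_HOSTNAME; the data volume name and listing are placeholders.

```python
"""Pre-flight check for an immauss/openvas compose service (added example, not project code).

Encodes the rule from the thread: LOADDEFAULT=true rebuilds the gvmd database, so the
container exits ("Failing out to prevent database deletion") when an existing DB is found.
Inputs are a compose 'environment:' list and a 'docker volume ls' listing, constructed here.
"""

TRUTHY = {"true", "1", "yes"}


def parse_env_list(env_lines):
    """Turn compose-style entries such as '- "HTTPS=false"  # comment' into a dict."""
    env = {}
    for raw in env_lines:
        item = raw.strip()
        if item.startswith("-"):
            item = item[1:].strip()
        if item[:1] in ('"', "'"):
            # Quoted value: keep everything up to the closing quote; a comment may follow it.
            quote = item[0]
            end = item.find(quote, 1)
            item = item[1:end] if end > 0 else item[1:]
        else:
            # Unquoted value: a trailing '#' starts a comment.
            item = item.split("#", 1)[0].strip()
        key, sep, value = item.partition("=")
        if sep:
            env[key.strip()] = value.strip()
    return env


def parse_volume_listing(listing):
    """Extract volume names from plain 'docker volume ls' output (DRIVER, VOLUME NAME columns)."""
    names = set()
    for line in listing.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) >= 2:
            names.add(parts[1])
    return names


def is_true(env, key):
    return env.get(key, "false").strip().lower() in TRUTHY


def preflight(env, data_volume, existing_volumes):
    """Warnings about settings that make gvmd refuse to start or put existing data at risk."""
    warnings = []
    volume_exists = data_volume in existing_volumes
    if is_true(env, "LOADDEFAULT") and volume_exists:
        warnings.append(
            f"LOADDEFAULT=true with existing volume '{data_volume}': the container detects "
            "the existing gvmd DB and exits rather than delete it; set it to false"
        )
    if is_true(env, "NEWDB") and volume_exists:
        warnings.append(
            f"NEWDB=true with existing volume '{data_volume}': this option is meant only "
            "for creating a blank DB; check that it is really wanted"
        )
    return warnings


def proxy_hints(env):
    """Hints for the reverse-proxy setup in this thread (TLS terminated at Traefik)."""
    hints = []
    if env.get("HTTPS", "").lower() == "false" and not env.get("PUBLIC_HOSTNAME"):
        hints.append(
            "HTTPS=false without PUBLIC_HOSTNAME: the working Traefik configs in this "
            "thread set PUBLIC_HOSTNAME to the external host name"
        )
    return hints


if __name__ == "__main__":
    # Constructed compose snippet and volume listing, modelled on the ones in the thread.
    compose_env = [
        '- "LOADDEFAULT=true"',
        '- "HTTPS=false"  # whether to use HTTPS or not',
        "- 'SKIPSYNC=true' # Skips the feed sync on startup.",
    ]
    volumes = parse_volume_listing("DRIVER    VOLUME NAME\nlocal     openvas\nlocal     traefik_certs\n")
    env = parse_env_list(compose_env)
    for msg in preflight(env, "openvas", volumes) + proxy_hints(env):
        print("WARNING:", msg)
```

Run it against the real compose file's environment block and the output of `docker volume ls` before `docker-compose up`; an empty result means none of the thread's known start-blockers apply.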

Zapfmeister commented 1 year ago

@immauss thanks for your fast response. In which container / config is this supposed to be set? I wasn't able to find it in mine. But I actually just figured out that the error appears when setting:

SKIPSYNC=false

Unfortunately I seem to still have an issue when logging into the web interface: the container gives me an authentication success, but I get back to the login page, and the developer tools state the error:

openvas

Do you have an idea what the issue might be? Do I need to tell openvas its external address or allow proxy usage? Or do you think it's an issue with traefik?

I use the following settings for traefik with openvas:

```yaml
  gsad:
    container_name: ovas_gsad
    image: immauss/openvas:${TAG}
    command: gsad
    depends_on:
      - "gvmd"
    environment:
      - "HTTPS=false"  # whether to use HTTPS or not
#    ports:
#      - "8080:9392"
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.${TRAEFIKHOSTNAME}.rule=Host(`${TRAEFIKHOSTNAME}.${DOMAIN}`)"
      - "traefik.http.routers.${TRAEFIKHOSTNAME}.entrypoints=web-secure"
      - "traefik.http.routers.${TRAEFIKHOSTNAME}.tls=true"
      - "traefik.http.routers.${TRAEFIKHOSTNAME}.tls.certresolver=le"
      - "traefik.http.routers.${TRAEFIKHOSTNAME}.tls.domains[0].main=${TRAEFIKHOSTNAME}.${DOMAIN}"
      - 'traefik.http.routers.${TRAEFIKHOSTNAME}.middlewares=authelia@docker'
      - "traefik.http.services.${TRAEFIKHOSTNAME}.loadbalancer.server.port=9392" # Specify port
```
immauss commented 1 year ago

I'm not familiar with Traefik, so I'm not sure where to look. Is it a container platform?

Zapfmeister commented 1 year ago

Yes, it's a reverse proxy (https://doc.traefik.io/traefik/). The nice thing is that you don't need to touch the proxy itself when onboarding applications; you just add the labels and the proxy does the rest.

immauss commented 1 year ago

Can you provide the contents of your docker-compose.yaml? I think that will give me an idea or two.

Thanks, Scott

aam-git commented 1 year ago

I'm having the same problem. My current hunch is that it's because traefik needs HTTPS to be false, but that means the cookie gets set with secure = false.

I also notice there is a 401 error: /gmp?token=......&cmd=get_capabilities

Authentication required: handler_send_reauthentication:476 (GSA 22.04.1) Cookie missing or bad. Please login again.

But no error in the console.
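The hunch above (HTTPS=false behind a TLS-terminating proxy, so the cookie is set for a plain-http origin) and the "Cookie missing or bad" 401 can both be examined from the Set-Cookie headers in the browser's Network tab. The audit below is an added example and not gsad's or the project's code: it parses Set-Cookie values, flags missing Secure/HttpOnly/SameSite attributes, reports the https-to-http scheme mismatch once per response, and applies one general browser rule that yields exactly a "cookie missing" symptom, namely that a cookie whose Domain attribute does not cover the host the browser is using is discarded. The cookie name, hosts and headers are constructed placeholders; nothing here claims to be the confirmed root cause.

```python
"""Audit Set-Cookie headers copied from the browser's developer tools.

Added example, not gsad's or the immauss/openvas project's code. It checks the cookie
attributes a proxied login depends on and the scheme the backend saw (HTTPS=false means
http). Cookie names, hosts and captured headers are constructed for the demonstration.
"""


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value-or-True})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def domain_covers(domain_attr, host):
    """RFC 6265 domain matching: the host equals the domain or is a subdomain of it."""
    domain = domain_attr.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def audit_cookie(header, public_host):
    """Findings for one Set-Cookie header, judged against the host the browser is using."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure attribute, so it may also be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly attribute, readable from page scripts")
    if "samesite" not in attrs:
        findings.append(f"{name}: no SameSite attribute, browser default applies")
    domain = attrs.get("domain")
    if isinstance(domain, str) and domain and not domain_covers(domain, public_host):
        findings.append(
            f"{name}: Domain={domain} does not cover {public_host}; the browser discards "
            "this cookie and the next request arrives without it"
        )
    return findings


def audit_headers(headers, public_host, browser_scheme="https", backend_scheme="https"):
    """Audit every Set-Cookie header of a captured response; the scheme check is reported once."""
    findings = []
    for header in headers:
        findings.extend(audit_cookie(header, public_host))
    if browser_scheme == "https" and backend_scheme == "http":
        findings.append(
            "scheme mismatch: the browser used https but the backend saw http (HTTPS=false), "
            "so any scheme-dependent cookie or redirect logic runs for an http origin"
        )
    return findings


if __name__ == "__main__":
    # Constructed headers, as copied from the login response in the devtools Network tab.
    captured = [
        "session_token=abc123; Path=/; HttpOnly",
        "session_token=abc123; Path=/; Secure; HttpOnly; SameSite=Strict; Domain=ovas_gsad.internal",
    ]
    for finding in audit_headers(captured, "sub.domain.com", browser_scheme="https", backend_scheme="http"):
        print("-", finding)
```

Paste the real Set-Cookie lines from the login response and the external host name; a Domain finding or a discarded cookie explains a "Cookie missing or bad" 401 directly, whereas the attribute findings are hardening points rather than a login failure by themselves.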

aam-git commented 1 year ago

> Can you provide the contents of your docker-compose.yaml? I think that will give me an idea or two.
>
> Thanks, Scott

This is mine, with the same issue:

```yaml
version: '3'

services:

  openvas:
    restart: always
    image: immauss/openvas
    volumes:
      - openvas:/data
    environment:
      - "USERNAME=..."
      - "PASSWORD=..."
      - "HTTPS=false"
      - "SKIPSYNC=true"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.openvas-http.rule=Host(`...`)"
      - "traefik.http.routers.openvas-http.entrypoints=web"
      - "traefik.http.middlewares.redirectscheme.redirectscheme.scheme=https"
      - "traefik.http.middlewares.redirectscheme.redirectscheme.permanent=true"
      - "traefik.http.routers.openvas-http.middlewares=redirectscheme@docker"
      - "traefik.http.routers.openvas.rule=Host(`...`)"
      - "traefik.http.routers.openvas.entrypoints=websecure"
      - "traefik.http.routers.openvas.tls.certresolver=myhttpchallenge"
      - "traefik.http.services.openvas.loadbalancer.server.port=9392"
    networks:
      - traefik

volumes:
  openvas:
    driver: local

networks:
  traefik:
    name: traefik
    external: true
```

Zapfmeister commented 1 year ago

I just figured out that in my case the issue seems to be the combination of Traefik and Cloudflare Proxy. When I disable the cloudflare proxy for the URL it works fine. With it, it tells me it's unauthorized, although the authentication succeeded before. Still not sure what exactly is wrong or missing, as with other containers it works fine.

```yaml
version: "3"

networks:
  default:
    name: proxy
    external: true

services:
  openvas:
#    ports:
#      - "8081:9392"
    environment:
      - "PASSWORD=${PASSWORD}"
      - "USERNAME=${USER}"
#      - "RELAYHOST=172.17.0.1"
      - "SMTPPORT=25"
      - "REDISDBS=512" # number of Redis DBs to use
      - "QUIET=false"  # dump feed sync noise to /dev/null
      - "NEWDB=false"  # only use this for creating a blank DB
      - "SKIPSYNC=true" # Skips the feed sync on startup.
      - "RESTORE=false"  # This should probably not be used from compose... see docs.
      - "DEBUG=false"  # This will cause the container to stop and not actually start gvmd
      - "HTTPS=false"  # whether to use HTTPS or not
      - "PUBLIC_HOSTNAME=${PUBLIC_HOSTNAME}"
    volumes:
      - "openvas:/data"
    container_name: openvas
    image: immauss/openvas:$TAG
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.${TRAEFIKHOSTNAME}.rule=Host(`${TRAEFIKHOSTNAME}.${DOMAIN}`)"
      - "traefik.http.routers.${TRAEFIKHOSTNAME}.entrypoints=web-secure"
      - "traefik.http.routers.${TRAEFIKHOSTNAME}.tls=true"
      - "traefik.http.routers.${TRAEFIKHOSTNAME}.tls.certresolver=le"
      - "traefik.http.routers.${TRAEFIKHOSTNAME}.tls.domains[0].main=${TRAEFIKHOSTNAME}.${DOMAIN}"
      - 'traefik.http.routers.${TRAEFIKHOSTNAME}.middlewares=authelia@docker'
      - "traefik.http.services.${TRAEFIKHOSTNAME}.loadbalancer.server.port=9392" # Specify port

volumes:
  openvas:
```

envs:

```
TAG="latest"
TRAEFIKHOSTNAME=sub
DOMAIN=domain.com
USER=myuser
PASSWORD="21p312ß3" (not the real pw)
PUBLIC_HOSTNAME="sub.domain.com"
```

immauss commented 1 year ago

@Zapfmeister Thanks for the follow up. @aam-git Does this help you any?

aam-git commented 1 year ago

Yes, but I got mine working WITH cloudflare :)

```yaml
version: '3'

services:

  openvas:
    restart: always
    image: immauss/openvas
    volumes:
      - ovas:/data
    environment:
      - "PASSWORD=${PASSWORD}"
      - "USERNAME=${USER}"
      - "HTTPS=false"
      - "PUBLIC_HOSTNAME=${PUBLIC_HOSTNAME}"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.${TRAEFIKHOSTNAME}.rule=Host(`${PUBLIC_HOSTNAME}`)"
      - "traefik.http.routers.${TRAEFIKHOSTNAME}.entrypoints=websecure"
      - "traefik.http.routers.${TRAEFIKHOSTNAME}.tls.certresolver=myhttpchallenge"
      - "traefik.http.services.${TRAEFIKHOSTNAME}.loadbalancer.server.port=9392"
    networks:
      - traefik_internal

volumes:
  ovas:
    driver: local

networks:
  traefik_internal:
    name: traefik_internal
    external: true
```

Thank you both and great work @immauss

immauss commented 1 year ago

Awesome! Would either (or both) of you be willing to write a guide or some tips on using Traefik with the container? I don't have any XP with it, and won't have the cycles to spend on it for a while.

Thanks, Scott

aam-git commented 1 year ago

I'm having restart issues now: I have to wipe the data folder or it won't restart, otherwise it gets stuck in a loop. So once I've solved that I can give it a try, but the docker compose files both of us pasted pretty much cover everything apart from installing traefik :)

Zapfmeister commented 1 year ago

@aam-git did you add any settings in regards to cloudflare, or change something in cloudflare to make it work? Your config seems to be missing a " at the end here: - "PUBLIC_HOSTNAME=${PUBLIC_HOSTNAME}. Is that correct?

@immauss sure, I can write something about what we understood the issue to be ;-)

aam-git commented 1 year ago

> @aam-git did you add any settings in regards to cloudflare, or change something in cloudflare to make it work? Your config seems to be missing a " at the end here: - "PUBLIC_HOSTNAME=${PUBLIC_HOSTNAME}. Is that correct?
>
> @immauss sure, I can write something about what we understood the issue to be ;-)

The " was just missing from the copy and paste, sorry; on my server it is correct.

To make scanning actually work, I also removed the items below, otherwise I was getting stuck at 0%. But I've now successfully scanned 12 different IPs, and rescanned after a couple of mitigations.

```yaml
      - "REDISDBS=512" # number of Redis DBs to use
      - "QUIET=false"  # dump feed sync noise to /dev/null
      - "NEWDB=false"  # only use this for creating a blank DB
      - "SKIPSYNC=true" # Skips the feed sync on startup.
      - "RESTORE=false"  # This should probably not be used from compose... see docs.
      - "DEBUG=false"  # This will cause the container to stop and not actually start gvmd
```

Nothing else was changed on the docker/traefik side; however, I set the SSL/TLS > Overview setting to "Full", not Strict.

Edit: I've updated the post with my working config above.

Zapfmeister commented 1 year ago

@aam-git SSL/TLS > Overview setting to "Full" not strict -> where did you do that? In cloudflare or traefik?

aam-git commented 1 year ago

> @aam-git SSL/TLS > Overview setting to "Full" not strict -> where did you do that? In cloudflare or traefik?

Cloudflare. By default it's set to Flexible, which traefik doesn't like.