immauss / openvas

Containers for running the Greenbone Vulnerability Manager. Run as a single container with all services or separate single applications containers via docker-compose.
GNU Affero General Public License v3.0
337 stars 97 forks

[BUG] Multiple GVMD_ARGS #247

Closed mgoeppl closed 4 months ago

mgoeppl commented 4 months ago

The GVMD_ARGS option does not allow for multiple arguments.

Steps to reproduce the behavior: Container started via docker-compose.yml and stopped on start.

Environment:

immauss commented 4 months ago

Ugh... easy fix. The start-up script (single.sh) needs to have the value quoted. I've fixed this in the latest beta, which you can find with the beta tag. HOWEVER... there are some other changes with the current beta you will need to be aware of before trying it out.

You'll need to add these to your docker-compose.yml:

    cap_add:
      - NET_ADMIN # for capturing packets in promiscuous mode
      - NET_RAW # for raw sockets, e.g. used for the boreas alive detection

You may also need to add:

    security_opt:
      - seccomp:unconfined

cap_add & security_opt should be inline with the other options after the named server in the docker compose. Here's a full example:

Also note the syntax for the GVMD_ARGS in the Environment section.

version: "3"
services:
  openvas:
    security_opt:
      - seccomp:openvas.json
    ports:
      - "8080:9392"
    environment:
      - "PASSWORD=admin"
      - "USERNAME=admin"
      - "RELAYHOST=172.17.0.1"
      - "SMTPPORT=25"
      - "REDISDBS=512" # number of Redis DBs to use
      - "QUIET=false"  # dump feed sync noise to /dev/null
      - "NEWDB=false"  # only use this for creating a blank DB
      - "SKIPSYNC=true" # skips the feed sync on startup
      - "RESTORE=false"  # this should probably not be used from compose... see docs
      - "DEBUG=false"  # this will cause the container to stop and not actually start gvmd
      - "HTTPS=false"  # whether to use HTTPS or not
      - GVMD_ARGS="--max-ips-per-target=65534 --schedule-timeout=-1 --auth-timeout=1440"
    volumes:
      - "openvas:/data"
    cap_add:
      - NET_ADMIN # for capturing packets in promiscuous mode
      - NET_RAW # for raw sockets, e.g. used for the boreas alive detection
    container_name: openvas
    image: immauss/openvas:beta
  scannable:
    container_name: scannable
    image: immauss/scannable
volumes:
  openvas:

These changes are to ensure all tests run by openvas can function properly. The seccomp unconfined bit though is something I'm trying to find a better solution for, but may be needed in the time being. It seems to be implementation specific, and I've not been able to reproduce the problem locally. (see #241 & #242 for more detail)

-Scott
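The quoting problem above comes down to how a start-up script turns one environment variable into several command-line arguments. The following POSIX sh script is an added example, not the project's single.sh: it takes a constructed GVMD_ARGS value in the compose syntax shown in the thread (where the literal double quotes end up inside the variable's value), strips that one pair of quotes (an assumed convention, not something the project documents), and contrasts passing the value as a single argument with word-splitting it into three. The functions `strip_quotes`, `count_as_one`, `count_split` and `nth_arg` are hypothetical names chosen for this example.

```sh
#!/bin/sh
# Added example, not the project's single.sh: how a POSIX start-up script can
# take several gvmd options from one environment variable and hand them to the
# command as separate arguments. The sample value is constructed to match the
# compose syntax in the thread, where the literal double quotes become part of
# the variable's value.
SAMPLE_GVMD_ARGS='"--max-ips-per-target=65534 --schedule-timeout=-1 --auth-timeout=1440"'

# Strip one pair of surrounding double quotes, if present (assumed convention).
strip_quotes() {
    v=$1
    v=${v#\"}
    v=${v%\"}
    printf '%s' "$v"
}

# Pass the value as ONE argument: the command would see a single, unknown option.
count_as_one() {
    set -- "$1"
    echo "$#"
}

# Word-split the value so each option becomes its own argument. Globbing is
# disabled first so a '*' or '?' inside a value cannot expand to file names;
# gvmd options themselves contain no spaces, so IFS splitting is safe here.
count_split() {
    set -f
    # shellcheck disable=SC2086
    set -- $1
    set +f
    echo "$#"
}

# Return the N-th option after splitting, to inspect the split result.
nth_arg() {
    n=$1
    shift
    set -f
    # shellcheck disable=SC2086
    set -- $1
    set +f
    eval "printf '%s' \"\$$n\""
}

# Demonstration: what the launched command would actually receive.
demo() {
    args=$(strip_quotes "$SAMPLE_GVMD_ARGS")
    echo "as one argument : $(count_as_one "$args")"
    echo "split           : $(count_split "$args")"
    echo "second option   : $(nth_arg 2 "$args")"
    # A real launch would then be:  set -f; set -- $args; set +f; exec gvmd "$@"
}

demo
```

The `set -f` / `set +f` pair around the unquoted expansion is the one thing worth copying: word splitting is what delivers multiple options, but without globbing disabled a stray wildcard in an environment variable would expand against the container's filesystem before reaching gvmd.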

immauss commented 4 months ago

This is resolved in the current latest and 22.4.40