immauss / openvas

Containers for running the Greenbone Vulnerability Manager. Run as a single container with all services, or as separate single-application containers via docker-compose.
GNU Affero General Public License v3.0
366 stars, 102 forks

Container disk space getting full #256

Closed shandshellin closed 7 months ago

shandshellin commented 8 months ago

Hello, I run a Docker Swarm and my nodes have limited space. Are there any additional folders I can map to a share for persistent data so it doesn't make the container image any larger? Feeds or the database itself mapped to a bound NFS?

immauss commented 8 months ago

Can you give me some more detail on your setup? I'm aware of Swarm, but have not used it. Are you planning to run multiple instances of the container and have them all share a single volume? (I don't think that will work.)

If it is just the size of the original container, you could feasibly use the "slim"-tagged version, but the downside would be that it would take considerably longer for the container to start the first time. After you establish an initial database, though, the startup would be faster and the heavy storage requirement would only be on the /data directory, which should be in a volume.

The original intent of the slim image is to make rebuilds for data updates faster, so I've not taken this use case into account. If this is something you are interested in, please let me know. There are a few ways to handle this, and we can work out which is best for you.

-Scott

immauss commented 8 months ago

Sorry ... should have said ... "I've NOT taken this use case into account"

-Scott

immauss commented 8 months ago

I had a little time today, and I think I worked out how to make sure starting the container with the "slim" tags would always work. I need to do a little testing with it to make sure though.

Thanks, -Scott

shandshellin commented 8 months ago

The image size is fine at first, but as soon as I run the sync scripts the image grows too big. Any way to store the feed data on a share or something so it stays the same size? I only plan to run one instance; Swarm just lets it move around as the need arises.

immauss commented 8 months ago

Yes. /data should be on a volume. This is the only directory that should grow, as it holds the Postgres database and all the logs.
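
An added check (example code, not from the immauss/openvas project) for telling the two situations in this thread apart: whether /data inside the container is really backed by a volume or bind mount, or whether the container's writable layer is what is growing. It assumes you can capture /proc/mounts from inside the container (for example with `docker exec <container> cat /proc/mounts`) and the SIZE column of `docker ps -s` on the node, and that Docker reports sizes in decimal units (kB, MB, GB). The mount tables and size strings below are constructed sample input, not output from the reporter's nodes.

```sh
#!/bin/sh
# Added example, not part of the immauss/openvas project.
# Two checks for "the container keeps growing" on a Swarm node:
#   1. mount_source PATH  (reads a /proc/mounts listing on stdin)
#      Prints "<source> <fstype>" for PATH, or returns 1 if PATH is not a
#      mount point, i.e. it lives in the container's writable layer.
#   2. writable_layer_bytes "SIZE"
#      Parses the SIZE column of `docker ps -s` ("4.2GB (virtual 9.3GB)"):
#      the first number is the writable layer, "virtual" adds the image.
#      Returns the writable-layer size in bytes so a threshold can apply.

mount_source() {
    # /proc/mounts fields: source target fstype options dump pass
    awk -v t="$1" '
        $2 == t { print $1, $3; found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# "4.2GB" -> 4200000000 (Docker uses decimal units, assumed here).
size_to_bytes() {
    awk -v s="$1" 'BEGIN {
        n = s; sub(/[A-Za-z]+$/, "", n)
        u = s; sub(/^[0-9.]+/, "", u)
        mult["B"] = 1; mult["kB"] = 1000; mult["MB"] = 1000^2
        mult["GB"] = 1000^3; mult["TB"] = 1000^4
        printf "%.0f\n", n * mult[u]
    }'
}

writable_layer_bytes() {
    # Keep only the first token, dropping " (virtual ...)".
    set -- $1
    size_to_bytes "$1"
}

# Exit 0 when the writable layer is above LIMIT_BYTES.
layer_exceeds() {
    [ "$(writable_layer_bytes "$1")" -gt "$2" ]
}

# Constructed sample input: a container whose /data is a real mount ...
MOUNTS_OK='overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/X:/var/lib/docker/overlay2/l/Y 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /data ext4 rw,relatime 0 0'

# ... and one where /data is only a directory in the overlay (the bad case).
MOUNTS_BAD='overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/X:/var/lib/docker/overlay2/l/Y 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

report() {
    mounts=$1; size=$2; limit=$3
    if src=$(printf '%s\n' "$mounts" | mount_source /data); then
        echo "/data is a mount point: $src"
    else
        echo "WARNING: /data is not mounted; feeds and the DB sit in the writable layer"
    fi
    if layer_exceeds "$size" "$limit"; then
        echo "WARNING: writable layer is $(writable_layer_bytes "$size") bytes (> $limit)"
    else
        echo "writable layer within limit"
    fi
}

report "$MOUNTS_OK"  "45.2MB (virtual 5.1GB)" 1000000000
report "$MOUNTS_BAD" "4.2GB (virtual 9.3GB)"  1000000000
```

If the second pattern shows up on a node (no mount on /data and a multi-gigabyte writable layer), the feed data and PostgreSQL files are being written into the container layer, which is exactly what fills a node's disk and what a named volume or bind mount on /data avoids.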

shandshellin commented 8 months ago

That's what I thought too, but after running the sync scripts etc. for the NVTs, the image size itself had grown to fill the node's drive. Is there any reason the image or container itself would grow? Should it be only the /data folder? What size is the original image?

shandshellin commented 8 months ago

So try immauss/openvas:slim? I'll add that this is an arm64 environment; is the slim image ARM-friendly?

shandshellin commented 8 months ago

latest-slim: trying this with a fresh folder, I'm getting this on first run. Thoughts?

```
openvas64.1.28wa22rncn8b@Cluster9 | Setting up container filesystem
openvas64.1.28wa22rncn8b@Cluster9 | cp: cannot stat '/usr/local/var/lib/': No such file or directory
openvas64.1.28wa22rncn8b@Cluster9 | chown: invalid user: 'gvm:gvm'
openvas64.1.28wa22rncn8b@Cluster9 | cp: cannot stat '/var/lib/gvm/': No such file or directory
openvas64.1.28wa22rncn8b@Cluster9 | cp: cannot stat '/var/lib/notus/': No such file or directory
openvas64.1.28wa22rncn8b@Cluster9 | cp: cannot stat '/var/lib/openvas/': No such file or directory
openvas64.1.28wa22rncn8b@Cluster9 | cp: cannot stat '/etc/gvm/': No such file or directory
openvas64.1.28wa22rncn8b@Cluster9 | cp: cannot stat '/usr/local/etc/openvas/': No such file or directory
openvas64.1.28wa22rncn8b@Cluster9 | Choosing container start method from:
openvas64.1.28wa22rncn8b@Cluster9 |
openvas64.1.28wa22rncn8b@Cluster9 | Starting gvmd & openvas in a single container !!
openvas64.1.28wa22rncn8b@Cluster9 | Wait for redis socket to be created...
openvas64.1.28wa22rncn8b@Cluster9 | Testing redis status...
openvas64.1.28wa22rncn8b@Cluster9 | Redis ready.
openvas64.1.28wa22rncn8b@Cluster9 | Creating postgresql.conf and pg_hba.conf
openvas64.1.28wa22rncn8b@Cluster9 | Starting PostgreSQL...
openvas64.1.28wa22rncn8b@Cluster9 | waiting for server to start....2024-03-13 19:27:59.881 UTC [109] LOG:  redirecting log output to logging collector process
openvas64.1.28wa22rncn8b@Cluster9 | 2024-03-13 19:27:59.881 UTC [109] HINT:  Future log output will appear in directory "/data/var-log/postgresql".
openvas64.1.28wa22rncn8b@Cluster9 | done
openvas64.1.28wa22rncn8b@Cluster9 | server started
openvas64.1.28wa22rncn8b@Cluster9 | pg exit with 0 .
openvas64.1.28wa22rncn8b@Cluster9 | Checking for existing DB
openvas64.1.28wa22rncn8b@Cluster9 | Loading Default Database
openvas64.1.28wa22rncn8b@Cluster9 | Running first start configuration...
openvas64.1.28wa22rncn8b@Cluster9 | Generating certs...
openvas64.1.28wa22rncn8b@Cluster9 | Using /tmp/tmp.fE7LcxLsMg to temporarily store files.
openvas64.1.28wa22rncn8b@Cluster9 | Creating new certificate infrastructure in automatic mode.
openvas64.1.28wa22rncn8b@Cluster9 | Generating private key.
openvas64.1.28wa22rncn8b@Cluster9 | Generated private key in /tmp/tmp.fE7LcxLsMg/cakey.pem.
openvas64.1.28wa22rncn8b@Cluster9 | Generating certificate.
openvas64.1.28wa22rncn8b@Cluster9 | Generating self signed certificate.
openvas64.1.28wa22rncn8b@Cluster9 | Generated self signed certificate in /tmp/tmp.fE7LcxLsMg/cacert.pem.
openvas64.1.28wa22rncn8b@Cluster9 | CA certificate generated.
openvas64.1.28wa22rncn8b@Cluster9 | Installing certificate and key.
openvas64.1.28wa22rncn8b@Cluster9 | Install destinations do not exist as directories, attempting to create them.
openvas64.1.28wa22rncn8b@Cluster9 | Setting up directories
openvas64.1.28wa22rncn8b@Cluster9 | Installed private key to /var/lib/gvm/private/CA/cakey.pem.
openvas64.1.28wa22rncn8b@Cluster9 | Installed certificate to /var/lib/gvm/CA/cacert.pem.
openvas64.1.28wa22rncn8b@Cluster9 | CA certificate and key installed.
openvas64.1.28wa22rncn8b@Cluster9 | Generating private key.
openvas64.1.28wa22rncn8b@Cluster9 | Generated private key in /tmp/tmp.fE7LcxLsMg/serverkey.pem.
openvas64.1.28wa22rncn8b@Cluster9 | Generating certificate.
openvas64.1.28wa22rncn8b@Cluster9 | Generating certificate request.
openvas64.1.28wa22rncn8b@Cluster9 | Generated certificate request in /tmp/tmp.fE7LcxLsMg/serverrequest.pem.
openvas64.1.28wa22rncn8b@Cluster9 | Signing certificate request.
openvas64.1.28wa22rncn8b@Cluster9 | Signed certificate request in /tmp/tmp.fE7LcxLsMg/serverrequest.pem with CA certificate in /var/lib/gvm/CA/cacert.pem to generate certificate in /tmp/tmp.fE7LcxLsMg/servercert.pem
openvas64.1.28wa22rncn8b@Cluster9 | Server certificate generated.
openvas64.1.28wa22rncn8b@Cluster9 | Installing certificate and key.
openvas64.1.28wa22rncn8b@Cluster9 | Installed private key to /var/lib/gvm/private/CA/serverkey.pem.
openvas64.1.28wa22rncn8b@Cluster9 | Installed certificate to /var/lib/gvm/CA/servercert.pem.
openvas64.1.28wa22rncn8b@Cluster9 | Server certificate and key installed.
openvas64.1.28wa22rncn8b@Cluster9 | Generating private key.
openvas64.1.28wa22rncn8b@Cluster9 | Generated private key in /tmp/tmp.fE7LcxLsMg/clientkey.pem.
openvas64.1.28wa22rncn8b@Cluster9 | Generating certificate.
openvas64.1.28wa22rncn8b@Cluster9 | Generating certificate request.
openvas64.1.28wa22rncn8b@Cluster9 | Generated certificate request in /tmp/tmp.fE7LcxLsMg/clientrequest.pem.
openvas64.1.28wa22rncn8b@Cluster9 | Signing certificate request.
openvas64.1.28wa22rncn8b@Cluster9 | Signed certificate request in /tmp/tmp.fE7LcxLsMg/clientrequest.pem with CA certificate in /var/lib/gvm/CA/cacert.pem to generate certificate in /tmp/tmp.fE7LcxLsMg/clientcert.pem
openvas64.1.28wa22rncn8b@Cluster9 | Client certificate generated.
openvas64.1.28wa22rncn8b@Cluster9 | Installing certificate and key.
openvas64.1.28wa22rncn8b@Cluster9 | Installed private key to /var/lib/gvm/private/CA/clientkey.pem.
openvas64.1.28wa22rncn8b@Cluster9 | Installed certificate to /var/lib/gvm/CA/clientcert.pem.
openvas64.1.28wa22rncn8b@Cluster9 | Client certificate and key installed.
openvas64.1.28wa22rncn8b@Cluster9 | Removing temporary directory /tmp/tmp.fE7LcxLsMg.
openvas64.1.28wa22rncn8b@Cluster9 | Looks like we need to create an empty databse.
openvas64.1.28wa22rncn8b@Cluster9 | NEWDB=true
openvas64.1.28wa22rncn8b@Cluster9 | LOADDEFAULT=true
openvas64.1.28wa22rncn8b@Cluster9 | Creating Greenbone Vulnerability Manager database
openvas64.1.28wa22rncn8b@Cluster9 | CREATE ROLE
openvas64.1.28wa22rncn8b@Cluster9 | GRANT ROLE
openvas64.1.28wa22rncn8b@Cluster9 | CREATE EXTENSION
openvas64.1.28wa22rncn8b@Cluster9 | CREATE EXTENSION
openvas64.1.28wa22rncn8b@Cluster9 | waiting for server to shut down.... done
openvas64.1.28wa22rncn8b@Cluster9 | server stopped
openvas64.1.28wa22rncn8b@Cluster9 | waiting for server to start....2024-03-13 19:28:42.435 UTC [222] LOG:  redirecting log output to logging collector process
openvas64.1.28wa22rncn8b@Cluster9 | 2024-03-13 19:28:42.435 UTC [222] HINT:  Future log output will appear in directory "/data/var-log/postgresql".
openvas64.1.28wa22rncn8b@Cluster9 | done
openvas64.1.28wa22rncn8b@Cluster9 | server started
openvas64.1.28wa22rncn8b@Cluster9 | OK: Directory for keys (/var/lib/gvm/private/CA) exists.
openvas64.1.28wa22rncn8b@Cluster9 | OK: Directory for certificates (/var/lib/gvm/CA) exists.
openvas64.1.28wa22rncn8b@Cluster9 | OK: CA key found in /var/lib/gvm/private/CA/cakey.pem
openvas64.1.28wa22rncn8b@Cluster9 | OK: CA certificate found in /var/lib/gvm/CA/cacert.pem
openvas64.1.28wa22rncn8b@Cluster9 | OK: CA certificate verified.
openvas64.1.28wa22rncn8b@Cluster9 | OK: Certificate /var/lib/gvm/CA/servercert.pem verified.
openvas64.1.28wa22rncn8b@Cluster9 | OK: Certificate /var/lib/gvm/CA/clientcert.pem verified.
openvas64.1.28wa22rncn8b@Cluster9 |
openvas64.1.28wa22rncn8b@Cluster9 | OK: Your GVM certificate infrastructure passed validation.
openvas64.1.28wa22rncn8b@Cluster9 | Creating dir structure for feed sync
openvas64.1.28wa22rncn8b@Cluster9 | Current GVMd database version is 250
openvas64.1.28wa22rncn8b@Cluster9 | ERROR:  function create_index(unknown, unknown, unknown) does not exist
openvas64.1.28wa22rncn8b@Cluster9 | LINE 1: SELECT create_index ('vt_severities_by_vt_oid','vt_severitie...
openvas64.1.28wa22rncn8b@Cluster9 |                ^
openvas64.1.28wa22rncn8b@Cluster9 | HINT:  No function matches the given name and argument types. You might need to add explicit type casts.
openvas64.1.28wa22rncn8b@Cluster9 | Migrate the database if needed.
openvas64.1.28wa22rncn8b@Cluster9 | md manage-Message: 19:28:44.586: cleanup_old_sql_functions: cleaning up SQL functions now included in pg-gvm extension
openvas64.1.28wa22rncn8b@Cluster9 | Updating NVTs and other data
openvas64.1.28wa22rncn8b@Cluster9 | This could take a while if you are not using persistent storage for your NVTs
openvas64.1.28wa22rncn8b@Cluster9 | or this is the first time pulling to your persistent storage.
openvas64.1.28wa22rncn8b@Cluster9 | the time will be mostly dependent on your available bandwidth.
openvas64.1.28wa22rncn8b@Cluster9 | We sleep for 2 seconds between sync command to make sure everything closes
openvas64.1.28wa22rncn8b@Cluster9 | and it doesnt' look like we are connecting more than once.
openvas64.1.28wa22rncn8b@Cluster9 | Checking age of current data feeds from Greenbone.
openvas64.1.28wa22rncn8b@Cluster9 | stat: cannot statx '/usr/lib/var-lib.tar.xz': No such file or directory
openvas64.1.mswzty0l9wfk@Cluster9 | starting container at: Wed Mar 13 19:28:53 UTC 2024
openvas64.1.mswzty0l9wfk@Cluster9 | Setting up container filesystem
openvas64.1.mswzty0l9wfk@Cluster9 | /data/database/base already exists ...
openvas64.1.mswzty0l9wfk@Cluster9 | NOT moving data from image to /data
openvas64.1.mswzty0l9wfk@Cluster9 | cp: cannot stat '/usr/local/var/lib/': No such file or directory
openvas64.1.mswzty0l9wfk@Cluster9 | chown: invalid user: 'gvm:gvm'
openvas64.1.mswzty0l9wfk@Cluster9 | cp: cannot stat '/var/lib/gvm/': No such file or directory
openvas64.1.mswzty0l9wfk@Cluster9 | cp: cannot stat '/var/lib/notus/': No such file or directory
openvas64.1.mswzty0l9wfk@Cluster9 | cp: cannot stat '/var/lib/openvas/': No such file or directory
openvas64.1.mswzty0l9wfk@Cluster9 | cp: cannot stat '/etc/gvm/': No such file or directory
openvas64.1.mswzty0l9wfk@Cluster9 | cp: cannot stat '/usr/local/etc/openvas/': No such file or directory
openvas64.1.mswzty0l9wfk@Cluster9 | Choosing container start method from:
openvas64.1.mswzty0l9wfk@Cluster9 |
openvas64.1.mswzty0l9wfk@Cluster9 | Starting gvmd & openvas in a single container !!
openvas64.1.mswzty0l9wfk@Cluster9 | Wait for redis socket to be created...
openvas64.1.mswzty0l9wfk@Cluster9 | Testing redis status...
openvas64.1.mswzty0l9wfk@Cluster9 | Redis ready.
openvas64.1.mswzty0l9wfk@Cluster9 | Creating postgresql.conf and pg_hba.conf
openvas64.1.mswzty0l9wfk@Cluster9 | Starting PostgreSQL...
openvas64.1.mswzty0l9wfk@Cluster9 | pg_ctl: another server might be running; trying to start server anyway
openvas64.1.mswzty0l9wfk@Cluster9 | waiting for server to start....2024-03-13 19:30:07.735 UTC [106] LOG:  redirecting log output to logging collector process
openvas64.1.mswzty0l9wfk@Cluster9 | 2024-03-13 19:30:07.735 UTC [106] HINT:  Future log output will appear in directory "/data/var-log/postgresql".
openvas64.1.mswzty0l9wfk@Cluster9 | ......... done
openvas64.1.mswzty0l9wfk@Cluster9 | server started
openvas64.1.mswzty0l9wfk@Cluster9 | pg exit with 0 .
openvas64.1.mswzty0l9wfk@Cluster9 | Checking for existing DB
openvas64.1.mswzty0l9wfk@Cluster9 | Running first start configuration...
openvas64.1.mswzty0l9wfk@Cluster9 | NEWDB=false
openvas64.1.mswzty0l9wfk@Cluster9 | LOADDEFAULT=false
openvas64.1.mswzty0l9wfk@Cluster9 | Checking DB Version
openvas64.1.mswzty0l9wfk@Cluster9 | ERROR:  relation "meta" does not exist
openvas64.1.mswzty0l9wfk@Cluster9 | LINE 1: select value from meta where name like 'database_version';
openvas64.1.mswzty0l9wfk@Cluster9 |                           ^
openvas64.1.43u8ywb4i12w@Cluster9 | starting container at: Wed Mar 13 19:30:24 UTC 2024
openvas64.1.43u8ywb4i12w@Cluster9 | Setting up container filesystem
openvas64.1.43u8ywb4i12w@Cluster9 | /data/database/base already exists ...
openvas64.1.43u8ywb4i12w@Cluster9 | NOT moving data from image to /data
openvas64.1.43u8ywb4i12w@Cluster9 | cp: cannot stat '/usr/local/var/lib/': No such file or directory
openvas64.1.43u8ywb4i12w@Cluster9 | chown: invalid user: 'gvm:gvm'
openvas64.1.43u8ywb4i12w@Cluster9 | cp: cannot stat '/var/lib/gvm/': No such file or directory
openvas64.1.43u8ywb4i12w@Cluster9 | cp: cannot stat '/var/lib/notus/': No such file or directory
openvas64.1.43u8ywb4i12w@Cluster9 | cp: cannot stat '/var/lib/openvas/': No such file or directory
openvas64.1.43u8ywb4i12w@Cluster9 | cp: cannot stat '/etc/gvm/': No such file or directory
openvas64.1.43u8ywb4i12w@Cluster9 | cp: cannot stat '/usr/local/etc/openvas/': No such file or direc
```

shandshellin commented 8 months ago

Seeing this error now as well after changing the env variables to newdb=false skipsync=true:

```
openvas64.1.v8i2eamykmco@Cluster9 | server started
openvas64.1.v8i2eamykmco@Cluster9 | pg exit with 0 .
openvas64.1.v8i2eamykmco@Cluster9 | Checking for existing DB
openvas64.1.v8i2eamykmco@Cluster9 | Running first start configuration...
openvas64.1.v8i2eamykmco@Cluster9 | NEWDB=false
openvas64.1.v8i2eamykmco@Cluster9 | LOADDEFAULT=false
openvas64.1.v8i2eamykmco@Cluster9 | Checking DB Version
openvas64.1.v8i2eamykmco@Cluster9 | ERROR:  relation "meta" does not exist
openvas64.1.v8i2eamykmco@Cluster9 | LINE 1: select value from meta where name like 'database_version';
```

immauss commented 8 months ago

Can you share how you are starting the container? Full command line? Or docker-compose.yml?

Thanks, Scott

immauss commented 8 months ago

If the feed sync fails on the initial startup, then the checks for the DB version fail, as the DB has no data in it yet when the container fails. I've added some logic and tests to prevent this in 22.4.43 and the latest. I'm not sure what was/is going on with the GB feed sync servers, but the feed sync failed > 25 times for me before I was able to pull the entire feed.

-Scott

immauss commented 7 months ago

The feed sync issues have been resolved, and it is now possible to start the container using the "-slim" image, which will force a feed sync on startup.

-Scott