mikesplain / openvas-docker

A Docker container for Openvas
MIT License

Login failed. OMP service is down. #75

Closed LeeBraddy closed 8 years ago

LeeBraddy commented 8 years ago

Using the mikesplain/openvas:latest build from 12-1-2016, build code bn5kzysjr2vlcbapjafkj8g

I start the container with: docker run -d -p 443:443 -p 9390:9390 -p 9391:9391 --name openvas mikesplain/openvas

My load average reaches 11 while openvas initializes. When things settle down the container ends up in this state:

$ docker top openvas
UID                 PID                 PPID                C                   STIME               TTY                 TIME                CMD
root                1976                1677                0                   08:19               ?                   00:00:00            /bin/sh -c /openvas/start.sh
root                1987                1976                0                   08:19               ?                   00:00:00            /bin/bash /openvas/start.sh
root                1989                1976                0                   08:19               ?                   00:00:00            /usr/local/bin/redis-server *:6379
root                1993                1976                0                   08:19               ?                   00:00:01            ./gsad --gnutls-priorities=SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0
root                1994                1993                0                   08:19               ?                   00:00:00            ./gsad --gnutls-priorities=SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0
root                1998                1976                7                   08:19               ?                   00:03:07            openvassd: Waiting for incoming connections
root                2051                1976                0                   08:24               ?                   00:00:00            openvasmd
root                5135                1987                99                  08:24               ?                   00:36:06            openvasmd: Initializing.
root                5136                1987                0                   08:24               ?                   00:00:00            fgrep -v admin
root                5137                1987                0                   08:24               ?                   00:00:00            xargs -n1 -IUSER -r openvasmd --delete-user=USER
root                5261                2051                0                   08:49               ?                   00:00:00            openvasmd

The GSA is up and at the login, entering 'admin' and 'openvas', GSA responds with 'Login failed. OMP service is down.'

Using openssl s_client -connect localhost:9390: The connection is successful and I'm able to issue get_version.

<get_version/>
<get_version_response status="200" status_text="OK"><version>6.0</version></get_version_response>

When I issue authenticate OMP returns a failure.

<authenticate><credentials><username>admin</username><password>openvas</password></credentials></authenticate>
<authenticate_response status="400" status_text="Authentication failed"/>

The --delete-user command is being issued in the start.sh script. That bit of code was introduced 9 days ago in commit 169c5dc56e8f36533cc3aef09be65c87412b8cac.

I was using the mikesplain/openvas:latest from 16 days ago, build code bnjkx5dtqn5fy3medqqxym5, without any issues. A friend was having an issue getting an openvas container working so I tried with the current image and had this problem. I do not see an issue with the code change. I believe this may be an issue with the build of the image.
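
The manual OMP check from the post above, as an added example that is not part of the original issue or the project's code: it builds the `authenticate` request with XML escaping and classifies the two replies, so a manager that answers but rejects the login is not mistaken for a service that is down. The function names and verdict strings are assumptions made for this illustration; the two sample replies are the ones quoted in the post.

```python
import xml.etree.ElementTree as ET

# Replies copied from the issue text above (OMP 6.0 on port 9390).
VERSION_REPLY = ('<get_version_response status="200" status_text="OK">'
                 '<version>6.0</version></get_version_response>')
AUTH_REPLY = '<authenticate_response status="400" status_text="Authentication failed"/>'


def build_authenticate(username, password):
    """Serialize an OMP <authenticate> request; ElementTree escapes the values."""
    root = ET.Element("authenticate")
    creds = ET.SubElement(root, "credentials")
    ET.SubElement(creds, "username").text = username
    ET.SubElement(creds, "password").text = password
    return ET.tostring(root, encoding="unicode")


def parse_response(xml_text):
    """Return (command, status, status_text), or None if this is not an OMP reply."""
    try:
        root = ET.fromstring(xml_text)
        status = int(root.get("status", ""))
    except (ET.ParseError, ValueError):
        return None
    if not root.tag.endswith("_response"):
        return None
    return root.tag[: -len("_response")], status, root.get("status_text", "")


def triage(version_xml, auth_xml):
    """Hypothetical verdict names: separate 'manager down' from 'login rejected'."""
    version = parse_response(version_xml)
    auth = parse_response(auth_xml)
    if version is None or version[1] != 200:
        return "omp-not-answering"      # the state the GSA message describes
    if auth is None:
        return "omp-up-no-auth-reply"
    if auth[1] == 200:
        return "ok"
    if 400 <= auth[1] < 500:
        return "omp-up-auth-rejected"   # manager is up and answering
    return "omp-up-manager-error"


if __name__ == "__main__":
    print(build_authenticate("admin", "openvas"))
    print(triage(VERSION_REPLY, AUTH_REPLY))
```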

LeeBraddy commented 8 years ago

Here is my current log output for the container.

docker logs openvas

Re-running openvas-check-setup, attempt: 48
openvas-check-setup 2.3.3
  Test completeness and readiness of OpenVAS-8
  (add '--v6' or '--v7' or '--v9'
   if you want to check for another OpenVAS version)

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

Step 1: Checking OpenVAS Scanner ... 
        OK: OpenVAS Scanner is present in version 5.0.4.
        OK: OpenVAS Scanner CA Certificate is present as /usr/local/var/lib/openvas/CA/cacert.pem.
        OK: redis-server is present in version v=3.0.5.
        OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
        OK: redis-server is running and listening on socket: /tmp/redis.sock.
        OK: redis-server configuration is OK and redis-server is running.
        OK: NVT collection in /usr/local/var/lib/openvas/plugins contains 45089 NVTs.
        WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
        SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
        WARNING: The initial NVT cache has not yet been generated.
        SUGGEST: Start OpenVAS Scanner for the first time to generate the cache.
Step 2: Checking OpenVAS Manager ... 
        OK: OpenVAS Manager is present in version 6.0.6.
        OK: OpenVAS Manager client certificate is present as /usr/local/var/lib/openvas/CA/clientcert.pem.
        OK: OpenVAS Manager database found in /usr/local/var/lib/openvas/mgr/tasks.db.
        OK: Access rights for the OpenVAS Manager database are correct.
        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
Error: database is locked
        ERROR: Could not determine database revision, database corrupt or in invalid format.
        FIX: Delete database at /usr/local/var/lib/openvas/mgr/tasks.db and rebuild it.

 ERROR: Your OpenVAS-8 installation is not yet complete!

Please follow the instructions marked with FIX above and run this
script again.

If you think this result is wrong, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

Re-running openvas-check-setup, attempt: 49
Done.
Delete unknown users...

lphuberdeau commented 8 years ago

We traced the issue down to a deprecated certificate signature problem with gnutls.

We have a working fork. However, we made a few additional changes for our own needs in the process, so it might not be easily backportable.

https://github.com/delvelabs/openvas-docker

The issue is mainly sha256 certificates no longer being supported, and gnutls being too outdated in ubuntu 14.04.

zyrill commented 8 years ago

Is work being done or should we move to delvelabs' version?

mikesplain commented 8 years ago

This is being looked into. I want to avoid switching to the Ubuntu 15.04 image. If anyone is interested in proposing a fix as well, I'm all ears.

mikesplain commented 8 years ago

Thanks for your work on this @lphuberdeau. Please reopen if you all see other issues. Just merged the fix and Docker hub is currently building.

tatric commented 8 years ago

Hi, I have found an issue with logging in. I manually made a user with a password and it worked for me. Error log:

Done.
Delete unknown users...
User deleted.
Create admin  user...
Failed to create user.
Set admin password...
Starting infinite loop...
Press [CTRL+C] to stop..

mikesplain commented 8 years ago

Please pull the new image. That log and commands have been removed to fix the above issue for now.