gvm10-docker

• gvm10-docker
  • Tags and versions
  • Some examples and info
  • Sqlite3 DB backend
    • Use with "docker run"
      • Start with non-persistant storage
      • Start with mounted volume
  • PostgrSQL DB backend
    • Start with mounted volume
  • Use with docker-compose
    • Start in frontend
    • Check logs
    • With docker
  • Disclamer
  • ToDo / Thoughts / Goals
  • Done [sorta]

Suggestions and bugreports are always welcome, just post an issue over at falkowich/gvm10-docker

Tags and versions

This table shows what versions makes up what tags on dockerhub.
See #17

• stable » When the latest image has been stable for some time, it merges to this branch. This is the proposed prod branch
• latest » Latest update to the upstream release 10.0 releasetree.
• dev » Upstream master, to test new functions and prepare for next major release.

image type	upstream gvm-libs	docker Tag	local branch	autobuild on dockerhub	description
sqlite	master	sqlite-dev	master	yes	sqlite and gsa
psql	master	psql-dev	master	yes	psql and gsa
slave	master	slave-dev	master	yes	scanner (slave) without gsa
sqlite	10.0-git	sqlite-latest	latest	yes	sqlite and gsa
psql	10.0-git	psql-latest	latest	yes	psql and gsa
slave	10.0-git	slave-latest	latest	yes	scanner (slave) without gsa
sqlite	10.0	sqlite	stable	no	sqlite and gsa
psql	10.0	psql	stable	no	psql and gsa
slave	10.0	slave	stable	no	scanner (slave) without gsa

(If you can come up on a better way to handle these versions and images om, please throw me a line or create an issue on it) :)

Want to chat or have a question about the build, join up here slack invite and chat, and perhaps help others out :)

Some examples and info

I tried to do a writeup how to use these images in a (hopefully) working environment on sadsloth.net.

Sqlite3 DB backend

docker pull falkowich/gvm10:sqlite

And if you want to try out "bleeding edge", master branch

docker pull falkowich/gvm10:edge

Use with "docker run"

Start with non-persistant storage

docker run -p 443:443 falkowich/gvm10:sqlite

docker pull falkowich/gvm10:edge

Start with mounted volume

This will mount /usr/local/var/lib/gvm/ in /var/lib/docker/volumes/gvm/_data/ as docker volume gvm.
WARNING - This volume will be lost if/when container is pruned

docker run \
       -p 443:443 \
       -v gvm:/usr/local/var/lib/gvm/ \
       --name gvm10 \
       falkowich/gvm10:sqlite

To check out info about the volume

docker volume inspect gvm
[
    {
        "CreatedAt": "2019-04-13T19:22:15+02:00",
        "Driver": "local",
        "Labels": null,
        "Mountpoint": "/var/lib/docker/volumes/gvm/_data",
        "Name": "gvm",
        "Options": null,
        "Scope": "local"
    }
]

docker run \
       -p 443:443 \
       -v gvm:/usr/local/var/lib/gvm/ \
       --name gvm10 \
       falkowich/gvm10:edge

PostgrSQL DB backend

docker pull falkowich/gvm10:psql

Use with "docker run"

Start with non-persistant storage

docker run -p 443:443 falkowich/gvm10:psql

Start with mounted volume

WARNING - These volumes will be lost if/when container is pruned

docker run \
       -p 443:443 \
       -v gvm:/usr/local/var/lib/gvm \
       -v psql:/var/lib/postgresql/ \
       --name gvm10 \
       falkowich/gvm10:psql

To check out info about the volume

docker volume inspect gvm
[
    {
        "CreatedAt": "2019-04-13T19:22:15+02:00",
        "Driver": "local",
        "Labels": null,
        "Mountpoint": "/var/lib/docker/volumes/gvm/_data",
        "Name": "gvm",
        "Options": null,
        "Scope": "local"
    }
]

Use with docker-compose

Start in frontend

docker-compose up

Start in backend

docker-compose up -d

Check logs

docker-compose logs -f

Maintanance

With docker-compose

Sync SCAP data
docker-compose exec gvm10 /usr/local/sbin/greenbone-scapdata-sync

Sync CERT data
docker-compose exec gvm10 /usr/local/sbin/greenbone-certdata-sync

Sync NVT data
docker-compose exec gvm10 /usr/local/sbin/greenbone-nvt-sync

DB maintanance (vacuum, analyze, cleanup-config-prefs, cleanup-port-names, cleanup-result-severities, cleanup-schedule-times, rebuild-report-cache or update-report-cache)
docker-compose exec gvm10 /usr/local/sbin/gvmd -v --optimize=vacuum

Change admin password
docker-compose exec gvm10 /usr/local/sbin/gvmd -v --user=admin --new-password=super-secret-password

Update to "latest" image

docker-compose stop
docker-compose pull
docker-compose up -d

With docker

Sync SCAP data
docker exec -i gvm10 sh -c "/usr/local/sbin/greenbone-scapdata-sync"

Sync CERT data
docker exec -i gvm10 sh -c "/usr/local/sbin/greenbone-certdata-sync"

Sync NVT data
docker exec -i gvm10 sh -c "/usr/local/sbin/greenbone-nvt-sync"

DB maintanance (vacuum, analyze, cleanup-config-prefs, cleanup-port-names, cleanup-result-severities, cleanup-schedule-times, rebuild-report-cache or update-report-cache)
docker exec -i gvm10 sh -c "/usr/local/sbin/gvmd -v --optimize=vacuum"

Change admin password
docker exec -i gvm10 sh -c "/usr/local/sbin/gvmd -v --user=admin --new-password=super-secret-password"

GSA

user/pass - admin/admin

Master - Slave setup [take 1 :)]

I tried to do a writeup how to use these images in a (hopefully) working environment on sadsloth.net.

Master Setup

docker run \
       -p 443:443 \
       -p 9391:9391 \
       -v gvm:/usr/local/var/lib/gvm \
       -v psql:/var/lib/postgresql/ \
       --name gvm10 \
       falkowich/gvm10:psql

Slave Setup

docker run \
       -p 9391:9391 \
       -v gvm:/usr/local/var/lib/gvm/ \
       falkowich/gvm10:slave

Then on the slave (scanner):
docker exec -i gvm10 sh -c "/usr/local/sbin/gvmd -v --create-user=scanner-user"

Write down password or change to another one.
User created with password 'ca3c6307-c8d8-4b96-83c5-cdaffd803671'.

Create a scanner in GSAD on the MASTER (I will checkout the cli way): Configuration > Scanners > New Scanner:

Name: Scanner01 
Comment: Remote Scanner   
Type: GMP Scanner 
Host: IP on slave  
Credentials: New Credentials 

  Name: Slave01 Credentials  
  Comment: Foo Bar 
  Username: scanner-user 
  Password: ca3c6307-c8d8-4b96-83c5-cdaffd803671  
  [save]  
[save]

On the MASTER:
docker exec -i gvm10 sh -c "/usr/local/sbin/gvmd --get-scanners"

Then you will get the newly created Scanner01, like this:
33d23dc3-00f1-4e4a-82da-1f003303c322 Scanner01

From the SLAVE copy /var/lib/docker/volumes/gvm/_data/CA/cacert.pem to the MASTER for example to /tmp/scanner01-cacert.pem

On the MASTER:
sudo cp /tmp/scanner01-cacert.pem /var/lib/docker/volumes/gvm/_data/CA/ -arv

Then on the MASTER:
docker exec -i gvm10 sh -c "/usr/local/sbin/gvmd --modify-scanner=33d23dc3-00f1-4e4a-82da-1f003303c322 --scanner-ca-pub=/usr/local/var/lib/gvm/CA/scanner01-cacert.pem

Now you should be able to start scans from the MASTER and select scanner01 as scanner :)

This will be rewritten, with better information

Disclamer

This is an unofficial build and my try to build gvm10 docker containers.
One goal is to get a working master/slave setup, with a sane workflow.
Hopefully an usable ansible playbook that can help with the slaves.. But then, perhaps it doesn't get more interesting than this :)

Much info was learned from mikesplain/openvas-docker that makes good production ready container builds.

ToDo / Thoughts / Goals

• better logging?
• openvas-check-setup type of check?
• tools like arachni etc

Done [sorta]

• postgresql build
• separated containers for sql? (scrapped for the moment)
• better volume support
• master/slave images?
• docker-compose files.
• Fix workflow with testing before build.. _(..Lots of PEBKAC tonight..)