- gvm10-docker
Suggestions and bug reports are always welcome, just post an issue over at falkowich/gvm10-docker.
This table shows which versions make up which tags on Docker Hub. See falkowich#17.
- stable » When the latest image has been stable for some time, it is merged into this branch. This is the proposed prod branch.
- latest » Latest update to the upstream 10.0 release tree.
- dev » Upstream master, to test new functions and prepare for the next major release.
image type | upstream gvm-libs | docker Tag | local branch | autobuild on dockerhub | description |
---|---|---|---|---|---|
sqlite | master | sqlite-dev | master | yes | sqlite and gsa |
psql | master | psql-dev | master | yes | psql and gsa |
slave | master | slave-dev | master | yes | scanner (slave) without gsa |
sqlite | 10.0-git | sqlite-latest | latest | yes | sqlite and gsa |
psql | 10.0-git | psql-latest | latest | yes | psql and gsa |
slave | 10.0-git | slave-latest | latest | yes | scanner (slave) without gsa |
sqlite | 10.0 | sqlite | stable | no | sqlite and gsa |
psql | 10.0 | psql | stable | no | psql and gsa |
slave | 10.0 | slave | stable | no | scanner (slave) without gsa |
(If you can come up with a better way to handle these versions and images, please drop me a line or create an issue about it) :)
Want to chat or have a question about the build? Join up here: slack invite, chat, and perhaps help others out :)
I tried to do a write-up of how to use these images in a (hopefully) working environment on sadsloth.net.
```
docker pull falkowich/gvm10:sqlite
```
And if you want to try out the "bleeding edge" master branch:
```
docker pull falkowich/gvm10:edge
```
```
docker run -p 443:443 falkowich/gvm10:sqlite
```
```
docker pull falkowich/gvm10:edge
```
This will mount /usr/local/var/lib/gvm/ on /var/lib/docker/volumes/gvm/_data/ as the docker volume gvm.
WARNING - This volume will be lost if/when the container is pruned.
```
docker run \
  -p 443:443 \
  -v gvm:/usr/local/var/lib/gvm/ \
  --name gvm10 \
  falkowich/gvm10:sqlite
```
To check out info about the volume:
```
docker volume inspect gvm
```
```
[
    {
        "CreatedAt": "2019-04-13T19:22:15+02:00",
        "Driver": "local",
        "Labels": null,
        "Mountpoint": "/var/lib/docker/volumes/gvm/_data",
        "Name": "gvm",
        "Options": null,
        "Scope": "local"
    }
]
```
```
docker run \
  -p 443:443 \
  -v gvm:/usr/local/var/lib/gvm/ \
  --name gvm10 \
  falkowich/gvm10:edge
```
```
docker pull falkowich/gvm10:psql
```
```
docker run -p 443:443 falkowich/gvm10:psql
```
WARNING - These volumes will be lost if/when the container is pruned.
```
docker run \
  -p 443:443 \
  -v gvm:/usr/local/var/lib/gvm \
  -v psql:/var/lib/postgresql/ \
  --name gvm10 \
  falkowich/gvm10:psql
```
To check out info about the volume:
```
docker volume inspect gvm
```
```
[
    {
        "CreatedAt": "2019-04-13T19:22:15+02:00",
        "Driver": "local",
        "Labels": null,
        "Mountpoint": "/var/lib/docker/volumes/gvm/_data",
        "Name": "gvm",
        "Options": null,
        "Scope": "local"
    }
]
```
```
docker-compose up
```
```
docker-compose up -d
```
```
docker-compose logs -f
```
Sync SCAP data:
```
docker-compose exec gvm10 /usr/local/sbin/greenbone-scapdata-sync
```
Sync CERT data:
```
docker-compose exec gvm10 /usr/local/sbin/greenbone-certdata-sync
```
Sync NVT data:
```
docker-compose exec gvm10 /usr/local/sbin/greenbone-nvt-sync
```
DB maintenance (vacuum, analyze, cleanup-config-prefs, cleanup-port-names, cleanup-result-severities, cleanup-schedule-times, rebuild-report-cache or update-report-cache):
```
docker-compose exec gvm10 /usr/local/sbin/gvmd -v --optimize=vacuum
```
Change admin password:
```
docker-compose exec gvm10 /usr/local/sbin/gvmd -v --user=admin --new-password=super-secret-password
```
Update to the "latest" image:
```
docker-compose stop
docker-compose pull
docker-compose up -d
```
Sync SCAP data:
```
docker exec -i gvm10 sh -c "/usr/local/sbin/greenbone-scapdata-sync"
```
Sync CERT data:
```
docker exec -i gvm10 sh -c "/usr/local/sbin/greenbone-certdata-sync"
```
Sync NVT data:
```
docker exec -i gvm10 sh -c "/usr/local/sbin/greenbone-nvt-sync"
```
DB maintenance (vacuum, analyze, cleanup-config-prefs, cleanup-port-names, cleanup-result-severities, cleanup-schedule-times, rebuild-report-cache or update-report-cache):
```
docker exec -i gvm10 sh -c "/usr/local/sbin/gvmd -v --optimize=vacuum"
```
Change admin password:
```
docker exec -i gvm10 sh -c "/usr/local/sbin/gvmd -v --user=admin --new-password=super-secret-password"
```
user/pass - admin/admin
```
docker run \
  -p 443:443 \
  -p 9391:9391 \
  -v gvm:/usr/local/var/lib/gvm \
  -v psql:/var/lib/postgresql/ \
  --name gvm10 \
  falkowich/gvm10:psql
```
```
docker run \
  -p 9391:9391 \
  -v gvm:/usr/local/var/lib/gvm/ \
  falkowich/gvm10:slave
```
Then on the slave (scanner):
```
docker exec -i gvm10 sh -c "/usr/local/sbin/gvmd -v --create-user=scanner-user"
```
Write down the password or change it to another one.
```
User created with password 'ca3c6307-c8d8-4b96-83c5-cdaffd803671'.
```
Create a scanner in GSAD on the MASTER (I will check out the CLI way later): Configuration > Scanners > New Scanner:
- Name: Scanner01
- Comment: Remote Scanner
- Type: GMP Scanner
- Host: IP of the slave
- Credentials: New Credentials
  - Name: Slave01 Credentials
  - Comment: Foo Bar
  - Username: scanner-user
  - Password: ca3c6307-c8d8-4b96-83c5-cdaffd803671
  - [save]
- [save]
On the MASTER:
```
docker exec -i gvm10 sh -c "/usr/local/sbin/gvmd --get-scanners"
```
Then you will get the newly created Scanner01, like this:
```
33d23dc3-00f1-4e4a-82da-1f003303c322 Scanner01
```
From the SLAVE, copy /var/lib/docker/volumes/gvm/_data/CA/cacert.pem to the MASTER, for example to /tmp/scanner01-cacert.pem.
On the MASTER:
```
sudo cp /tmp/scanner01-cacert.pem /var/lib/docker/volumes/gvm/_data/CA/ -arv
```
Then on the MASTER:
```
docker exec -i gvm10 sh -c "/usr/local/sbin/gvmd --modify-scanner=33d23dc3-00f1-4e4a-82da-1f003303c322 --scanner-ca-pub=/usr/local/var/lib/gvm/CA/scanner01-cacert.pem"
```
Now you should be able to start scans from the MASTER and select Scanner01 as the scanner :)
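Added example, not part of the gvm10-docker project: POSIX shell helpers that wrap the master-side registration steps above, parsing the `gvmd` output shown there instead of copying the UUID by hand. The master container name `gvm10`, the CA file naming `<scanner>-cacert.pem`, and the volume path are assumptions taken from the commands above.

```shell
#!/bin/sh
# Helper functions for the master/slave scanner registration steps (added
# example; container name gvm10 and CA paths are assumptions from the README).

# Extract the generated password from `gvmd --create-user` output, e.g.
#   User created with password 'ca3c6307-...'.
extract_created_password() {
    sed -n "s/^User created with password '\([^']*\)'\.$/\1/p"
}

# Extract the UUID of a named scanner from `gvmd --get-scanners` output, e.g.
#   33d23dc3-00f1-4e4a-82da-1f003303c322 Scanner01
# Other scanners in the listing (defaults, other slaves) are skipped.
scanner_uuid_by_name() {
    awk -v name="$1" '$2 == name { print $1; exit }'
}

# Refuse to splice anything that is not a UUID into a gvmd command line.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Install the slave's CA cert on the master and point the named scanner at it.
# $1 = scanner name as created in GSA, $2 = path of the copied cacert.pem.
register_scanner_ca() {
    name="$1"; ca_src="$2"
    uuid=$(docker exec -i gvm10 sh -c "/usr/local/sbin/gvmd --get-scanners" \
           | scanner_uuid_by_name "$name")
    if ! is_uuid "$uuid"; then
        echo "scanner '$name' not found on master, nothing modified" >&2
        return 1
    fi
    sudo cp -a "$ca_src" "/var/lib/docker/volumes/gvm/_data/CA/$name-cacert.pem"
    docker exec -i gvm10 sh -c "/usr/local/sbin/gvmd --modify-scanner=$uuid \
        --scanner-ca-pub=/usr/local/var/lib/gvm/CA/$name-cacert.pem"
}
```

Run as `register_scanner_ca Scanner01 /tmp/scanner01-cacert.pem` on the MASTER after the scanner has been created in GSA.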
This will be rewritten, with better information
This is an unofficial build and my attempt at building gvm10 docker containers.
One goal is to get a working master/slave setup with a sane workflow.
Hopefully also a usable Ansible playbook that can help with the slaves..
But then, perhaps it doesn't get more interesting than this :)
Much info was learned from mikesplain/openvas-docker, which makes good production-ready container builds.
- better logging?
- openvas-check-setup type of check?
- tools like arachni, etc.
- postgresql build
- separated containers for sql? (scrapped for the moment)
- better volume support
- master/slave images?
- docker-compose files.
- Fix workflow with testing before build.. _(..Lots of PEBKAC tonight..)