Tags: python-3.x, docker-compose, unix-socket, gvm

Unable to connect to the Unix socket for GVMD interactions : "Connection Refused"


I'm trying to implement a script within the docker-compose of greenbone-community-edition. This script uses the socket located at /run/gvmd/gvmd.sock to establish a connection and execute Python commands via the python-gvm library.

    script:
      image: openvasscript
      restart: on-failure
      ports:
        - 127.0.0.1:9393:80
      volumes:
        - gvmd_socket_vol:/run/gvmd # should give me access to the socket
      depends_on:
        - gvmd

    from gvm.connections import UnixSocketConnection
    from gvm.protocols.gmp import Gmp


    class GvmClient:  # class name not shown in the question; assumed so the excerpt runs
        def __init__(self) -> None:
            try:
                path = "/run/gvmd/gvmd.sock"
                self.connection = UnixSocketConnection(path=path)
                assert self.socket_test()
            except Exception:
                # any connect/auth failure is swallowed here, so callers never see why
                pass

        def auth(self, gmp):
            gmp.authenticate("admin", "admin")

        def socket_test(self):
            try:
                with Gmp(connection=self.connection) as gmp:
                    self.auth(gmp)
                    gmp.get_version()
                return True
            except Exception:
                return False

When the docker-compose builds the containers, the socket appears unable to connect and returns the error "Could not connect to socket /run/gvmd/gvmd.sock. Error was [Errno 111] Connection refused."


I checked the presence and permissions of the socket inside my script container, and the permissions of the directory.

    docker compose -f ./openvas-docker-compose.yml -p greenbone-community-edition exec script ls -l /run/gvmd/gvmd.sock
    srw-rw-rw- 1 1001 1001 0 Jun 21 03:51 /run/gvmd/gvmd.sock
    docker compose -f ./openvas-docker-compose.yml -p greenbone-community-edition exec script ls -ld /run/gvmd
    drw-rw-rw- 2 1000 1000 4096 Jun 21 03:51 /run/gvmd

I reviewed the gvmd logs, but nothing seems problematic except for the last line, which I didn't understand.

    docker compose -f ./openvas-docker-compose.yml -p greenbone-community-edition exec gvmd cat /var/log/gvm/gvmd.log
    md   main:MESSAGE:2024-06-21 04h12.07 utc:22:    Greenbone Vulnerability Manager version 23.6.2 (DB revision 255)
    md   main:   INFO:2024-06-21 04h12.07 utc:22:    Migrating database.
    md   main:   INFO:2024-06-21 04h12.07 utc:22: gvmd: databases are already at the supported version
    md   main:MESSAGE:2024-06-21 04h12.07 utc:23:    Greenbone Vulnerability Manager version 23.6.2 (DB revision 255)
    md manage:   INFO:2024-06-21 04h12.07 utc:23:    Creating user.
    md manage:MESSAGE:2024-06-21 04h12.12 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.100509:6 has changed from 'Report vulnerabilities of inactive Linux Kernel(s) separately' to 'Report vulnerabilities of inactive Linux Kernel(s) separately (only for GOS 21.04 and older)'.
    md manage:MESSAGE:2024-06-21 04h12.12 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.111091:1 has changed from 'Report NVT debug logs' to 'Report VT debug logs'.
    md manage:MESSAGE:2024-06-21 04h12.12 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.12288:16 has changed from 'Mark host as dead if going offline (failed ICMP ping) during scan' to 'Mark host as dead if going offline (failed ICMP ping) during scan (deprecated)'.
    md manage:MESSAGE:2024-06-21 04h12.12 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.100509:6 has changed from 'Report vulnerabilities of inactive Linux Kernel(s) separately' to 'Report vulnerabilities of inactive Linux Kernel(s) separately (only for GOS 21.04 and older)'.
    md manage:MESSAGE:2024-06-21 04h12.12 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.111091:1 has changed from 'Report NVT debug logs' to 'Report VT debug logs'.
    md manage:MESSAGE:2024-06-21 04h12.12 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.12288:16 has changed from 'Mark host as dead if going offline (failed ICMP ping) during scan' to 'Mark host as dead if going offline (failed ICMP ping) during scan (deprecated)'.
    md manage:MESSAGE:2024-06-21 04h12.13 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.12288:16 has changed from 'Mark host as dead if going offline (failed ICMP ping) during scan' to 'Mark host as dead if going offline (failed ICMP ping) during scan (deprecated)'.
    md manage:MESSAGE:2024-06-21 04h12.13 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.100509:6 has changed from 'Report vulnerabilities of inactive Linux Kernel(s) separately' to 'Report vulnerabilities of inactive Linux Kernel(s) separately (only for GOS 21.04 and older)'.
    md manage:MESSAGE:2024-06-21 04h12.13 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.111091:1 has changed from 'Report NVT debug logs' to 'Report VT debug logs'.
    md manage:MESSAGE:2024-06-21 04h12.13 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.12288:16 has changed from 'Mark host as dead if going offline (failed ICMP ping) during scan' to 'Mark host as dead if going offline (failed ICMP ping) during scan (deprecated)'.
    md manage:MESSAGE:2024-06-21 04h12.13 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.111091:1 has changed from 'Report NVT debug logs' to 'Report VT debug logs'.
    md manage:MESSAGE:2024-06-21 04h12.13 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.12288:16 has changed from 'Mark host as dead if going offline (failed ICMP ping) during scan' to 'Mark host as dead if going offline (failed ICMP ping) during scan (deprecated)'.
    md manage:MESSAGE:2024-06-21 04h12.14 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.100509:6 has changed from 'Report vulnerabilities of inactive Linux Kernel(s) separately' to 'Report vulnerabilities of inactive Linux Kernel(s) separately (only for GOS 21.04 and older)'.
    md manage:MESSAGE:2024-06-21 04h12.14 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.100509:6 has changed from 'Report vulnerabilities of inactive Linux Kernel(s) separately' to 'Report vulnerabilities of inactive Linux Kernel(s) separately (only for GOS 21.04 and older)'.
    md manage:MESSAGE:2024-06-21 04h12.14 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.111091:1 has changed from 'Report NVT debug logs' to 'Report VT debug logs'.
    md manage:MESSAGE:2024-06-21 04h12.14 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.12288:16 has changed from 'Mark host as dead if going offline (failed ICMP ping) during scan' to 'Mark host as dead if going offline (failed ICMP ping) during scan (deprecated)'.
    md   main:MESSAGE:2024-06-21 04h12.14 utc:25:    Greenbone Vulnerability Manager version 23.6.2 (DB revision 255)
    md manage:   INFO:2024-06-21 04h12.14 utc:25:    Getting users.
    md   main:MESSAGE:2024-06-21 04h12.18 utc:28:    Greenbone Vulnerability Manager version 23.6.2 (DB revision 255)
    md manage:   INFO:2024-06-21 04h12.18 utc:28:    Modifying setting.
    md   main:MESSAGE:2024-06-21 04h12.22 utc:29:    Greenbone Vulnerability Manager version 23.6.2 (DB revision 255)
    libgvm base:CRITICAL:2024-06-21 04h12.27 utc:30: pidfile_create: failed to open pidfile /run/gvmd/gvmd.pid: Permission denied

I tried configuring my script's Dockerfile in this way.

    # Beginning of the Dockerfile  ...

    RUN mkdir -p /run/gvmd && \
        chown -R 1001:1001 /run/gvmd && \
        chmod 755 /run/gvmd && \
        apt-get update -y && \
        apt-get install -y net-tools

    # Expose port and set environment variable
    EXPOSE 80
    ENV PYTHONUNBUFFERED=1

    # Start the application
    CMD gunicorn "script:create()" -b 0.0.0.0:80

I also tried restarting the gvmd container and my script container several times.

When I run the script from my host with this volume in the docker-compose configuration, /tmp/run/gvm/gvmd.sock:/run/gvmd/gvmd.sock, everything works fine.

I attempted to expose port 9390 on my script's container, but it had no impact.
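The "[Errno 111] Connection refused" above is ECONNREFUSED, which the kernel returns when a socket file exists but no process is accepting on it; a uid/gid mismatch on the socket or its directory would instead fail with EACCES (errno 13), so the two symptoms point at different fixes. The following added example (not code from the question or from python-gvm) classifies a socket path by these failure modes and reproduces them with sockets it constructs in a temporary directory; the path names are constructed.

```python
"""Diagnose why connect() to a Unix-domain socket fails.

Added example, not from the question or python-gvm: separates the failure
modes that an "Unable to connect" message lumps together."""
import os
import socket
import stat
import tempfile


def diagnose_socket(path: str) -> str:
    """'missing' (ENOENT), 'not-a-socket', 'denied' (EACCES: uid/gid or mode
    mismatch), 'stale' (ECONNREFUSED: file exists, nobody listening) or 'ok'."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(2)
        try:
            s.connect(path)
        except PermissionError:
            return "denied"
        except ConnectionRefusedError:
            return "stale"
    return "ok"


def ownership_hint(path: str) -> str:
    """Socket owner/mode beside the caller's ids: the usual explanation of 'denied'."""
    st = os.stat(path)
    return (f"owner uid={st.st_uid} gid={st.st_gid} mode={stat.S_IMODE(st.st_mode):04o}; "
            f"caller euid={os.geteuid()} egid={os.getegid()}")


def demo() -> list:
    """Reproduce 'missing', 'stale' and 'ok' with constructed sockets in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "gvmd.sock")  # constructed path, not the real socket
        results = [diagnose_socket(path)]    # nothing there yet -> 'missing'
        dead = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        dead.bind(path)
        dead.close()                         # file stays behind, no listener -> 'stale'
        results.append(diagnose_socket(path))
        os.unlink(path)
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
            srv.bind(path)
            srv.listen(1)                    # a live daemon -> 'ok'
            results.append(diagnose_socket(path))
    return results
```

Run `diagnose_socket("/run/gvmd/gvmd.sock")` inside the script container: 'stale' means gvmd itself is not up (consistent with the pidfile error in the log), while 'denied' means the user/group mapping is the problem.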


Solution

  • I tried again on another machine and everything worked normally. I then retried on the original server and again encountered many problems.

    But here is the solution I found:

        docker images | grep greenbone | awk '{print $3}' | xargs docker rmi

        # Beginning of the Dockerfile  ...

        RUN groupadd -g 1001 scriptuser && \
            useradd  -u 1001 -g scriptuser scriptuser

        RUN chown -R scriptuser:scriptuser /scriptdir


        USER scriptuser
        # Expose port and set environment variable
        EXPOSE 80
        ENV PYTHONUNBUFFERED=1

        # Start the application
        CMD gunicorn "script:create()" -b 0.0.0.0:80


    Finally, everything works correctly.