Can't start ospd-openvas.service: Could not gather openvas settings

felixN · December 1, 2021, 7:57pm

Hello y’all.

I’m having trouble getting the GVM to start properly. I’ve refrained from posting here as I’ve read many times that if you’re not experienced with building from source - which I’m not - it’s advised to rather use the GSM Trial or similar.

Since I’ve put a lot of research and work into this already and feel like I’m almost there, I really want to finish it though, so if you could push me in the right direction, I’d be very grateful.

I have written a setup script for this service which downloads the release .tar.gz archives, extracts them and builds the Software. The versions I use are listed below.
I installed everything in /opt/gvm.
PostgreSQL and Redis-Server as well as GVMD and GSAD are running fine.
When I try to start ospd-openvas.service, it fails though.
I don’t know if I completely borked something, but I feel I’m just missing some detail somewhere. Logs (see below) say No such file or directory: 'openvas': 'openvas'.
My guess is, that it has to do with the config-files that exist as examples in $SOURCE_DIR/ospd-openvas-21.4.3/config but I thought I had those covered with the start options in my service file.
Can anyone please help me?

cat /etc/systemd/system/ospd-openvas.service

[Unit]
Description=Open Scanner Protocol daemon for OpenVAS
After=network.target redis-server@openvas.service
Wants=redis-server@openvas.service

[Service]
Type=forking
User=gvm
Group=gvm
WorkingDirectory=/opt/gvm
PIDFile=/opt/gvm/run/gvm/ospd-openvas.pid
ExecStart=/opt/gvm/bin/ospd-scanner/bin/python /opt/gvm/bin/ospd-scanner/bin/ospd-openvas --pid-file /opt/gvm/run/gvm/ospd-openvas.pid --unix-socket=/opt/gvm/run/gvm/ospd.sock --log-file /opt/gvm/var/log/gvm/ospd-scanner.log --lock-file-dir /opt/gvm/run/gvm/ospd
Restart=on-failure
RestartSec=2min
KillMode=process
KillSignal=SIGINT
GuessMainPID=no
PrivateTmp=true

[Install]
WantedBy=multi-user.target

cat /opt/gvm/var/log/gvm/ospd-scanner.log:

...
OSPD[1097] 2021-12-01 21:12:46,202: WARNING: (ospd_openvas.openvas) Could not gather openvas settings. Reason [Errno 2] No such file or directory: 'openvas': 'openvas'
OSPD[1097] 2021-12-01 21:12:51,210: WARNING: (ospd_openvas.openvas) Could not gather openvas settings. Reason [Errno 2] No such file or directory: 'openvas': 'openvas'
OSPD[1097] 2021-12-01 21:12:56,218: WARNING: (ospd_openvas.openvas) Could not gather openvas settings. Reason [Errno 2] No such file or directory: 'openvas': 'openvas'
OSPD[1097] 2021-12-01 21:13:01,225: WARNING: (ospd_openvas.openvas) Could not gather openvas settings. Reason [Errno 2] No such file or directory: 'openvas': 'openvas'
OSPD[1097] 2021-12-01 21:13:06,232: WARNING: (ospd_openvas.openvas) Could not gather openvas settings. Reason [Errno 2] No such file or directory: 'openvas': 'openvas'
OSPD[1097] 2021-12-01 21:13:11,237: ERROR: (ospd_openvas.db) Redis Error: Not possible to connect to the kb.
OSPD[1137] 2021-12-01 21:15:11,453: WARNING: (ospd_openvas.openvas) Could not gather openvas settings. Reason [Errno 2] No such file or directory: 'openvas': 'openvas'
OSPD[1137] 2021-12-01 21:15:16,461: WARNING: (ospd_openvas.openvas) Could not gather openvas settings. Reason [Errno 2] No such file or directory: 'openvas': 'openvas'
OSPD[1137] 2021-12-01 21:15:21,468: WARNING: (ospd_openvas.openvas) Could not gather openvas settings. Reason [Errno 2] No such file or directory: 'openvas': 'openvas'
OSPD[1137] 2021-12-01 21:15:26,475: WARNING: (ospd_openvas.openvas) Could not gather openvas settings. Reason [Errno 2] No such file or directory: 'openvas': 'openvas'
OSPD[1137] 2021-12-01 21:15:31,482: WARNING: (ospd_openvas.openvas) Could not gather openvas settings. Reason [Errno 2] No such file or directory: 'openvas': 'openvas'
OSPD[1137] 2021-12-01 21:15:36,488: ERROR: (ospd_openvas.db) Redis Error: Not possible to connect to the kb.

echo $PATH

/home/my-user/.local/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/opt/gvm/sbin:/opt/gvm/bin

GVM versions

gsad: 21.4.3
gvmd: 21.4.4
openvas-scanner: 21.4.3
gvm-libs: 21.4.3

Environment

Operating system: Debian 10 / Buster
Kernel: Linux 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 GNU/Linux
Installation method / source: Built from source via shell script

heewey · December 2, 2021, 11:24am

Hi,

are you sure that the cmake was done with the correct path?

https://greenbone.github.io/docs/gvm-21.04/index.html#ospd-openvas

felixN · December 2, 2021, 12:40pm

Well I could check, if I could understand what it’s looking for. It only says “openvas” doesn’t exist, not where it expects it to be.
Are you referring to the cmake options of the OpenVAS scanner? What am i looking for? Or better: what is ospd looking for?

The line for the scanner in my script is:
cmake $SOURCE_DIR/openvas-scanner-21.4.3 -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX -DCMAKE_BUILD_TYPE=Release -DSYSCONFDIR=/etc -DLOCALSTATEDIR=/opt/gvm/var \ -DOPENVAS_FEED_LOCK_PATH=/opt/gvm/var/lib/openvas/feed-update.lock -DOPENVAS_RUN_DIR=/opt/gvm/run/ospd &> /dev/null

Ah my bad, you were linking to the ospd. There is no cmake statement there, does it happen in the setup.py?

ospd is installed like this:

virtualenv --python python3.7 /opt/gvm/bin/ospd-scanner
source /opt/gvm/bin/ospd-scanner/bin/activate
cd $SOURCE_DIR/ospd-21.4.4
pip3 install .

cd $SOURCE_DIR/ospd-openvas-21.4.3
pip3 install .

heewey · December 2, 2021, 1:02pm

If you start the unit via systemd, then the output is in journalctl -xe

In the ospd log is just an error message without dependency detail.

felixN · December 2, 2021, 1:06pm

I looked at journalctl -xe, but it didnt help me. Here it is:

Dez 02 15:07:20 VulnerabilityScanner systemd[1]: Starting Open Scanner Protocol daemon for OpenVAS...
-- Subject: A start job for unit ospd-openvas.service has begun execution
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A start job for unit ospd-openvas.service has begun execution.
--
-- The job identifier is 26912.
Dez 02 15:07:45 VulnerabilityScanner systemd[1]: ospd-openvas.service: Control process exited, code=exited, status=1/FAILURE
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- An ExecStart= process belonging to unit ospd-openvas.service has exited.
--
-- The process' exit code is 'exited' and its exit status is 1.
Dez 02 15:07:45 VulnerabilityScanner systemd[1]: ospd-openvas.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- The unit ospd-openvas.service has entered the 'failed' state with result 'exit-code'.
Dez 02 15:07:45 VulnerabilityScanner systemd[1]: Failed to start Open Scanner Protocol daemon for OpenVAS.
-- Subject: A start job for unit ospd-openvas.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A start job for unit ospd-openvas.service has finished with a failure.
--
-- The job identifier is 26912 and the job result is failed.

heewey · December 2, 2021, 1:24pm

On my first installation on Debian, I had the same issue, then I delete the installed package ospd-openvas, because it was wrongly defined from my side when I installed it.

The correct installation was mentioned through the guide link in this queue.

As is in your post - cmake $SOURCE_DIR/openvas-scanner-21.4.3 -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX -DCMAKE_BUILD_TYPE=Release -DSYSCONFDIR=/etc -DLOCALSTATEDIR=/opt/gvm/var \ -DOPENVAS_FEED_LOCK_PATH=/opt/gvm/var/lib/openvas/feed-update.lock -DOPENVAS_RUN_DIR=/opt/gvm/run/ospd &> /dev/null

It expect a directory in /opt/gvm/var/lib/openvas/ - is it really presented here? Has gmv user a correct rights to this directory?

If you have any trouble, then reinstall the component by the mentioned guide.

heewey · December 2, 2021, 1:26pm

felixN:

virtualenv --python python3.7 /opt/gvm/bin/ospd-scanner
source /opt/gvm/bin/ospd-scanner/bin/activate
cd $SOURCE_DIR/ospd-21.4.4
pip3 install .

cd $SOURCE_DIR/ospd-openvas-21.4.3
pip3 install .

Why you are mixing source versions?

felixN · December 2, 2021, 1:31pm

ll /opt/gvm/var/lib/openvas/

drwxrwsr-x  4 gvm  gvm    4096 Dez  1 20:11 .
drwxr-xr-x  4 root root   4096 Dez  1 20:11 ..
-rw-rw-r--  1 gvm  gvm      28 Dez  1 20:11 feed-update.lock
drwxrwS---  2 gvm  gvm    4096 Dez  1 20:11 gnupg
drwxrwxr-x 23 gvm  gvm  192512 Dez  1 20:18 plugins

Is this what’s expected to be there?

I’ve been doing a lot of resetting the whole machine with timeshift. I took a snapshot from the clean install of the VM and every time i make significant changes to the script, I roll back and test it, so if there is something wrong, it’s gotta be a wrong command somewhere.

I just cant figure out from the logs / errors, whats wrong and what should be where

felixN · December 2, 2021, 1:32pm

In the Guide it says:

export GVM_VERSION=21.4.3
...
...
...
export OSPD_VERSION=21.4.4
export OSPD_OPENVAS_VERSION=$GVM_VERSION

heewey · December 2, 2021, 1:36pm

my own version -

su - gvm

export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH &&\
cd /opt/gvm/src &&\
virtualenv --python python3.9  /opt/gvm/bin/ospd-scanner/ &&\
source /opt/gvm/bin/ospd-scanner/bin/activate

mkdir /opt/gvm/var/run/ospd/ &&\
cd ospd &&\
export PYTHONPATH=/opt/gvm/lib/python3.9/site-packages/
python3 -m pip install ospd --prefix=/opt/gvm
cd /opt/gvm/src

cd ospd-openvas &&\
python3 setup.py install --prefix=/opt/gvm
cd /opt/gvm/src

felixN · December 2, 2021, 1:48pm

Oh, I have an idea what the issue could be.
What file ownership / permissions does your /opt/gvm/bin/ospd-scanner directory have? Because I do stuff like updating and installing with apt in the script as well, I have to run it with sudo and I added sudo -u gvm where I dont want root to run the command. I didn’t do that here.
Could this be the issue?

heewey · December 2, 2021, 1:51pm

I do it by sudoers

visudo
gvm ALL = NOPASSWD: /opt/gvm/sbin/openvas
gvm ALL = NOPASSWD: /opt/gvm/sbin/gsad


Add to secure path /opt/gvm/sbin

heewey · December 2, 2021, 1:52pm

All is prepared just for user gvm and the whole it starts with gvm privilege.

felixN · December 2, 2021, 2:03pm

Yea, I do this:

echo "%gvm ALL = NOPASSWD: /opt/gvm/sbin/openvas" > /etc/sudoers.d/gvm_sudo
echo "%gvm ALL = NOPASSWD: /opt/gvm/sbin/gsad" >> /etc/sudoers.d/gvm_sudo && chmod 0440 /etc/sudoers.d/gvm_sudo
visudo -c -q
if [[ $? != 0 ]]; then
   rm /etc/sudoers.d/gvm_sudo
   echo "Syntax Error in sudoers file."
   exit 18
fi

I’ll try setting up the ospd in my virtualenv with user gvm instead of root and will report back with results soon.
Thanks so much for your time and input so far.

heewey · December 2, 2021, 2:10pm

Add to secure_path /opt/gvm/sbin in sudoers -

Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/gvm/sbin:/opt/gvm/bin"

felixN · December 2, 2021, 3:05pm

I added the secure_path and changed file ownership of /opt/gvm/bin/ospd-scanner to gvm:gvm, same problem.
Since the error says “Redis Error: Not possible to connect to the kb.” i’m wondering:

what is the “kb”, what does it stand for?
does this maybe have to do with location/permissions of the /run/redis-openvas/redis.sock? Should this be in /opt/gvm/run, or rather: where is it configured where ospd looks for redis?

i’ll now try using your code to install ospd in the virtualenv and report back

bricks · December 2, 2021, 3:47pm

That means openvas scanner can not reach redis via the socket. Normally the file permissions of the unix socket are not correct. Please follow Building GVM 21.04 — Greenbone Documentation documentation where the user gvm is added to the redis group and ospd-openvas (and therefore openvas too) are running under the gvm user.

felixN · December 3, 2021, 7:13pm

I read all that and used it for my script as well. I suspected permissions all along, but I can’t seem to find the issue

cat /etc/group

...
sudo:x:27:my-user,gvm
...
redis:x:114:gvm
gvm:x:998:my-user

ll /run/redis-openvas

drwxr-sr-x  2 redis redis  80 Dez  2 17:41 .
drwxr-xr-x 20 root  root  560 Dez  3 20:41 ..
-rw-rw----  1 redis redis   6 Dez  2 17:41 redis-server.pid
srwxrwx---  1 redis redis   0 Dez  2 17:41 redis.sock

ll /opt/gvm/var/lib

drwxr-xr-x 4 root root 4096 Dez  2 17:41 .
drwxr-xr-x 4 root root 4096 Dez  2 17:41 ..
drwxrwsr-x 8 gvm  gvm  4096 Dez  2 18:09 gvm
drwxrwsr-x 4 gvm  gvm  4096 Dez  2 17:41 openvas

ll /opt/gvm/var/log

drwxr-xr-x 3 root root 4096 Dez  2 17:41 .
drwxr-xr-x 4 root root 4096 Dez  2 17:41 ..
drwxrwsr-x 2 gvm  gvm  4096 Dez  3 20:43 gvm

ll /opt/gvm/run/gvm

drwxr-xr-x 2 gvm  gvm  4096 Dez  3 20:46 .
drwxr-xr-x 3 root root 4096 Dez  2 17:36 ..
-rw-r--r-- 1 root root    6 Dez  3 20:43 gsad.pid #is this a problem? gsad seems to be running fine
-rw-rw-r-- 1 gvm  gvm     0 Dez  2 17:48 gvm-checking
-rw-rw-r-- 1 gvm  gvm     0 Dez  2 17:48 gvm-create-functions
-rw------- 1 gvm  gvm     6 Dez  3 20:43 gvmd.pid
srw-rw---- 1 gvm  gvm     0 Dez  3 20:43 gvmd.sock
-rw-rw-r-- 1 gvm  gvm     0 Dez  2 17:48 gvm-helping
-rw-rw-r-- 1 gvm  gvm     0 Dez  2 17:48 gvm-migrating
-rw-rw-r-- 1 gvm  gvm     0 Dez  2 17:48 gvm-serving

ll /opt/gvm/sbin

drwxr-xr-x 2 root root    4096 Dez  2 17:41 .
drwxr-xr-x 9 root root    4096 Dez  2 18:10 ..
-rwxr----- 1 gvm  gvm      997 Dez  2 17:36 greenbone-certdata-sync
-rwxr----- 1 gvm  gvm    16852 Dez  2 17:36 greenbone-feed-sync
-rwxr----- 1 gvm  gvm      997 Dez  2 17:36 greenbone-scapdata-sync
-rwxr-xr-x 1 root root  409888 Dez  2 17:39 gsad # should this be owned by gvm?
-rwsr-s--- 1 gvm  gvm  2650184 Dez  2 17:36 gvmd
-rwxr-xr-x 1 root root   92064 Dez  2 17:41 openvas # should this be owned by gvm?

ll /opt/gvm/bin

# do those have the wrong owner?
drwxr-xr-x 3 root root    4096 Dez  2 17:41 .
drwxr-xr-x 9 root root    4096 Dez  2 18:10 ..
-rwxr-xr-x 1 gvm  gvm    17407 Dez  2 17:41 greenbone-nvt-sync
-rwxr-xr-x 1 root root   25823 Dez  2 17:36 gvm-manage-certs
-rwxr-xr-x 1 root root   29344 Dez  2 17:41 openvas-nasl
-rwxr-xr-x 1 root root   17752 Dez  2 17:41 openvas-nasl-lint
drwxr-xr-x 5 root root    4096 Dez  2 17:41 ospd-scanner
-rwxr-xr-x 1 root root 3059272 Dez  2 17:41 winexe
-rwxr-xr-x 1 root root 4946088 Dez  2 17:41 wmic

In my script (run as root):

useradd -r -M -U -G sudo -s /usr/sbin/nologin gvm
usermod -aG gvm $SUDO_USER
usermod -aG redis gvm

grep -qxF 'export PATH="$PATH:/opt/gvm/sbin:/opt/gvm/bin"' /etc/profile || (export PATH="$PATH:/opt/gvm/sbin:/opt/gvm/bin" && echo 'export PATH="$PATH:/opt/gvm/sbin:/opt/gvm/bin"' >> /etc/profile)

chown -R gvm:gvm $INSTALL_PREFIX/var/lib/gvm
chown -R gvm:gvm $INSTALL_PREFIX/var/lib/openvas
chown -R gvm:gvm $INSTALL_PREFIX/var/log/gvm
chown -R gvm:gvm $INSTALL_PREFIX/run/gvm
chown -R gvm:gvm $INSTALL_PREFIX/sbin/gvmd
chown -R gvm:gvm $INSTALL_PREFIX/bin/greenbone-nvt-sync
chown -R gvm:gvm $INSTALL_PREFIX/sbin/greenbone-*-sync
chmod -R g+srw $INSTALL_PREFIX/var/lib/gvm 
chmod -R g+srw $INSTALL_PREFIX/var/lib/openvas 
chmod -R g+srw $INSTALL_PREFIX/var/log/gvm
chmod 6750 $INSTALL_PREFIX/sbin/gvmd
chmod 740 $INSTALL_PREFIX/sbin/greenbone-feed-sync
chmod 740 $INSTALL_PREFIX/sbin/greenbone-*-sync
...
cp $SOURCE_DIR/openvas-scanner-21.4.3/config/redis-openvas.conf /etc/redis/
chown redis:redis /etc/redis/redis-openvas.conf

This should all be equivalent to the documentation or am I wrong? I can’t find my error.

heewey · December 5, 2021, 10:08am

Hi @felixN

There are many ways how to achieve GSA, It is obvious, that you can manage Linux machines and you understand basic principles regarding process permissions, then please dig deeper and follow the documentation mentioned here.

User gvm should have had rights for all GSA processes because It is recommended to avoid “root” permissions.