Gvmd.sock connection refused

alessio · August 12, 2021, 8:42am

Hello everyone,

i am dealing with the problem that i cant login into my GSA.
It always gives me the following error:
The Greenbone Vulnerability Manager service is not responding. This could be due to system maintenanceIn my gsad.log i found something whoch could be the cuase oif this behaviour

Failed to connect to server at /opt/gvm/var/run/gvmd.sock: Connection refused

all the services are up and running, i dont see any problems with permisson for the gvmd.sock
What can i do?
I use Greenbone Vulneravility Manager 20.08

best regards,
alessio

bricks · August 13, 2021, 5:35am

Did you check if gvmd is listening on this unix socket path?

alessio · August 13, 2021, 9:19am

Hi,
i couldnt determine if gvmd is listening on this socket path. In gvm-tools.conf in section [unixsocket]
my socketpath is /opt/gvm/var/run/gvmd.sock

With ss -tulpn | grep LISTEN i see that gvmd is listening on 9390
tcp LISTEN 0 512 0.0.0.0:9390 0.0.0.0:* users:(("gvmd",pid=137277,fd=4))

The status of my gmvd service says:
gvmd.service: Can't open PID file /opt/gvm/var/run/gvmd.pid (yet?) after start: Operation not permitted
The owner in /opt/gvm/var/run is the non privileged user gvm, additionally i set the permissions to 755.

Is there anything else i could check?

alessio · August 18, 2021, 9:28am

Is there nothing else i can do? I am afraid i need to install everything again

alessio · August 26, 2021, 1:15pm

Hi,
has someone an idea? This problem is really bugging me

best regards

Lukas · August 26, 2021, 1:35pm

You need to ensure the permissions here as well.
It might be better to follow LSB 4.9. /usr/local : Local hierarchy

and still use /var/run from the system.

Installing software from the source without setting up a package & repository might be complicated. As well you need to deal with the permissions starting from the “/” fs-root.

bricks · August 26, 2021, 2:21pm

It seems you are building using some guide from the internet to build from source. It is best to use https://greenbone.github.io/docs/ instead.

bricks · August 26, 2021, 2:23pm

Just a small hint from another topic in this forum the gvm user needs read (and execute permissions for directories) for the whole path to /opt/gvm/var/run.

alessio · August 28, 2021, 12:56pm

Hi,
thank you for the answers. I checked the paths and set permissions to 755 (whole path starting from root).
Here a screen of the content in /opt/gvm/var/run/
grafik

Still, the gsad.log says the gvmd.socket refuses the connection.
What i forgot to mention is, this happens since i needed to reboot the server due to new certificates.

best regards

alessio · September 12, 2021, 5:24pm

had some time to deal wiht this problem again. I figured out that gvmd refuses any connectuons because of parameter -a in this line of my gvmd service unit:
ExecStart=/opt/gvm/sbin/gvmd -a 0.0.0.0--osp-vt-update=/opt/gvm/var/run/ospd.sock
Without this line it works like a charm but my TLS connection does not work anymore, unfortunately i need TLS to use gmp remotely.

Can anyone help?

cfi · September 13, 2021, 8:48am

AFAIK if you’re changing gvmd to listen on a TCP socket instead of an Unix socket you need to also tell gsad to connect via a TCP socket and not via Unix socket (which is the default). Otherwise the The Greenbone Vulnerability Manager service is not responding. is showing up while logging in.

This could help:

$ gsad --help | egrep "m(listen|port)"

  --mlisten=<address>                    Manager address.
  -m, --mport=<number>                   Use manager port number <number>.

alessio · September 14, 2021, 1:45pm

Hi,
currently my gvmd.service starts with:
ExecStart=/opt/gvm/sbin/gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock --port=9390 -a 0.0.0.0

so its listening on port 9390 for every ip adress.

my gsad.service runs with
ExecStart=/opt/gvm/sbin/gsad --mlisten=<ip_of_gvm> --mport=9390 --drop-privileges=gvm --ssl-private-key=/opt/gvm/sbin/certs/private.pem --ssl-certificate=/opt/gvm/sbin/certs/certificate.pem --timeout=3600

Heres my gvm-tools.conf for gmp authorization and my unixsocket

[gmp]
username=<...>
password=<...>

[unixsocket]
socketpath=/opt/gvm/var/run/gvmd.sock

My TLS works but my gvmd is not responding if i try to login. If i remove in my gvmd.service the listen address and the port, my TLS does not work anymore but i am able to login and my gvmd responds.

Did i miss something?

If it helps, heres my netstat of my listening ports

netstat -tulpn | grep LISTEN
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      934/redis-server 12
tcp        0      0 0.0.0.0:9390            0.0.0.0:*               LISTEN      370943/gvmd: Waitin
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      856/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      919/sshd: /usr/sbin
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      973/postgres
tcp6       0      0 :::443                  :::*                    LISTEN      946/gsad
tcp6       0      0 ::1:6379                :::*                    LISTEN      934/redis-server 12
tcp6       0      0 :::9392                 :::*                    LISTEN      1916/gsad
tcp6       0      0 :::22                   :::*                    LISTEN      919/sshd: /usr/sbin

alessio · September 23, 2021, 4:29pm

Hi,
if someone has a solution or a hint i would be glad. I am still struggling with this.