Using gvm-tools (gvm-cli) with 22.4 docker instance

I have a dockerized instance of openvas 22.4, installed through the guide on Greenbone Community Containers 22.4 - Greenbone Community Documentation

Besides having the web GUI working, updated and with successful scans, I need to use gvm-cli to manipulate openvas through the command line.

I installed gvm-tools with python 3.8 following the guide on GitHub - greenbone/gvm-tools: Remote control your Greenbone Community Edition or Greenbone Enterprise Appliance but still I cannot find where to point the socket file from docker volumes, or link it to /run so gvm-cli can talk with the installation.

the main question is, is it possible to use gvm-tools with openvas over docker?

using ubuntu 18.04 lts
kernel 4.15.0-189
install from dockerized 22.4 as mentioned

You have two possibilities: either install gvm-tools in the gvmd container and run it inside, or adjust the volumes where the gvmd socket is stored. For the second solution you need to use a bind mount instead of a volume mount to /run/gvmd in the gvmd container. And you need to ensure that the user with the userid 1001 can read and write to the mounted directory.

3 Likes

Thanks for the prompt response

I tried inside the greenbone/gvmd:stable container to install as suggested here https://github.com/greenbone/gvm-tools#installation

sorry if it's a basic question, but how could I install gvm-cli inside the container?

– edit
the container for gvmd already has python3 installed as default, followed these steps to install it

apt-get install python3-pip
pip3 install --user gvm-tools

will test now to use the cli on the machine

This works for me

docker-compose -f $DOWNLOAD_DIR/docker-compose.yml -p greenbone-community-edition exec gvmd /bin/bash
apt update
apt install python3-pip
python3 -m pip install gvm-tools
gosu gvmd bash
gvm-cli socket --socketpath /run/gvmd/gvmd.sock --xml "<get_version/>" --pretty
3 Likes

Have installed inside the container but still cannot run the binary from outside, as it claims it cannot be run as root.

ran again pip3 install gvm-tools (without the --user flag)

and added as suggested on the warning:
WARNING: The scripts gvm-cli, gvm-pyshell and gvm-script are installed in '/root/.local/bin' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.

with
root@a1145910cfc0:/# export PATH=$PATH:/root/.local/bin

but neither from outside the container with
docker exec -u 0 -it a1145910cfc0 gvm-cli
OCI runtime exec failed: exec failed: unable to start container process: exec: "gvm-cli": executable file not found in $PATH: unknown

or inside it, I cannot use the gvm-cli command:
root@a1145910cfc0:/home# gvm-cli
Traceback (most recent call last):
  File "/root/.local/bin/gvm-cli", line 8, in <module>
    sys.exit(main())
  File "/root/.local/lib/python3.9/site-packages/gvmtools/cli.py", line 64, in main
    do_not_run_as_root()
  File "/root/.local/lib/python3.9/site-packages/gvmtools/helper.py", line 164, in do_not_run_as_root
    raise RuntimeError('This tool MUST NOT be run as root user.')
RuntimeError: This tool MUST NOT be run as root user.

will look on how to do the second solution

Updated my message for the necessary user change with gosu gvmd bash.

2 Likes

thanks for the update, I was writing in parallel to you :slight_smile:

but yet still cannot call the binary:
docker-compose -f /home/administrator/greenbone-community-container/docker-compose-22.4.yml -p greenbone-community-edition exec gvmd /bin/bash
root@a1145910cfc0:/# apt update
Hit:1 http://deb.debian.org/debian stable InRelease
Hit:2 http://deb.debian.org/debian-security stable-security InRelease
Hit:3 http://deb.debian.org/debian stable-updates InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
root@a1145910cfc0:/# apt install python3-pip
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
python3-pip is already the newest version (20.3.4-4+deb11u1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@a1145910cfc0:/# python3 -m pip install gvm-tools
Requirement already satisfied: gvm-tools in /root/.local/lib/python3.9/site-packages (22.6.1)
Requirement already satisfied: python-gvm>=21.5 in /root/.local/lib/python3.9/site-packages (from gvm-tools) (22.7.0)
Requirement already satisfied: paramiko<3.0.0,>=2.7.1 in /root/.local/lib/python3.9/site-packages (from python-gvm>=21.5->gvm-tools) (2.11.0)
Requirement already satisfied: lxml<5.0.0,>=4.5.0 in /root/.local/lib/python3.9/site-packages (from python-gvm>=21.5->gvm-tools) (4.9.1)
Requirement already satisfied: defusedxml<0.8,>=0.6 in /root/.local/lib/python3.9/site-packages (from python-gvm>=21.5->gvm-tools) (0.7.1)
Requirement already satisfied: bcrypt>=3.1.3 in /root/.local/lib/python3.9/site-packages (from paramiko<3.0.0,>=2.7.1->python-gvm>=21.5->gvm-tools) (3.2.2)
Requirement already satisfied: six in /root/.local/lib/python3.9/site-packages (from paramiko<3.0.0,>=2.7.1->python-gvm>=21.5->gvm-tools) (1.16.0)
Requirement already satisfied: cryptography>=2.5 in /root/.local/lib/python3.9/site-packages (from paramiko<3.0.0,>=2.7.1->python-gvm>=21.5->gvm-tools) (37.0.4)
Requirement already satisfied: pynacl>=1.0.1 in /root/.local/lib/python3.9/site-packages (from paramiko<3.0.0,>=2.7.1->python-gvm>=21.5->gvm-tools) (1.5.0)
Requirement already satisfied: cffi>=1.1 in /root/.local/lib/python3.9/site-packages (from bcrypt>=3.1.3->paramiko<3.0.0,>=2.7.1->python-gvm>=21.5->gvm-tools) (1.15.1)
Requirement already satisfied: pycparser in /root/.local/lib/python3.9/site-packages (from cffi>=1.1->bcrypt>=3.1.3->paramiko<3.0.0,>=2.7.1->python-gvm>=21.5->gvm-tools) (2.21)
root@a1145910cfc0:/# gosu gvmd bash
gvmd@a1145910cfc0:/$ gvm-cli socket --socketpath /run/gvmd/gvmd.sock --xml "<get_version/>" --pretty
bash: gvm-cli: command not found
gvmd@a1145910cfc0:/$ env
HOSTNAME=a1145910cfc0
PWD=/
HOME=/home/gvmd
TERM=xterm
SHLVL=2
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
_=/usr/bin/env
gvmd@a1145910cfc0:/$ export PATH=$PATH:/root/.local/bin
gvmd@a1145910cfc0:/$ env
HOSTNAME=a1145910cfc0
PWD=/
HOME=/home/gvmd
TERM=xterm
SHLVL=2
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/root/.local/bin
_=/usr/bin/env
gvmd@a1145910cfc0:/$ gvm-cli socket --socketpath /run/gvmd/gvmd.sock --xml "<get_version/>" --pretty
bash: gvm-cli: command not found

as well from outside the container:
docker exec -u 0 -it a1145910cfc0 gvm-cli
OCI runtime exec failed: exec failed: unable to start container process: exec: "gvm-cli": executable file not found in $PATH: unknown

did I miss something?

Could you remove the container and just start from scratch? You broke the installation while running pip as root last time.

2 Likes

yes, restored a snapshot and installed again then could run inside the container

now trying to fix how to run gvm-cli from the host machine directly, as still not working.

running from inside the gvmd container its ok:
gvmd@2f8536d8bd8f:/$ gvm-cli socket --socketpath /run/gvmd/gvmd.sock --xml "<get_version/>" --pretty
Enter username: vw
Enter password for vw:
<get_version_response status="200" status_text="OK">
22.4
</get_version_response>

from outside, the file doesn't exist:
$ gvm-cli socket --socketpath /run/gvmd/gvmd.sock --xml "<get_version/>" --pretty
ERROR:gvmtools.cli:Socket /run/gvmd/gvmd.sock does not exist

as you mentioned, if on the composer.yml I change this block:
  gvmd:
    image: greenbone/gvmd:stable
    restart: on-failure
    volumes:
      - gvmd_data_vol:/var/lib/gvm
      - vt_data_vol:/var/lib/openvas
      - psql_data_vol:/var/lib/postgresql
      - gvmd_socket_vol:/run/gvmd
      - ospd_openvas_socket_vol:/run/ospd
      - psql_socket_vol:/var/run/postgresql
    depends_on:
      - pg-gvm

to something like this:
  gvmd:
    image: greenbone/gvmd:stable
    restart: on-failure
    volumes:
      - gvmd_data_vol:/var/lib/gvm
      - vt_data_vol:/var/lib/openvas
      - psql_data_vol:/var/lib/postgresql
      - /run/gvmd:gvmd_socket_vol
      - ospd_openvas_socket_vol:/run/ospd
      - psql_socket_vol:/var/run/postgresql
    depends_on:
      - pg-gvm

would change the mount point to be the external path?

My main goal here is to be able to call gvm-cli from the machine straight away without calling the container, or using docker exec, as it also doesn't work properly:
$ docker exec --user gvmd 2f8536d8bd8f gvm-cli socket --socketpath /run/gvmd/gvmd.sock --xml "<get_version/>" --pretty
Enter username: ERROR:gvmtools.cli:EOF when reading a line

As I wrote, you need a bind mount. The short syntax is /path/to/your/dir/on/the/host:/path/in/the/container, for example /tmp/greenbone/run/gvmd:/run/gvmd. Afterwards you can access the gvmd socket at /tmp/greenbone/run/gvmd/gvmd.sock on the host. And please be aware that the user 1001 needs to be able to read and write to /tmp/greenbone/run/gvmd/. Also the directory must exist before starting the container.

1 Like

Hi,

I am having pretty much the same issue, I would like to access the socket outside the container (from my host), but am having trouble mounting the bind volume, added the following bind mount to the docker-compose file:

  gvmd:
    image: greenbone/gvmd:stable
    restart: on-failure
    volumes:
      - gvmd_data_vol:/var/lib/gvm
      - vt_data_vol:/var/lib/openvas
      - psql_data_vol:/var/lib/postgresql
      - gvmd_socket_vol:/run/gvmd
      - ospd_openvas_socket_vol:/run/ospd
      - psql_socket_vol:/var/run/postgresql
      - type: bind 
        source: /home/<user>/greenbone-community-container/socket/gvmd
        target: /run/gmvd
    depends_on:
      - pg-gvm

But am being met with an error when starting the containers:

ERROR: for greenbone-community-edition_gvmd_1 Cannot create container for service gvmd: invalid mount config for type "bind": bind source path does not exist: /run/gvmd

Now could I have got the syntax wrong in the compose file? or is this an issue with finding the socket path inside the container, as far as I can see it should be obvious enough as it's listed under volumes: like gvmd_socket_vol:/run/gvmd. I'm not too sure where this is going wrong. Any help would be appreciated.

You need to remove the old volume mount of course. Also ensure that

exists and the user and group 1001 have read and write permissions on this directory.

1 Like

So in removing the old volume, the GSA container cannot talk to gvmd_1 as it cannot connect to the socket...

gsa_1           | gsad  gmp:WARNING:2022-08-16 12h40.40 utc:13: Failed to connect to server at /run/gvmd/gvmd.sock: Connection refused
gsa_1           | gsad  gmp:WARNING:2022-08-16 12h40.40 utc:13: Authentication failure for 'admin' from 10.1.10.164. Status was 1.

as this line - gvmd_socket_vol:/run/gvmd creates a docker socket, so would it be easier for me to create another container which contains the external application that would interact with GVMD. My goal here is to build an API that can interact with GVMD via a "customer facing" web UI.

Of course you need to change that line for the gsad container too. Just mount the same dir into gsad.

I thought that right after I made the post, however it's not worked, still get the same error:

gsa_1           | gsad  gmp:WARNING:2022-08-16 13h53.13 utc:12: Failed to connect to server at /run/gvmd/gvmd.sock: No such file or directory
gsa_1           | gsad  gmp:WARNING:2022-08-16 13h53.13 utc:12: Authentication failure for 'admin' from 10.1.10.164. Status was 1.

I have only added the bind mount to gvmd and gsa:

      - type: bind 
        source: /home/adam/greenbone-community-container/socket/gvmd
        target: /run/gmvd

no socket file is created in the /home/<user>/greenbone-community-container/socket/gvmd directory. Docker is very new to me so I'm not very well caught up on how everything fits together.

I've just created a PR to add an explanation to our docs Add: Add section about exposing gvmd unix socket to host by bjoernricks · Pull Request #163 · greenbone/docs · GitHub

3 Likes

oh fantastic, thanks for the rapid response to this. Much appreciated.

3 Likes