Using gvm-tools (gvm-cli) with 22.4 docker instance

I have a dockerized instance of openvas 22.4, installed through the guide on https://greenbone.github.io/docs/latest/22.4/container/index.html

besides I have the web gui working, updated and with sucessfull scans, I need to user gvm-cli to manipulate openvas through the command line.

I installed gvm-tools with python 3.8 following the guide on https://github.com/greenbone/gvm-tools but still I cannot find where to point the socket file from docker volumes, or link it to /run so gvm-cli can talk with the installation.

the main question is, is it possible to use gvm-tools with openvas over docker?

using ubuntu 18.04 lts
kernel 4.15.0-189
install from dockerized 22.4 as mentioned

You have two possibilities either install gvm-tools in the gvmd container and run it inside or you need to adjust the volumes where the gvmd socket is stored. For the second solution you need to use a bind mount instead of a volume mount to /run/gvmd in the gvmd container. And you need to ensure that the user with the userid 1001 can read and write to the mounted directory.

Thanks for the prompt response

I tryed inside the greenbone/gvmd:stable containter to install as suggested here https://github.com/greenbone/gvm-tools#installation

sorry if its a basic questioning, but how could I install gvm-cli inside the container?

– edit
the container for gvmd already ahve python3 installed as default, followed this steps to install it

apt-get install python3-pip
pip3 install --user gvm-tools

will test now to use the cli on the machine

This works for me

docker-compose -f $DOWNLOAD_DIR/docker-compose.yml -p greenbone-community-edition exec gvmd /bin/bash
apt update
apt install python3-pip
python3 -m pip install gvm-tools
gosu gvmd bash
gvm-cli socket --socketpath /run/gvmd/gvmd.sock --xml "<get_version/>" --pretty
1 Like

Have installed inside the container but still cannot run the binary from outside, as it claims cannot be run as root.

ran again pip3 install gvm-tools (without the --user flag)

and added as suggested on the warning:
WARNING: The scripts gvm-cli, gvm-pyshell and gvm-script are installed in ‘/root/.local/bin’ which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.

with
root@a1145910cfc0:/# export PATH=$PATH:/root/.local/bin

but neither from outside the container with
docker exec -u 0 -it a1145910cfc0 gvm-cli
OCI runtime exec failed: exec failed: unable to start container process: exec: “gvm-cli”: executable file not found in $PATH: unknown

or inside it, I cannot use the gvm-cli command:
root@a1145910cfc0:/home# gvm-cli
Traceback (most recent call last):
File “/root/.local/bin/gvm-cli”, line 8, in
sys.exit(main())
File “/root/.local/lib/python3.9/site-packages/gvmtools/cli.py”, line 64, in main
do_not_run_as_root()
File “/root/.local/lib/python3.9/site-packages/gvmtools/helper.py”, line 164, in do_not_run_as_root
raise RuntimeError(‘This tool MUST NOT be run as root user.’)
RuntimeError: This tool MUST NOT be run as root user.

will look on how to do the second solution

Updated my message for the necessary user change with gosu gvmd bash.

thanks for the update, I was writing in paralel to you :slight_smile:

but yet still cannot call the binary:
docker-compose -f /home/administrator/greenbone-community-container/docker-compose-22.4.yml -p greenbone-community-edition exec gvmd /bin/bash
root@a1145910cfc0:/# apt update
Hit:1 http://deb.debian.org/debian stable InRelease
Hit:2 http://deb.debian.org/debian-security stable-security InRelease
Hit:3 http://deb.debian.org/debian stable-updates InRelease
Reading package lists… Done
Building dependency tree… Done
Reading state information… Done
All packages are up to date.
root@a1145910cfc0:/# apt install python3-pip
Reading package lists… Done
Building dependency tree… Done
Reading state information… Done
python3-pip is already the newest version (20.3.4-4+deb11u1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@a1145910cfc0:/# python3 -m pip install gvm-tools
Requirement already satisfied: gvm-tools in /root/.local/lib/python3.9/site-packages (22.6.1)
Requirement already satisfied: python-gvm>=21.5 in /root/.local/lib/python3.9/site-packages (from gvm-tools) (22.7.0)
Requirement already satisfied: paramiko<3.0.0,>=2.7.1 in /root/.local/lib/python3.9/site-packages (from python-gvm>=21.5->gvm-tools) (2.11.0)
Requirement already satisfied: lxml<5.0.0,>=4.5.0 in /root/.local/lib/python3.9/site-packages (from python-gvm>=21.5->gvm-tools) (4.9.1)
Requirement already satisfied: defusedxml<0.8,>=0.6 in /root/.local/lib/python3.9/site-packages (from python-gvm>=21.5->gvm-tools) (0.7.1)
Requirement already satisfied: bcrypt>=3.1.3 in /root/.local/lib/python3.9/site-packages (from paramiko<3.0.0,>=2.7.1->python-gvm>=21.5->gvm-tools) (3.2.2)
Requirement already satisfied: six in /root/.local/lib/python3.9/site-packages (from paramiko<3.0.0,>=2.7.1->python-gvm>=21.5->gvm-tools) (1.16.0)
Requirement already satisfied: cryptography>=2.5 in /root/.local/lib/python3.9/site-packages (from paramiko<3.0.0,>=2.7.1->python-gvm>=21.5->gvm-tools) (37.0.4)
Requirement already satisfied: pynacl>=1.0.1 in /root/.local/lib/python3.9/site-packages (from paramiko<3.0.0,>=2.7.1->python-gvm>=21.5->gvm-tools) (1.5.0)
Requirement already satisfied: cffi>=1.1 in /root/.local/lib/python3.9/site-packages (from bcrypt>=3.1.3->paramiko<3.0.0,>=2.7.1->python-gvm>=21.5->gvm-tools) (1.15.1)
Requirement already satisfied: pycparser in /root/.local/lib/python3.9/site-packages (from cffi>=1.1->bcrypt>=3.1.3->paramiko<3.0.0,>=2.7.1->python-gvm>=21.5->gvm-tools) (2.21)
root@a1145910cfc0:/# gosu gvmd bash
gvmd@a1145910cfc0:/$ gvm-cli socket --socketpath /run/gvmd/gvmd.sock --xml “<get_version/>” --pretty
bash: gvm-cli: command not found
gvmd@a1145910cfc0:/$ env
HOSTNAME=a1145910cfc0
PWD=/
HOME=/home/gvmd
TERM=xterm
SHLVL=2
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
_=/usr/bin/env
gvmd@a1145910cfc0:/$ export PATH=$PATH:/root/.local/bin
gvmd@a1145910cfc0:/$ env
HOSTNAME=a1145910cfc0
PWD=/
HOME=/home/gvmd
TERM=xterm
SHLVL=2
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/root/.local/bin
_=/usr/bin/env
gvmd@a1145910cfc0:/$ gvm-cli socket --socketpath /run/gvmd/gvmd.sock --xml “<get_version/>” --pretty
bash: gvm-cli: command not found

as well from outside the container:
docker exec -u 0 -it a1145910cfc0 gvm-cli
OCI runtime exec failed: exec failed: unable to start container process: exec: “gvm-cli”: executable file not found in $PATH: unknown

did I miss something?

Could you remove the container and just start from scratch? You broke the installation while running pip as root last time.

yes, restored a snapshot and installed again then could run inside the container

now trying to fix how to run gvm-cli from the host machine directly, as still not working.

running from inside the gvmd container its ok:
gvmd@2f8536d8bd8f:/$ gvm-cli socket --socketpath /run/gvmd/gvmd.sock --xml “<get_version/>” --pretty
Enter username: vw
Enter password for vw:
<get_version_response status=“200” status_text=“OK”>
22.4
</get_version_response>

from outside, the file dont exists,
$ gvm-cli socket --socketpath /run/gvmd/gvmd.sock --xml “<get_version/>” --pretty
ERROR:gvmtools.cli:Socket /run/gvmd/gvmd.sock does not exist

as you mentioned, if on the composer.yml I change this block:
gvmd:
image: greenbone/gvmd:stable
restart: on-failure
volumes:
- gvmd_data_vol:/var/lib/gvm
- vt_data_vol:/var/lib/openvas
- psql_data_vol:/var/lib/postgresql
- gvmd_socket_vol:/run/gvmd
- ospd_openvas_socket_vol:/run/ospd
- psql_socket_vol:/var/run/postgresql
depends_on:
- pg-gvm

to something like this:
gvmd:
image: greenbone/gvmd:stable
restart: on-failure
volumes:
- gvmd_data_vol:/var/lib/gvm
- vt_data_vol:/var/lib/openvas
- psql_data_vol:/var/lib/postgresql
- /run/gvmd:gvmd_socket_vol
- ospd_openvas_socket_vol:/run/ospd
- psql_socket_vol:/var/run/postgresql
depends_on:
- pg-gvm

would change the mount point to be the external path?

My main goal here is to be possible to call gvm-cli from the machine straight away without calling the container, or using docker exec, as it also dont work properly:
$ docker exec --user gvmd 2f8536d8bd8f gvm-cli socket --socketpath /run/gvmd/gvmd.sock --xml “<get_version/>” --pretty
Enter username: ERROR:gvmtools.cli:EOF when reading a line

As I wrote you need a bind mount. The short syntax is /path/to/your/dir/on/the/host:/path/in/the/container for example /tmp/greenbone/run/gvmd:/run/gvmd. Afterwards you can access the gvmd socket at /tmp/greenbone/run/gvmd/gvmd.sock on the host. And please be aware that the user 1001 need to be able to read and write to /tmp/greenbone/run/gvmd/. Also the directory must exists before starting the container.