Greenbone Community Containers 21.4#

Running the Greenbone Community Edition from containers requires knowledge about:

Additionally, basic knowledge about the architecture of the Greenbone Community Edition is required to understand the setup.

Note

This guide is intended for users who want to test the newest features and/or want to get familiar with the Greenbone Community Edition. It is not intended for production setups.

Currently, the docs support the following distributions:

  • Debian stable (bullseye)

  • Ubuntu 22.04 LTS

  • Fedora 35 and 36

  • CentOS 9 Stream

Most likely, other Debian derivatives like Mint and Kali will also work with only minor adjustments required.

Introduction#

This document provides a guide for running the Greenbone Community Edition from pre-built container images using Docker. It consists of a distributed service architecture, where each service is run in a dedicated container. The orchestration of these services is done via a docker-compose file.

With the Greenbone Community Containers, it is possible to scan your local network independent of the underlying operating system, installed software and tool chains.

Hardware Requirements#

Minimal:

  • CPU Cores: 2

  • Random-Access Memory: 4GB

  • Hard Disk: 20GB free

Recommended:

  • CPU Cores: 4

  • Random-Access Memory: 8GB

  • Hard Disk: 60GB free

Prerequisites#

Note

Please follow the guide step by step. Later steps might require settings or output of a previous command.

The command sudo is used for executing commands that require privileged access on the system.

Install curl#

curl is required for downloading files from this guide.

Install curl Debian package#
sudo apt install curl

Installing Docker#

docker is required for running the services within containers. Docker can be installed by running:

Install docker Debian/Ubuntu package#
sudo apt install docker.io

Installing docker-compose#

docker-compose version 1.27.0 or newer is required for starting and connecting the services of the Greenbone Community Edition. The description of the service orchestration is done by using compose files. A compose file for the Greenbone Community Edition is provided later on.

Install docker-compose Debian/Ubuntu package#
sudo apt install python3 python3-pip
python3 -m pip install --user docker-compose
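The guide requires docker-compose 1.27.0 or newer. The following preflight check is an added example (not part of the Greenbone docs) that reads the installed version with `docker-compose version --short` and compares it against that minimum before the compose file is downloaded.

```shell
# Added example, not from the Greenbone docs: verify the installed docker-compose
# satisfies the 1.27.0 minimum required by this guide.
version_ge() {
    # Returns 0 if dotted version $1 >= $2, comparing numeric fields left to right.
    # Assumes plain numeric components such as 1.27.0 or 1.29.2 (no suffixes).
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

check_compose_version() {
    # Returns 0 when docker-compose on PATH is >= 1.27.0, 1 when too old,
    # 2 when the binary is not found at all.
    installed=$(docker-compose version --short 2>/dev/null) || {
        echo "docker-compose not found on PATH" >&2
        return 2
    }
    if version_ge "$installed" "1.27.0"; then
        echo "docker-compose $installed satisfies the 1.27.0 minimum"
    else
        echo "docker-compose $installed is too old; 1.27.0 or newer is required" >&2
        return 1
    fi
}
```

Note that `pip install --user` places the binary in `~/.local/bin`, which must be on `PATH` for the check (and the later commands) to find it.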

Setup#

To allow the current user to run docker and therefore start the containers, they must be added to the docker user group. To make the group change effective, either log out and log in again or use su.

Add current user to docker group and apply group changes for the current shell environment#
sudo usermod -aG docker $USER && su $USER

For downloading the Greenbone Community Edition docker compose file, a destination directory should be created.

Create download directory#
export DOWNLOAD_DIR=$HOME/greenbone-community-container && mkdir -p $DOWNLOAD_DIR

Docker Compose File#

To run the Greenbone Community Edition with containers, the following compose file should be used:

Docker Compose File#
services:
  vulnerability-tests:
    image: greenbone/vulnerability-tests
    environment:
      STORAGE_PATH: /var/lib/openvas/21.04/vt-data/nasl
    volumes:
      - vt_data_vol:/mnt

  scap-data:
    image: greenbone/scap-data
    volumes:
      - scap_data_vol:/mnt

  cert-bund-data:
    image: greenbone/cert-bund-data
    volumes:
      - cert_data_vol:/mnt

  dfn-cert-data:
    image: greenbone/dfn-cert-data
    volumes:
      - cert_data_vol:/mnt
    depends_on:
      - cert-bund-data

  data-objects:
    image: greenbone/data-objects
    volumes:
      - data_objects_vol:/mnt

  report-formats:
    image: greenbone/report-formats
    volumes:
      - data_objects_vol:/mnt
    depends_on:
      - data-objects

  gpg-data:
    image: greenbone/gpg-data
    volumes:
      - gpg_data_vol:/mnt

  redis-server:
    image: greenbone/redis-server
    restart: on-failure
    volumes:
      - redis_socket_vol:/run/redis/

  pg-gvm:
    image: greenbone/pg-gvm:oldstable
    restart: on-failure
    volumes:
      - psql_data_vol:/var/lib/postgresql
      - psql_socket_vol:/var/run/postgresql

  gvmd:
    image: greenbone/gvmd:oldstable
    restart: on-failure
    volumes:
      - gvmd_data_vol:/var/lib/gvm
      - scap_data_vol:/var/lib/gvm/scap-data/
      - cert_data_vol:/var/lib/gvm/cert-data
      - data_objects_vol:/var/lib/gvm/data-objects/gvmd
      - vt_data_vol:/var/lib/openvas/plugins
      - psql_data_vol:/var/lib/postgresql
      - gvmd_socket_vol:/run/gvmd
      - ospd_openvas_socket_vol:/run/ospd
      - psql_socket_vol:/var/run/postgresql
    depends_on:
      pg-gvm:
        condition: service_started
      scap-data:
        condition: service_completed_successfully
      cert-bund-data:
        condition: service_completed_successfully
      dfn-cert-data:
        condition: service_completed_successfully
      data-objects:
        condition: service_completed_successfully
      report-formats:
        condition: service_completed_successfully

  gsa:
    image: greenbone/gsa:oldstable
    restart: on-failure
    ports:
      - 9392:80
    volumes:
      - gvmd_socket_vol:/run/gvmd
    depends_on:
      - gvmd

  ospd-openvas:
    image: greenbone/ospd-openvas:oldstable
    restart: on-failure
    init: true
    hostname: ospd-openvas.local
    cap_add:
      - NET_ADMIN # for capturing packets in promiscuous mode
      - NET_RAW # for raw sockets e.g. used for the boreas alive detection
    security_opt:
      - seccomp=unconfined
      - apparmor=unconfined
    volumes:
      - gpg_data_vol:/etc/openvas/gnupg
      - vt_data_vol:/var/lib/openvas/plugins
      - ospd_openvas_socket_vol:/run/ospd
      - redis_socket_vol:/run/redis/
    depends_on:
      redis-server:
        condition: service_started
      gpg-data:
        condition: service_completed_successfully
      vulnerability-tests:
        condition: service_completed_successfully

  gvm-tools:
    image: greenbone/gvm-tools
    volumes:
      - gvmd_socket_vol:/run/gvmd
      - ospd_openvas_socket_vol:/run/ospd
    depends_on:
      - gvmd
      - ospd-openvas

volumes:
  gpg_data_vol:
  scap_data_vol:
  cert_data_vol:
  data_objects_vol:
  gvmd_data_vol:
  psql_data_vol:
  vt_data_vol:
  psql_socket_vol:
  gvmd_socket_vol:
  ospd_openvas_socket_vol:
  redis_socket_vol:

Download#

It is possible to just copy and paste the docker compose file. Alternatively, it can be downloaded with the following command directly:

Downloading docker-compose file#
cd $DOWNLOAD_DIR && curl -f -L https://greenbone.github.io/docs/latest/_static/docker-compose-21.4.yml -o docker-compose.yml
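The gsa service in the compose file publishes `9392:80`. Docker binds a port given this way on all interfaces, so the web interface would be reachable from the local network as well, not only at localhost. The following helper is an added example (not part of the Greenbone docs) that rewrites the downloaded file so the mapping is bound to 127.0.0.1 only, and checks the result; it assumes the port line looks exactly as in the compose file above.

```shell
# Added example, not from the Greenbone docs: bind the published GSA port to the
# loopback interface instead of all interfaces.
bind_gsa_to_loopback() {
    # $1: path to the downloaded docker-compose.yml; rewrites "- 9392:80" in place.
    compose_file="$1"
    tmp="$compose_file.tmp"
    sed 's/^\([[:space:]]*- \)9392:80[[:space:]]*$/\1127.0.0.1:9392:80/' "$compose_file" > "$tmp" \
        && mv "$tmp" "$compose_file"
}

gsa_port_is_loopback() {
    # Returns 0 when port 9392 is mapped to 127.0.0.1 and no all-interface
    # "- 9392:80" mapping remains, 1 otherwise.
    grep -q '^[[:space:]]*- 127\.0\.0\.1:9392:80[[:space:]]*$' "$1" \
        && ! grep -q '^[[:space:]]*- 9392:80[[:space:]]*$' "$1"
}

# Apply to the downloaded compose file when it is present.
compose="${DOWNLOAD_DIR:-$HOME/greenbone-community-container}/docker-compose.yml"
if [ -f "$compose" ]; then
    bind_gsa_to_loopback "$compose" \
        && gsa_port_is_loopback "$compose" \
        && echo "GSA is now published on 127.0.0.1:9392 only"
fi
```

Run this before `docker-compose up`; a stack that is already running must be restarted for the changed port mapping to take effect.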

Description#

The following list describes the containers provided by the docker compose file and their services in detail.

  • redis-server (service: Redis Server): A Redis server with an adjusted config. Used to store VT data and scan results by the scanner.

  • pg-gvm (service: postgresql): A PostgreSQL database cluster set up for use with gvmd. The actual data is stored in the psql_data_vol volume.

  • gvmd (service: gvmd): A container for gvmd that uses unix sockets in volumes to communicate with the PostgreSQL database and the ospd-openvas scanner. The downloaded feed data is stored in the gvmd_data_vol volume. To verify the feed data, the GPG keyring from the gpg_data_vol is used.

  • gsa (service: gsad): A container running the gsad web server for providing the web application GSA. The web interface is available at localhost on port 9392. For communication with gvmd, a unix socket in a volume is used.

  • ospd-openvas (service: ospd-openvas): A container providing the vulnerability scanner. The VT data from the feed is stored in the vt_data_vol volume. To verify the feed data, the GPG keyring from the gpg_data_vol is used. The connection to the redis server is established via a unix socket in a volume.

  • gvm-tools: A container providing the gvm-tools CLI to query and control gvmd and ospd-openvas.

  • gpg-data: A container that copies a GPG keyring with Greenbone's public signing keys into the gpg_data_vol volume on startup. It exits afterwards.

  • vulnerability-tests: A container that copies vulnerability tests (VTs) into the vt_data_vol volume on startup. Shows the license and exits afterwards.

  • scap-data: A container that copies CVE and CPE data into the scap_data_vol volume on startup. Shows the license and exits afterwards.

  • cert-bund-data: A container that copies CERT-Bund data into the cert_data_vol volume on startup. Shows the license and exits afterwards.

  • dfn-cert-data: A container that copies DFN-CERT data into the cert_data_vol volume on startup. Shows the license and exits afterwards.

  • data-objects: A container that copies scan configs, compliance policies and port lists into the data_objects_vol volume on startup. Shows the license and exits afterwards.

  • report-formats: A container that copies report formats into the data_objects_vol volume on startup. Shows the license and exits afterwards.

Starting the Greenbone Community Containers#

Using the docker compose file, the container images can be downloaded (pulled) and the containers can be started in the background.

Downloading the Greenbone Community Containers#
docker-compose -f $DOWNLOAD_DIR/docker-compose.yml -p greenbone-community-edition pull
Starting the Greenbone Community Containers#
docker-compose -f $DOWNLOAD_DIR/docker-compose.yml -p greenbone-community-edition up -d

To get a continuous stream of the log output of all services, run the following command:

Show log messages of all services from the running containers#
docker-compose -f $DOWNLOAD_DIR/docker-compose.yml -p greenbone-community-edition logs -f

The log stream can be stopped by pressing Ctrl-C.

Setting up an Admin User#

Warning

By default, a user admin with the password admin is created. This is insecure and it is highly recommended to set a new password.

To update the administrator user with a password of your choice instead of the generated password, the following command can be used:

Updating password of administrator user#
docker-compose -f $DOWNLOAD_DIR/docker-compose.yml -p greenbone-community-edition \
    exec -u gvmd gvmd gvmd --user=admin --new-password=<password>

Starting the Vulnerability Management#

After the services have started and all data has been loaded, the Greenbone Security Assistant web interface – GSA – can be opened in the browser.

Opening Greenbone Security Assistant in the browser#
xdg-open "http://127.0.0.1:9392" 2>/dev/null >/dev/null &

The browser will show the login page of GSA and after using the credentials created before, it is possible to start with vulnerability scanning.

[Figure: Greenbone Security Assistant after logging in for the first time]

Setup and Start Script#

Note

Please remember to follow the instructions described in the Prerequisites first.

As a quick solution, we provide all the commands above in a single script. This script can be downloaded directly with the following command:

Downloading setup and start script to the current working directory#
curl -f -O https://greenbone.github.io/docs/latest/_static/setup-and-start-greenbone-community-edition.sh && chmod u+x setup-and-start-greenbone-community-edition.sh

To execute the script, the following command must be run:

Run setup and start script#
./setup-and-start-greenbone-community-edition.sh 21.4