Greenbone Community Containers 22.4#

Running the Greenbone Community Edition from containers requires knowledge about:

Using a terminal
Using docker
Running services via docker-compose

Additionally, a basic knowledge about the architecture of the Greenbone Community Edition is required to understand the setup.

Note

This guide is intended for users who want to test the newest features and/or want to get familiar with the Greenbone Community Edition. It is not intended for production setups.

Currently the docs support the following distributions

Debian stable (bullseye)
Ubuntu 22.04 LTS
Fedora 35 and 36
CentOS 9 Stream

Most likely, other Debian derivatives like Mint and Kali will also work with only minor adjustments required.

Introduction#

This document provides a guide for running the Greenbone Community Edition from pre-build container images using Docker. It consists of a distributed service architecture, where each service is run in a dedicated container. The orchestration of these services is done via a docker-compose file.

With the Greenbone Community Containers, it is possible to scan your local network independent of the underlying operating system, installed software and tool chains.

Hardware Requirements#

Minimal:

CPU Cores: 2
Random-Access Memory: 4GB
Hard Disk: 20GB free

Recommended:

CPU Cores: 4
Random-Access Memory: 8GB
Hard Disk: 60GB free

Prerequisites#

Note

Please follow the guide step by step. Later steps might require settings or output of a previous command.

The command sudo is used for executing commands that require privileged access on the system.

Install curl#

curl is required for downloading files from this guide.

Install curl Debian package#

sudo apt install curl

Install curl Fedora/CentOS package#

sudo dnf install curl

Installing Docker#

docker is required for running the services within containers. Docker can be installed by running:

Install docker Debian/Ubuntu package#

sudo apt install docker.io

Install docker Fedora package#

sudo dnf -y install dnf-plugins-core
sudo dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo
sudo dnf install -y docker-ce docker-ce-cli containerd.io

Install docker Fedora package#

sudo dnf -y install dnf-plugins-core
sudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo dnf install -y docker-ce docker-ce-cli containerd.io

Installing docker-compose#

docker-compose version 1.27.0 or newer is required for starting and connecting the services of the Greenbone Community Edition. The description of the service orchestration is done by using compose files. A compose file for the Greenbone Community Edition is provided later on.

Install docker-compose Debian/Ubuntu package#

sudo apt install python3 python3-pip
python3 -m pip install --user docker-compose

Install docker-compose Fedora/CentOS package#

sudo dnf install python3-pip
python3 -m pip install --user docker-compose

Setup#

To allow the current user to run docker and therefore start the containers, they must be added to the docker user group. To make the group change effective, either logout and login again or use su.

Add current user to docker group and apply group changes for the current shell environment#

sudo usermod -aG docker $USER && su $USER

For downloading the Greenbone Community Edition docker compose file, a destination directory should be created.

Create download directory#

export DOWNLOAD_DIR=$HOME/greenbone-community-container && mkdir -p $DOWNLOAD_DIR

Docker Compose File#

To run the Greenbone Community Edition with containers, the following compose file should be used:

Docker Compose File#

services:
  vulnerability-tests:
    image: greenbone/vulnerability-tests
    environment:
      STORAGE_PATH: /var/lib/openvas/22.04/vt-data/nasl
    volumes:
      - vt_data_vol:/mnt

  notus-data:
    image: greenbone/notus-data
    volumes:
      - notus_data_vol:/mnt

  scap-data:
    image: greenbone/scap-data
    volumes:
      - scap_data_vol:/mnt

  cert-bund-data:
    image: greenbone/cert-bund-data
    volumes:
      - cert_data_vol:/mnt

  dfn-cert-data:
    image: greenbone/dfn-cert-data
    volumes:
      - cert_data_vol:/mnt
    depends_on:
      - cert-bund-data

  data-objects:
    image: greenbone/data-objects
    volumes:
      - data_objects_vol:/mnt

  report-formats:
    image: greenbone/report-formats
    volumes:
      - data_objects_vol:/mnt
    depends_on:
      - data-objects

  gpg-data:
    image: greenbone/gpg-data
    volumes:
      - gpg_data_vol:/mnt

  redis-server:
    image: greenbone/redis-server
    restart: on-failure
    volumes:
      - redis_socket_vol:/run/redis/

  pg-gvm:
    image: greenbone/pg-gvm:stable
    restart: on-failure
    volumes:
      - psql_data_vol:/var/lib/postgresql
      - psql_socket_vol:/var/run/postgresql

  gvmd:
    image: greenbone/gvmd:stable
    restart: on-failure
    volumes:
      - gvmd_data_vol:/var/lib/gvm
      - scap_data_vol:/var/lib/gvm/scap-data/
      - cert_data_vol:/var/lib/gvm/cert-data
      - data_objects_vol:/var/lib/gvm/data-objects/gvmd
      - vt_data_vol:/var/lib/openvas/plugins
      - psql_data_vol:/var/lib/postgresql
      - gvmd_socket_vol:/run/gvmd
      - ospd_openvas_socket_vol:/run/ospd
      - psql_socket_vol:/var/run/postgresql
    depends_on:
      pg-gvm:
        condition: service_started
      scap-data:
        condition: service_completed_successfully
      cert-bund-data:
        condition: service_completed_successfully
      dfn-cert-data:
        condition: service_completed_successfully
      data-objects:
        condition: service_completed_successfully
      report-formats:
        condition: service_completed_successfully

  gsa:
    image: greenbone/gsa:stable
    restart: on-failure
    ports:
      - 9392:80
    volumes:
      - gvmd_socket_vol:/run/gvmd
    depends_on:
      - gvmd

  ospd-openvas:
    image: greenbone/ospd-openvas:stable
    restart: on-failure
    init: true
    hostname: ospd-openvas.local
    cap_add:
      - NET_ADMIN # for capturing packages in promiscuous mode
      - NET_RAW # for raw sockets e.g. used for the boreas alive detection
    security_opt:
      - seccomp=unconfined
      - apparmor=unconfined
    command:
      [
        "ospd-openvas",
        "-f",
        "--config",
        "/etc/gvm/ospd-openvas.conf",
        "--mqtt-broker-address",
        "mqtt-broker",
        "--notus-feed-dir",
        "/var/lib/notus/advisories",
        "-m",
        "666"
      ]
    volumes:
      - gpg_data_vol:/etc/openvas/gnupg
      - vt_data_vol:/var/lib/openvas/plugins
      - notus_data_vol:/var/lib/notus
      - ospd_openvas_socket_vol:/run/ospd
      - redis_socket_vol:/run/redis/
    depends_on:
      redis-server:
        condition: service_started
      gpg-data:
        condition: service_completed_successfully
      vulnerability-tests:
        condition: service_completed_successfully

  mqtt-broker:
    restart: on-failure
    image: greenbone/mqtt-broker
    ports:
      - 1883:1883
    networks:
      default:
        aliases:
          - mqtt-broker
          - broker

  notus-scanner:
    restart: on-failure
    image: greenbone/notus-scanner:stable
    volumes:
      - notus_data_vol:/var/lib/notus
      - gpg_data_vol:/etc/openvas/gnupg
    environment:
      NOTUS_SCANNER_MQTT_BROKER_ADDRESS: mqtt-broker
      NOTUS_SCANNER_PRODUCTS_DIRECTORY: /var/lib/notus/products
    depends_on:
      - mqtt-broker
      - gpg-data
      - vulnerability-tests

  gvm-tools:
    image: greenbone/gvm-tools
    volumes:
      - gvmd_socket_vol:/run/gvmd
      - ospd_openvas_socket_vol:/run/ospd
    depends_on:
      - gvmd
      - ospd-openvas

volumes:
  gpg_data_vol:
  scap_data_vol:
  cert_data_vol:
  data_objects_vol:
  gvmd_data_vol:
  psql_data_vol:
  vt_data_vol:
  notus_data_vol:
  psql_socket_vol:
  gvmd_socket_vol:
  ospd_openvas_socket_vol:
  redis_socket_vol:

Download#

It is possible to just copy and paste the docker compose file. Alternatively, it can be downloaded with the following command directly:

Downloading docker-compose file#

cd $DOWNLOAD_DIR && curl -f -L https://greenbone.github.io/docs/latest/_static/docker-compose-22.4.yml -o docker-compose.yml

Description#

The following table describes the provided containers of the docker compose file and their services in detail.

Container	Service	Description
redis-server	Redis Server	A redis server with an adjusted config. Used to store VT data and scan results by the scanner.
pg-gvm	postgresql	A PostgreSQL database cluster setup for use with gvmd. The actual data is stored in the `psql_data_vol` volume.
gvmd	gvmd	A container for gvmd that uses unix sockets in volumes to communicate with the PostgreSQL database and ospd-openvas scanner. The downloaded feed data is stored in the `gvmd_data_vol` volume. To verify the feed data, the GPG keyring from the `gpg_data_vol` is used.
gsa	gsad	A container running the gsad web server for providing the web application GSA. The web interface is available at localhost on port 9392. For communication with gvmd, a unix socket in a volume is used.
ospd-openvas	ospd-openvas	A container providing the vulnerability scanner. The VT data from the feed is stored in the `vt_data_vol` volume. To verify the feed data, the GPG keyring from the `gpg_data_vol` is used. The connection to the redis server is established via a unix socket in a volume.
mqtt-broker	Mosquitto MQTT Broker	An MQTT Broker used for communication between notus-scanner, openvas-scanner and ospd-openvas.
notus-scanner	notus-scanner	A container running the notus-scanner used for local security checks. To verify the feed data, the GPG keyring from the `gpg_data_vol` is used. The feed data for notus-scanner itself is stored in the `notus_data_vol`.
gvm-tools		A container providing the gvm-tools CLI to query and control gvmd and ospd-openvas.
gpg-data		A container that copies a GPG keyring with Greenbone’s public signing keys into the `gpg_data_vol` volume on startup. It exits afterwards.
vulnerability-tests		A container that copies vulnerability tests (VTs) into the `vt_data_vol` volume on startup. Shows the license and exists afterwards.
notus-data		A container that copies vulnerability information for notus-scanner into the `notus_data_vol` volume on startup. Shows the license and exists afterwards.
scap-data		A container that copies CVE and CPE data into the `scap_data_vol` volume on startup. Shows the license and exists afterwards.
cert-bund-data		A container that copies CERT-Bund data into the `cert_data_vol` volume on startup. Shows the license and exists afterwards.
dfn-cert-data		A container that copies DFN-CERT data into the `cert_data_vol` volume on startup. Shows the license and exists afterwards.
data-objects		A container that copies scan configs, compliance policies and port lists into the `data_objects_vol` volume on startup. Shows the license and exists afterwards.
report-formats		A container that copies report formats into the `data_objects_vol` volume on startup. Shows the license and exists afterwards.

Starting the Greenbone Community Containers#

Using the docker compose file, the container images can be downloaded (pulled) and the containers can be started in the background.

Downloading the Greenbone Community Containers#

docker-compose -f $DOWNLOAD_DIR/docker-compose.yml -p greenbone-community-edition pull

Starting the Greenbone Community Containers#

docker-compose -f $DOWNLOAD_DIR/docker-compose.yml -p greenbone-community-edition up -d

To get a continuous stream of the log output of all services, run the following command:

Show log messages of all services from the running containers#

docker-compose -f $DOWNLOAD_DIR/docker-compose.yml -p greenbone-community-edition logs -f

The log stream can be stopped by pressing Ctrl-C.

Setting up an Admin User#

Warning

By default, a user admin with the password admin is created. This is insecure and it is highly recommended to set a new password.

To update the administrator user with a password of your choice instead of the generated password, the following command can be used:

Updating password of administrator user#

docker-compose -f $DOWNLOAD_DIR/docker-compose.yml -p greenbone-community-edition \
    exec -u gvmd gvmd gvmd --user=admin --new-password=<password>

Starting the Vulnerability Management#

After the services have started and all feed data has been loaded, the Greenbone Security Assistant web interface – GSA – can be opened in the browser.

Opening Greenbone Security Assistant in the browser#

xdg-open "http://127.0.0.1:9392" 2>/dev/null >/dev/null &

The browser will show the login page of GSA and after using the credentials created before, it is possible to start with vulnerability scanning.

Launching Greenbone Security Assistant for the first time — Greenbone Security Assistant after logging in for the first time#

Setup and Start Script#

Note

Please remember to follow the instructions described in the Prerequisites first.

As a quick solution we provide all the commands above in a single script. This script can be downloaded with the following command directly:

Downloading setup and start script to the current working dir#

curl -f -O https://greenbone.github.io/docs/latest/_static/setup-and-start-greenbone-community-edition.sh && chmod u+x setup-and-start-greenbone-community-edition.sh

To execute the script following command needs to be run

Run setup and start script#

./setup-and-start-greenbone-community-edition.sh 22.4