Openvas distributed architecture, master-slave setup with common postgres database #109
Comments
I've looked at this before, but not gotten that far with it. |
Hi @immauss, will it be possible to expose these available ports [GSA Web Interface (8080:9392), 22/tcp for SSH, 9390/tcp GVM API Client, 5432/tcp PGSQL Client] in your multi-container build? Then this multi-container build will be more portable and scalable. Please check feasibility in the latest migration with pg13. |
So ... I was hoping that GB would get close to this with their upcoming container implementation by adding some TCP connection options for postgresql <-> gvmd ... however, they seem to have chosen the same method I'm using, which is a shared volume to hold the sockets. I'm not a fan of all the extra ssh connections to get this to work. Mainly because it seems like a lot of work and I just haven't had the time to put into it. I'm also not sure there is a huge use case for it. Most everyone I know is primarily interested in the single container option. That said ... I'm pretty sure you could still make this work using my container and some fancy docker-compose options to add anything additional and set up some things differently. I'm going to leave this open as a reminder for something I might try to do in the future, but right now, I just don't have the bandwidth. -Scott |
So GB has recently answered that this is still possible, and I have the directions. |
Hi @immauss, is there any update on the requested architecture enhancements? Thanks. |
Yes
I’ve managed to get it working, but have not fully tested it yet. I’m expecting to have some time in the next weeks to test and document and hope to make it available in early January.
-Scott
G.E. Scott Knauss
|
Hi Scott,
I was researching on the internet about forwarding UNIX socket communications to TCP ports, and found the "socat" tool, which is able to forward UNIX sockets to TCP ports.
I was trying that in the multi-container docker-compose file given by GB here:
https://greenbone.github.io/docs/latest/22.4/container/index.html#docker-compose-file
I added the services below to the docker compose file to forward the sockets to ports, but was not able to get it working over TCP.
```yaml
# Goes under "services:" in Greenbone's docker-compose file; the named volumes
# gvmd_socket_vol and ospd_openvas_socket_vol are already declared there.
socat-gvmd:            # service names must be unique; YAML rejects two "socat" keys
  image: alpine/socat
  # connect to the socket file, not the directory, and mount the volume holding it
  command: "TCP-LISTEN:6400,fork,reuseaddr UNIX-CONNECT:/run/gvmd/gvmd.sock"
  volumes:
    - gvmd_socket_vol:/run/gvmd
  ports:
    - "6400:6400"      # only GMP's own login stands in front of gvmd once this is published
  depends_on:
    - gvmd
socat-ospd:
  image: alpine/socat
  command: "TCP-LISTEN:6401,fork,reuseaddr UNIX-CONNECT:/run/ospd/ospd-openvas.sock"
  volumes:
    - ospd_openvas_socket_vol:/run/ospd
  ports:
    - "6401:6401"      # the OSP socket has no login of its own; restrict who can reach this
  depends_on:
    - ospd-openvas
```
[docker-compose_yml.txt](https://github.com/immauss/openvas/files/13811197/docker-compose_yml.txt)
I have attached the docker-compose file here for reference. You might get more of an idea about how to make this work, as you have more experience with this. I am still researching; if I get any luck, I will share it here.
|
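For the socat approach in the message above, here is an added example (written for this page, not code from the thread, from Greenbone or from immauss/openvas) of the same TCP-to-Unix-socket relay in stdlib Python, with a stand-in for gvmd that answers a GMP `<get_version/>` so the whole thing runs offline. The socket path, the ephemeral port and the canned XML reply are constructed for the demo; the relay logic is what socat's `TCP-LISTEN:...,fork UNIX-CONNECT:...` provides.

```python
import os
import socket
import tempfile
import threading
import xml.etree.ElementTree as ET

# Constructed stand-in reply; real gvmd output is richer and version-specific.
FAKE_VERSION_REPLY = (b'<get_version_response status="200" status_text="OK">'
                      b'<version>22.4</version></get_version_response>')


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_unix_stub(path: str, ready: threading.Event) -> None:
    """Stand-in for gvmd: answer a single <get_version/> on a Unix socket, then exit."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o660)  # file mode is the only access control a Unix socket has
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    with conn:
        if b"<get_version/>" in conn.recv(4096):
            conn.sendall(FAKE_VERSION_REPLY)
    srv.close()


def relay_tcp_to_unix(unix_path: str, ready: threading.Event, bound: dict) -> None:
    """What `socat TCP-LISTEN:<port>,fork UNIX-CONNECT:<path>` does, for one client.
    Nothing here authenticates the TCP peer: whoever can reach the port gets
    exactly the access the socket's file permissions used to gate."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))           # ephemeral port; socat would use the fixed 6400
    bound["port"] = lst.getsockname()[1]
    lst.listen(1)
    ready.set()
    client, _ = lst.accept()
    backend = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    backend.connect(unix_path)
    back = threading.Thread(target=_pump, args=(backend, client), daemon=True)
    back.start()
    _pump(client, backend)               # client -> gvmd direction runs on this thread
    back.join()
    for s in (client, backend, lst):
        s.close()


def gmp_over_tcp(port: int, command: bytes = b"<get_version/>") -> bytes:
    """Client side: send one GMP command over the relayed port and read until EOF."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(command)
        s.shutdown(socket.SHUT_WR)
        reply = b""
        while chunk := s.recv(4096):
            reply += chunk
    return reply


def parse_version(reply: bytes) -> str:
    """Pull <version> out of a get_version_response document."""
    return ET.fromstring(reply).findtext("version", "")


def run_demo() -> bytes:
    """Wire stub gvmd -> relay -> client on a temp socket and return the raw reply."""
    tmpdir = tempfile.mkdtemp()
    sock_path = os.path.join(tmpdir, "gvmd.sock")
    stub_ready, relay_ready, bound = threading.Event(), threading.Event(), {}
    stub = threading.Thread(target=serve_unix_stub, args=(sock_path, stub_ready), daemon=True)
    relay = threading.Thread(target=relay_tcp_to_unix, args=(sock_path, relay_ready, bound), daemon=True)
    stub.start()
    stub_ready.wait(5)
    relay.start()
    relay_ready.wait(5)
    try:
        return gmp_over_tcp(bound["port"])
    finally:
        stub.join(5)
        relay.join(5)
        os.unlink(sock_path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print("gvmd version via TCP relay:", parse_version(run_demo()))
```

`run_demo()` returns the raw reply. The relay forwards bytes and nothing else: the file mode on `/run/gvmd/gvmd.sock` no longer applies to TCP peers, so GMP's own login is the only thing left in front of gvmd, and the OSP socket, which has no login of its own in Unix-socket mode, would be fully driveable by anyone who can reach port 6401. Bind such listeners to an interface reachable only from the intended master, or put TLS with client certificates in front of them.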
It's actually easier than that. The container will be run as a remote. The remote is added as another scanner to the Master. You can then configure a scan to run from the remote scanner. It's a documented feature .... Well, it's not documented well. I have it working, but need to write docs and some more scripts to make setup easier. The tricky part, which isn't that tricky ... is getting the certs from the master to the remote. I've also not been able to do any testing with it yet either. I got side tracked updating the base image and resolving a few bugs. |
Hi Scott,
Any update on the distributed setup with all open ports over the TCP protocol?
|
Unfortunately, #242 has eaten up a ton of my time. BTW ... one of the issues with everything on tcp, is still the postgres setup. Greenbone added a TCP connection option, but does not currently have a mechanism for setting the username/password for connecting to postgres. In my mind, this is a serious security concern when gvmd and postgresql are not co-located. -Scott |
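An added example (mine, not the thread's, Greenbone's or immauss/openvas code) to make Scott's point above concrete: if gvmd reaches PostgreSQL over TCP and cannot present a password, the connection only succeeds under a `trust` rule in `pg_hba.conf`, and a `trust` rule makes every host that can reach port 5432 indistinguishable from gvmd. The script parses pg_hba.conf rules and flags the ones that admit a TCP client with no credential, over a broad address range, or on a plaintext transport, and shows a constructed weak file beside a hardened one. The address 10.0.10.20, the `gvmd` role and database name, and the presence of server TLS in the hardened file are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed "make it work" pg_hba.conf: gvmd connects over TCP with no
# password, so every host that can reach 5432 is gvmd as far as Postgres knows.
WEAK_PG_HBA = """\
local   all    all                 trust
host    gvmd   gvmd   0.0.0.0/0    trust
host    all    all    10.0.0.0/8   trust
"""

# Constructed hardened counterpart. 10.0.10.20 is an assumed address for the
# gvmd host; the gvmd role/database and server TLS are assumed to exist.
HARDENED_PG_HBA = """\
local    all    all                   peer
hostssl  gvmd   gvmd   10.0.10.20/32  scram-sha-256
"""


@dataclass
class HbaRule:
    type: str
    database: str
    user: str
    address: Optional[str]   # None for "local" rules
    netmask: Optional[str]   # only for the old "ADDRESS NETMASK" form
    method: str


def _is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def parse_pg_hba(text: str) -> List[Tuple[int, HbaRule]]:
    """Parse the TYPE DATABASE USER [ADDRESS [NETMASK]] METHOD columns."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local" and len(f) >= 4:
            rules.append((lineno, HbaRule(f[0], f[1], f[2], None, None, f[3])))
        elif len(f) >= 5:
            address, netmask, method = f[3], None, f[4]
            # "10.0.0.0 255.255.255.0 md5": the 5th field is a mask, not a method
            if "/" not in address and len(f) >= 6 and _is_ip(f[4]):
                netmask, method = f[4], f[5]
            rules.append((lineno, HbaRule(f[0], f[1], f[2], address, netmask, method)))
    return rules


def is_broad(address: str, netmask: Optional[str] = None) -> bool:
    """True when a rule admits a whole network rather than one or a few hosts."""
    if address == "all":
        return True
    if address in ("samehost", "samenet"):
        return False
    try:
        spec = f"{address}/{netmask}" if netmask else address
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False  # hostname rule: DNS-dependent, not judged here
    return net.prefixlen < (24 if net.version == 4 else 64)


def audit_pg_hba(text: str) -> List[Tuple[str, int, str]]:
    """Return (severity, line, reason) for rules that let a TCP client in too easily."""
    findings = []
    for lineno, r in parse_pg_hba(text):
        if r.method == "trust":
            if r.type == "local":
                findings.append(("MEDIUM", lineno, "trust on the Unix socket: any local OS user becomes any role"))
            else:
                findings.append(("HIGH", lineno, f"trust over the network: any host in {r.address} is '{r.user}' with no credential"))
        elif r.method in ("password", "md5"):
            findings.append(("MEDIUM", lineno, f"{r.method} is weaker than scram-sha-256"))
        if r.type == "host":
            findings.append(("LOW", lineno, "'host' also matches plaintext TCP; use hostssl for remote clients"))
        if r.type != "local" and is_broad(r.address, r.netmask):
            findings.append(("MEDIUM", lineno, f"{r.address} covers far more than the gvmd host"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_PG_HBA), ("hardened", HARDENED_PG_HBA)):
        print(f"{name}: {audit_pg_hba(cfg) or 'no findings'}")
```

`audit_pg_hba()` returns the findings; the weak file yields two HIGH entries, the hardened one none. The hardened rule only helps if the client can actually present a credential. libpq-based clients normally pick a password up from `PGPASSWORD` or `~/.pgpass` even when the program has no password flag of its own, which is worth verifying against the gvmd build in use before relying on it for a split gvmd/PostgreSQL deployment.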
Hi Scott,
Can you still share the Docker compose files for the multi-distributed TCP setup in a separate repo folder, if you can?
Thanks,
Harshal
|
I don't currently have one that is purely TCP. The multi container compose file I do have is in the repo, but it still shares a volume for sockets. -Scott |
==========================
@immauss Sir,
If possible, please check the architecture diagram below. I also request that you look at the kind of setup below for the MultiContainer (mc) build, so it will be a kind of Master-Slave architecture (the Master will be the administrator GUI of GVM, and the Slave will be a remote scanner only, reachable via SSH connections):
https://securecompliance.gitbook.io/projects/gvm_image
https://github.com/Secure-Compliance-Solutions-LLC/GVM-Docker
(architecture diagram: https://user-images.githubusercontent.com/9278569/148571575-dcf82388-886a-467a-b4e0-cc66bda883ea.png)
Will it be possible to make the above kind of setup for your "mc" build, in a single Dockerfile / docker compose file?
==========================