Cannot connect to Unix socket for GVMD interaction: "Connection refused"

Question    Votes: 0    Answers: 1

I am trying to add a script to the greenbone-community-edition docker-compose setup. The script connects through the socket at /run/gvmd/gvmd.sock and runs Python commands against gvmd using the python-gvm library.

  script:
    image: openvasscript
    restart: on-failure
    ports:
      - 127.0.0.1:9393:80
    volumes:
      - gvmd_socket_vol:/run/gvmd # should give me access to the socket
    depends_on:
      - gvmd
from gvm.connections import UnixSocketConnection
from gvm.protocols.gmp import Gmp


class GvmdClient:
    def __init__(self) -> None:
        try:
            # the socket is shared with the gvmd container via the gvmd_socket_vol volume
            path = "/run/gvmd/gvmd.sock"
            self.connection = UnixSocketConnection(path=path)
            assert self.socket_test() == True
        except Exception as err:
            # a bare "except: pass" hides the real cause; at least report it
            print(f"gvmd socket check failed: {err}")

    def auth(self, gmp):
        gmp.authenticate("admin", "admin")

    def socket_test(self):
        # open a GMP session over the socket, authenticate and ask for the version
        try:
            with Gmp(connection=self.connection) as gmp:
                self.auth(gmp)
                gmp.get_version()
            return True
        except Exception as err:
            print(f"GMP connection failed: {err}")
            return False

When docker-compose builds the containers, the script cannot connect to the socket and returns the error "Could not connect to socket /run/gvmd/gvmd.sock. Error was [Errno 111] Connection refused."

I checked that the socket exists inside the script container, as well as its permissions and the permissions of the directory.

docker compose -f ./openvas-docker-compose.yml -p greenbone-community-edition exec script ls -l /run/gvmd/gvmd.sock
srw-rw-rw- 1 1001 1001 0 Jun 21 03:51 /run/gvmd/gvmd.sock
docker compose -f ./openvas-docker-compose.yml -p greenbone-community-edition exec script ls -ld /run/gvmd
drw-rw-rw- 2 1000 1000 4096 Jun 21 03:51 /run/gvmd

I looked at the gvmd log, but apart from the last line, which I do not understand, nothing seems wrong.

docker compose -f ./openvas-docker-compose.yml -p greenbone-community-edition exec gvmd cat /var/log/gvm/gvmd.log
md   main:MESSAGE:2024-06-21 04h12.07 utc:22:    Greenbone Vulnerability Manager version 23.6.2 (DB revision 255)
md   main:   INFO:2024-06-21 04h12.07 utc:22:    Migrating database.
md   main:   INFO:2024-06-21 04h12.07 utc:22: gvmd: databases are already at the supported version
md   main:MESSAGE:2024-06-21 04h12.07 utc:23:    Greenbone Vulnerability Manager version 23.6.2 (DB revision 255)
md manage:   INFO:2024-06-21 04h12.07 utc:23:    Creating user.
md manage:MESSAGE:2024-06-21 04h12.12 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.100509:6 has changed from 'Report vulnerabilities of inactive Linux Kernel(s) separately' to 'Report vulnerabilities of inactive Linux Kernel(s) separately (only for GOS 21.04 and older)'.
md manage:MESSAGE:2024-06-21 04h12.12 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.111091:1 has changed from 'Report NVT debug logs' to 'Report VT debug logs'.
md manage:MESSAGE:2024-06-21 04h12.12 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.12288:16 has changed from 'Mark host as dead if going offline (failed ICMP ping) during scan' to 'Mark host as dead if going offline (failed ICMP ping) during scan (deprecated)'.
md manage:MESSAGE:2024-06-21 04h12.12 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.100509:6 has changed from 'Report vulnerabilities of inactive Linux Kernel(s) separately' to 'Report vulnerabilities of inactive Linux Kernel(s) separately (only for GOS 21.04 and older)'.
md manage:MESSAGE:2024-06-21 04h12.12 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.111091:1 has changed from 'Report NVT debug logs' to 'Report VT debug logs'.
md manage:MESSAGE:2024-06-21 04h12.12 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.12288:16 has changed from 'Mark host as dead if going offline (failed ICMP ping) during scan' to 'Mark host as dead if going offline (failed ICMP ping) during scan (deprecated)'.
md manage:MESSAGE:2024-06-21 04h12.13 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.12288:16 has changed from 'Mark host as dead if going offline (failed ICMP ping) during scan' to 'Mark host as dead if going offline (failed ICMP ping) during scan (deprecated)'.
md manage:MESSAGE:2024-06-21 04h12.13 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.100509:6 has changed from 'Report vulnerabilities of inactive Linux Kernel(s) separately' to 'Report vulnerabilities of inactive Linux Kernel(s) separately (only for GOS 21.04 and older)'.
md manage:MESSAGE:2024-06-21 04h12.13 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.111091:1 has changed from 'Report NVT debug logs' to 'Report VT debug logs'.
md manage:MESSAGE:2024-06-21 04h12.13 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.12288:16 has changed from 'Mark host as dead if going offline (failed ICMP ping) during scan' to 'Mark host as dead if going offline (failed ICMP ping) during scan (deprecated)'.
md manage:MESSAGE:2024-06-21 04h12.13 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.111091:1 has changed from 'Report NVT debug logs' to 'Report VT debug logs'.
md manage:MESSAGE:2024-06-21 04h12.13 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.12288:16 has changed from 'Mark host as dead if going offline (failed ICMP ping) during scan' to 'Mark host as dead if going offline (failed ICMP ping) during scan (deprecated)'.
md manage:MESSAGE:2024-06-21 04h12.14 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.100509:6 has changed from 'Report vulnerabilities of inactive Linux Kernel(s) separately' to 'Report vulnerabilities of inactive Linux Kernel(s) separately (only for GOS 21.04 and older)'.
md manage:MESSAGE:2024-06-21 04h12.14 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.100509:6 has changed from 'Report vulnerabilities of inactive Linux Kernel(s) separately' to 'Report vulnerabilities of inactive Linux Kernel(s) separately (only for GOS 21.04 and older)'.
md manage:MESSAGE:2024-06-21 04h12.14 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.111091:1 has changed from 'Report NVT debug logs' to 'Report VT debug logs'.
md manage:MESSAGE:2024-06-21 04h12.14 utc:23: get_nvt_preference_by_id: name of preference 1.3.6.1.4.1.25623.1.0.12288:16 has changed from 'Mark host as dead if going offline (failed ICMP ping) during scan' to 'Mark host as dead if going offline (failed ICMP ping) during scan (deprecated)'.
md   main:MESSAGE:2024-06-21 04h12.14 utc:25:    Greenbone Vulnerability Manager version 23.6.2 (DB revision 255)
md manage:   INFO:2024-06-21 04h12.14 utc:25:    Getting users.
md   main:MESSAGE:2024-06-21 04h12.18 utc:28:    Greenbone Vulnerability Manager version 23.6.2 (DB revision 255)
md manage:   INFO:2024-06-21 04h12.18 utc:28:    Modifying setting.
md   main:MESSAGE:2024-06-21 04h12.22 utc:29:    Greenbone Vulnerability Manager version 23.6.2 (DB revision 255)
libgvm base:CRITICAL:2024-06-21 04h12.27 utc:30: pidfile_create: failed to open pidfile /run/gvmd/gvmd.pid: Permission denied

I tried configuring the Docker image of my script this way.

# Beginning of the Dockerfile  ...

RUN mkdir -p /run/gvmd && \
    chown -R 1001:1001 /run/gvmd && \
    chmod 755 /run/gvmd && \
    apt-get update -y && \
    apt-get install -y net-tools

# Expose port and set environment variable
EXPOSE 80
ENV PYTHONUNBUFFERED=1

# Start the application
CMD gunicorn "script:create()" -b 0.0.0.0:80

I also restarted the gvmd container and my script container several times.

When I run the script from the host with this volume mapping in docker-compose:

/tmp/run/gvm/gvmd.sock:/run/gvmd/gvmd.sock

everything works.

I tried exposing port 9390 on the script container, but it made no difference.

python-3.x docker-compose unix-socket gvm
1 Answer
0 votes

I tried again on another machine and everything worked. Then I retried on the original server and ran into many problems again.

But this is the solution I found:

  • I removed all Docker images linked to greenbone with the following command:

docker images | grep greenbone | awk '{print $3}' | xargs docker rmi

  • After that, I noticed that gvmd had trouble creating the socket, so I modified the Dockerfile as follows:

# Beginning of the Dockerfile  ...

RUN groupadd -g 1001 scriptuser && \
    useradd  -u 1001 -g scriptuser scriptuser

RUN chown -R scriptuser:scriptuser /scriptdir


USER scriptuser
# Expose port and set environment variable
EXPOSE 80
ENV PYTHONUNBUFFERED=1

# Start the application
CMD gunicorn "script:create()" -b 0.0.0.0:80

In the end, everything works.
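The "Connection refused" in the question and the uid change in the answer are two different failure modes, and a client-side preflight can tell them apart before python-gvm is even involved. On Linux, ECONNREFUSED on a Unix socket means the socket file exists but no process is accepting connections on it, so the problem is on the server side (consistent with a gvmd log that ends in a pidfile permission error), whereas a uid/gid mismatch between the client and the socket owner shows up as EACCES ("Permission denied"). The following checker is an added example, not code from the question, the answer or the python-gvm project: it stats the socket, attempts a plain AF_UNIX connect, and maps the outcome to a short verdict; the demo() scenarios, the temporary socket path and the SocketDiagnosis type are constructed for this example.

```python
import errno
import os
import socket
import stat
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass
class SocketDiagnosis:
    path: str
    verdict: str  # connected / missing / not-a-socket / refused / permission / timeout / error
    detail: str   # what the verdict means for a socket shared between containers
    owner: tuple = (-1, -1)        # (uid, gid) of the socket file, if it exists
    mode: int = 0                  # permission bits of the socket file, if it exists
    connect_errno: Optional[int] = None


def diagnose_unix_socket(path: str, timeout: float = 2.0) -> SocketDiagnosis:
    """Classify, from the client's side, why a Unix socket connection may fail."""
    if not os.path.lexists(path):
        return SocketDiagnosis(path, "missing",
                               "no file at this path: the volume is not mounted here, or the "
                               "server has not created its socket yet", connect_errno=errno.ENOENT)
    st = os.stat(path)
    owner = (st.st_uid, st.st_gid)
    mode = stat.S_IMODE(st.st_mode)
    if not stat.S_ISSOCK(st.st_mode):
        return SocketDiagnosis(path, "not-a-socket",
                               "the path exists but is a regular file or directory, not a socket",
                               owner, mode, errno.ENOTSOCK)

    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.settimeout(timeout)
    try:
        client.connect(path)
    except socket.timeout:
        return SocketDiagnosis(path, "timeout",
                               "nothing accepted the connection within the timeout; the server "
                               "may be hung or its listen backlog full", owner, mode, errno.ETIMEDOUT)
    except OSError as err:
        code = err.errno
        if code == errno.ECONNREFUSED:
            tag, detail = "refused", (
                "the socket file exists but no process is accepting on it: the server is not "
                "running or failed to start (check the server's own log); file ownership and "
                "mode are not the cause")
        elif code in (errno.EACCES, errno.EPERM):
            tag, detail = "permission", (
                f"permission denied: this process runs as uid={os.getuid()} gid={os.getgid()}, "
                f"the socket is owned by uid={owner[0]} gid={owner[1]} with mode {oct(mode)}; "
                "run the client with a matching uid/gid or relax the socket mode")
        else:
            tag, detail = "error", (os.strerror(code) if code is not None else str(err))
        return SocketDiagnosis(path, tag, detail, owner, mode, code)
    finally:
        client.close()
    return SocketDiagnosis(path, "connected",
                           "a process is listening and this uid may connect; any remaining failure "
                           "is at the protocol level (GMP authentication, for example)",
                           owner, mode, None)


def demo() -> dict:
    """Constructed scenarios: a listening socket, the same path after the server
    has exited, and a path that was never created."""
    workdir = tempfile.mkdtemp(prefix="gvmd-demo-")
    path = os.path.join(workdir, "gvmd.sock")
    results = {}
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(path)
    server.listen(1)
    results["listening"] = diagnose_unix_socket(path).verdict
    server.close()  # the socket file stays on disk, but nobody accepts on it any more
    results["closed"] = diagnose_unix_socket(path).verdict
    os.unlink(path)
    results["missing"] = diagnose_unix_socket(path).verdict
    os.rmdir(workdir)
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
    # inside the script container the call would be:
    # print(diagnose_unix_socket("/run/gvmd/gvmd.sock").detail)
```

Running diagnose_unix_socket("/run/gvmd/gvmd.sock") inside the script container before opening a GMP session gives a verdict that distinguishes "gvmd is not up" (refused) from "this container runs as the wrong uid" (permission), which is the distinction the Dockerfile changes above depend on.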
