Containerized Setup: Communication failure between OSPD-openvas and GVMD

Hi everybody, I am currently struggling to set up the containerized version of OpenVAS as described in https://greenbone.github.io/docs/latest/22.4/container/index.html.

According to the logs (I added a bit more logging to the OSPD-openvas container), it seems that there is some issue with the socket communication:

OSPD Logs

    ERROR: (ospd.server) Error sending data to the client. [Errno 32] Broken pipe
    ERROR: (ospd.server) Failure at socket <socket.socket fd=7, family=AddressFamily.AF_UNIX, type=SocketKind.SOCK_STREAM, proto=0, laddr=/run/ospd/ospd-openvas.sock> sending b' properly handle objects in memory.</insight><solution type="VendorFix">The vendor has released updates. Please see the references for more information.</solution><detection qod_type="executable_version">Checks if a vulnerable version is present on the target host.</detection><severities><severity type="cvss_base_v3"><value>CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</value><origin>NVD</origin><date>1570060980</date></severity></severities><custom><filename>2017/gb_ms_kb3203390.nasl</filename><mandatory_keys>MS/SharePoint/Server/Ver</mandatory_keys><required_ports>139, 445</required_ports><dependencies>gb_ms_sharepoint_sever_n_foundation_detect.nasl</dependencies><cvss_base_vector>AV:N/AC:M/Au:N/C:C/I:C/A:C</cvss_base_vector><category>3</category><family>Windows : Microsoft Bulletins</family></custom></vt>'

GVMD Logs
(just printing this over and over)

    md manage:WARNING:2022-11-30 10h20.11 UTC:267: update_scap: No SCAP db present, rebuilding SCAP db from scratch
    md manage:   INFO:2022-11-30 10h20.11 UTC:268: OSP service has different VT status (version 202211291013) from database (version (null), 0 VTs). Starting update ...
    md manage:   INFO:2022-11-30 10h20.11 UTC:267: update_scap: Updating data from feed
    md manage:   INFO:2022-11-30 10h20.11 UTC:267: Updating CPEs
    md manage:WARNING:2022-11-30 10h22.22 UTC:311: update_scap: No SCAP db present, rebuilding SCAP db from scratch
    md manage:   INFO:2022-11-30 10h22.22 UTC:312: OSP service has different VT status (version 202211291013) from database (version (null), 0 VTs). Starting update ...
    md manage:   INFO:2022-11-30 10h22.22 UTC:311: update_scap: Updating data from feed
    md manage:   INFO:2022-11-30 10h22.22 UTC:311: Updating CPEs

while the scap-data dir is “there”:

    # docker exec -it gvmd ls /var/lib/gvm/scap-data/
    COPYING              nvdcve-2.0-2003.xml  nvdcve-2.0-2006.xml  nvdcve-2.0-2009.xml  nvdcve-2.0-2012.xml  nvdcve-2.0-2015.xml  nvdcve-2.0-2018.xml  nvdcve-2.0-2021.xml  oval
    feed.xml             nvdcve-2.0-2004.xml  nvdcve-2.0-2007.xml  nvdcve-2.0-2010.xml  nvdcve-2.0-2013.xml  nvdcve-2.0-2016.xml  nvdcve-2.0-2019.xml  nvdcve-2.0-2022.xml  timestamp
    nvdcve-2.0-2002.xml  nvdcve-2.0-2005.xml  nvdcve-2.0-2008.xml  nvdcve-2.0-2011.xml  nvdcve-2.0-2014.xml  nvdcve-2.0-2017.xml  nvdcve-2.0-2020.xml  official-cpe-dictionary_v2.2.xml

Database meta (SELECT * FROM public.meta)

     id |       name        |   value    
    ----+-------------------+------------
     10 | cert_check_time   | 1669739690
     25 | database_version  | 250
      2 | update_nvti_cache | 0
     26 | max_hosts         | 4095

The socket is - as described in the docs - in a docker volume that is mounted into both containers:

Host:

    #  docker volume inspect ospd-openvas-socket
    ls -lhrta <MOUNTPOINT>
    -rw-rw----. 1 1001 1001  0 Nov 30 10:55 feed-update.lock
    -rw-r--r--. 1 1001 1001  1 Nov 30 11:08 ospd-openvas.pid
    srw-rw-rw-. 1 1001 1001  0 Nov 30 11:08 ospd-openvas.sock

GVMD Container:

    # docker exec -it gvmd gosu gvmd ls -lhrta /run/ospd
    -rw-rw----. 1 gvmd gvmd  0 Nov 30 09:55 feed-update.lock
    -rw-r--r--. 1 gvmd gvmd  1 Nov 30 10:08 ospd-openvas.pid
    srw-rw-rw-. 1 gvmd gvmd  0 Nov 30 10:08 ospd-openvas.sock

OSPD Container

    # docker exec -it  ospd ls -lhrta /run/ospd
    -rw-rw----. 1 ospd-openvas ospd-openvas  0 Nov 30 09:55 feed-update.lock
    -rw-r--r--. 1 ospd-openvas ospd-openvas  1 Nov 30 10:08 ospd-openvas.pid
    srw-rw-rw-. 1 ospd-openvas ospd-openvas  0 Nov 30 10:08 ospd-openvas.sock

I did some “manual” communication on the socket with netcat which worked fine for both directions.

After giving up on this, I tried switching to binding on host/port with TLS, which seemed to be working for the scanners but still not for SCAP:

Run "ospd-openvas" with the arguments

    "--bind-address" "0.0.0.0 --port 2223 --cert-file /certs/server.crt --key-file /certs/server.key --ca-file /certs/intermediate.chain.pem"

rather than with "-m 666", and

adjust the scanner in gvmd with

    "gvmd --modify-scanner=08b69003-5fc2-4037-a479-93b440211c73 --scanner-host=172.1.2.3 --scanner-port=2223 --scanner-ca-pub /certs/intermediate.chain.pem --scanner-key-priv=/certs/server.key --scanner-key-pub=/certs/server.crt"

Doing a

    "gvmd --verify-scanner=08b69003-5fc2-4037-a479-93b440211c73"

succeeds

    Scanner version: OpenVAS 22.4.1~dev1.

Yet with this approach, the gvmd container is apparently unable to do "osp_scanner_feed_update", as it is still trying to connect to the socket somehow (which does not exist, cf. https://github.com/greenbone/ospd-openvas/issues/174 ):

    md manage:WARNING:2022-11-30 10h43.36 UTC:48: osp_scanner_feed_version: failed to connect to 172.1.2.3

-> trying to connect on the socket still?!

Any help would be greatly appreciated!
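The post above checks the shared socket by listing it from the host and both containers and by poking it with netcat. The script below is an added example (not part of the original post and not Greenbone's code) that automates the same two checks in Python: it verifies that the path is really a Unix domain socket with mode/owner bits usable by the connecting uid, and then performs the minimal OSP exchange gvmd does on connect, sending `<get_version/>` and reading the reply, from which it extracts the scanner version and the VT feed version that gvmd compares against its database. Assumptions: ospd closes the connection after answering one command (so the client reads to EOF), and the canned `get_version_response` served by the stand-in server only approximates the shape of a real OSP 22 reply; it is constructed for the demo, not captured from a live ospd-openvas.

```python
"""Probe an ospd-openvas Unix socket the way gvmd would.

Added example, not code from the original post or from Greenbone. It
answers two questions a practitioner asks when gvmd and ospd-openvas share
a socket volume: is the file a socket the client uid can actually open,
and does a <get_version/> round-trip succeed and report a VT feed version.
"""
import os
import socket
import stat
import tempfile
import threading
import xml.etree.ElementTree as ET

OSP_GET_VERSION = b"<get_version/>"


def check_socket_file(path, client_uid=None):
    """Return a list of problems with the socket file (empty list means OK).

    Only the owner and 'other' permission bits are evaluated; group
    membership of the client is deliberately ignored (simplifying assumption).
    """
    client_uid = os.geteuid() if client_uid is None else client_uid
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    if not stat.S_ISSOCK(st.st_mode):
        problems.append(f"{path} is not a Unix domain socket")
    mode = stat.S_IMODE(st.st_mode)
    needed = 0o600 if st.st_uid == client_uid else 0o006
    if mode & needed != needed:
        problems.append(
            f"{path} mode {oct(mode)} (owner uid {st.st_uid}) "
            f"is not read/write for uid {client_uid}"
        )
    return problems


def osp_exchange(path, request, timeout=5.0):
    """Send one OSP command over the socket and return the parsed XML reply.

    Assumption: ospd answers one command per connection and then closes it,
    so reading until EOF yields exactly one response document.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(path)
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return ET.fromstring(b"".join(chunks))


def probe_scanner(path):
    """Return daemon version, scanner version and VT feed version, or raise."""
    reply = osp_exchange(path, OSP_GET_VERSION)
    if reply.tag != "get_version_response" or reply.get("status") != "200":
        raise RuntimeError(f"unexpected OSP reply: {reply.tag} {reply.attrib}")
    vts = reply.find("vts")
    return {
        "daemon": reply.findtext("daemon/version"),
        "scanner": reply.findtext("scanner/version"),
        "vts_version": vts.get("version") if vts is not None else None,
    }


# --- constructed stand-in for ospd-openvas, used only for the demo ----------
# Approximates the shape of an OSP 22 get_version response; not a real capture.
CANNED_REPLY = (
    b'<get_version_response status="200" status_text="OK">'
    b"<protocol><name>OSP</name><version>22.4</version></protocol>"
    b"<daemon><name>OSPd OpenVAS</name><version>22.4.1</version></daemon>"
    b"<scanner><name>openvas</name><version>OpenVAS 22.4.1~dev1</version></scanner>"
    b'<vts version="202211291013"/>'
    b"</get_version_response>"
)


def serve_once(path, reply=CANNED_REPLY, mode=0o666):
    """Start a thread that answers exactly one request at `path`, then exits."""
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(path)
    os.chmod(path, mode)  # mirrors the "-m 666" / --unix-socket-mode setting
    server.listen(1)

    def run():
        conn, _ = server.accept()
        with conn:
            conn.recv(4096)  # the request; a real ospd would parse it
            conn.sendall(reply)
        server.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return thread


def demo():
    """Run both checks against the stand-in and a decoy plain file."""
    with tempfile.TemporaryDirectory() as d:
        sock_path = os.path.join(d, "ospd-openvas.sock")
        decoy = os.path.join(d, "ospd-openvas.pid")  # a regular file, not a socket
        open(decoy, "w").close()
        thread = serve_once(sock_path)
        out = {
            "socket_problems": check_socket_file(sock_path),
            "decoy_problems": check_socket_file(decoy),
            "version": probe_scanner(sock_path),
        }
        thread.join()
    return out


if __name__ == "__main__":
    result = demo()
    print("socket problems:", result["socket_problems"] or "none")
    print("decoy problems:", result["decoy_problems"])
    print("scanner:", result["version"])
```

Against a real deployment you would run `probe_scanner("/run/ospd/ospd-openvas.sock")` inside the gvmd container as the `gvmd` user (`docker exec -it gvmd gosu gvmd python3 ...`), since that is the uid whose permission bits matter; the `client_uid` argument lets you evaluate the same file from the host for a uid that only exists inside the container.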