Docker-compose: set GSA listen address and GVM admin password

Community Containers
1

How would I set the listen address (e.g. 0.0.0.0) in the docker-compose.yml file before the container is built? I assume this would be in the gsa block but I’m unclear about the key/value pair. This would have the same result as setting the value manually in greenbone-security-assistant.service after the container is running.

In the same vein, how would I set the admin password in the docker-compose.yml file? Here I assume that it would be set under the gvmd block. This would have the same result as setting the value manually using the following command:

docker-compose -f docker-compose.yml -p greenbone-community-edition exec -u gvmd gvmd gvmd --user=admin --new-password=xxxxx

Thanks for the help.

2

This may not be the only method or the best method, but, to modify the greenbone-security-assistant.service file within the container, you would need to create a custom Docker image that includes the modified file and then use that image in your docker-compose.yml file.

mkdir custom-gsa
cd custom-image

Create a new file called greenbone-security-assistant.service in the custom-gsa directory and add your modifications to it. Change 127.0.0.1 to 0.0.0.0 in the file. Save the changes.

Create a new file called Dockerfile in the custom-image directory with the following content:

FROM greenbone/gsa:stable
COPY greenbone-security-assistant.service /etc/systemd/system/greenbone-security-assistant.service

This Dockerfile will start from the base greenbone/gsa:stable image and copy your modified greenbone-security-assistant.service file to the container. Then you need to build the container from within the directory using the Dockerfile and tags it as something like my-custom-gsa .

docker build -t my-custom-gsa .

Finally, update the docker-compose.yml file to use the custom image. Replace the greenbone/gsa:stable image with my-custom-gsa . The modified section should look like this:

gsa:
  image: my-custom-gsa
  restart: on-failure
  ports:
    - 9392:80
  volumes:
    - gvmd_socket_vol:/run/gvmd
  depends_on:
    - gvmd

Start the containers using the modified docker-compose.yml file:

docker-compose -f $DOWNLOAD_DIR/docker-compose.yml -p greenbone-community-edition up -d

I have not tested this method, but I guess it is the correct way to override a container image.

You could otherwise set an environment variable but I believe there is currently no commands in the GSA container that would pick up the environment variable and move it into the service file. Such as this:

gsa:
  image: my-custom-gsa
  restart: on-failure
  ports:
    - 9392:80
  volumes:
    - gvmd_socket_vol:/run/gvmd
  depends_on:
    - gvmd
  environment:
   - LISTEN_IP=0.0.0.0

If the container could pick that up and execute something like:

sed -e "s/127.0.0.1/$LISTEN_IP/g" greenbone-security-assistant.
3

Thank you for the thorough explanation. Overriding the container image with the custom image referencing a systemd service file worked perfectly.

I searched for similar approaches to set the admin password before the gvmd image build but was unsuccessful. I may just rely on the official documentation to change the password after the container is running:

docker-compose -f docker-compose.yml -p greenbone-community-edition exec -u gvmd gvmd gvmd --user=admin --new-password=xxxxx
4

Just a short note the containers don’t use (systemd) service files. The services are started via dockerfile cmd for example gsad/.docker/prod.Dockerfile at main · greenbone/gsad · GitHub

1 Like
5

That edification helped me track down where the gvmd admin password is set:

The the .docker directory referenced in your comment had file start-gsad.sh and I figured there would be a corresponding file in the gvmd repo. Knowing where the admin password is set will help me build a custom image with a different default. Many thanks!

6

OK, thanks for that info!