How to deploy a remote Greenbone scanner via Docker Compose

Hi Greenbone community,

I successfully deployed the Greenbone Community Docker Compose stack — everything works locally (web interface, feeds, redis, PostgreSQL, etc.).

Now I want to deploy a scanner in a separate VPC and connect it to my running Greenbone manager (gvmd).

Original services (unchanged):

vulnerability-tests, notus-data, scap-data, cert-bund-data, dfn-cert-data, gpg-data, redis-server, configure-openvas, openvas, openvasd

My scanner service (ospd-openvas):

ospd-openvas:
  ports:
    - 9390:9390
  command:
    [
      "ospd-openvas",
      "-f",
      "--config", "/etc/gvm/ospd-openvas.conf",
      "--notus-feed-dir", "/var/lib/notus/advisories",
      "-m", "666",
      "--listen-address", "0.0.0.0",
      "--port", "9390"
    ]

I added --listen-address and --port to make it accessible remotely.

Problem:

ospd.errors.OspdError: CA file /var/lib/gvm/CA/cacert.pem not found

Workaround: I added a fix-permissions service to generate certs:

fix-permissions:
  image: registry.community.greenbone.net/community/ospd-openvas:stable
  user: root
  entrypoint: /bin/bash
  command: >
    -c "apt-get update && apt-get install -y openssl && \
        mkdir -p /var/lib/gvm/CA /var/lib/gvm/private/CA && \
        openssl req -x509 -newkey rsa:4096 -nodes \
          -keyout /var/lib/gvm/private/CA/cakey.pem \
          -out /var/lib/gvm/CA/cacert.pem \
          -days 3650 -subj '/CN=Greenbone CA' && \
        openssl req -x509 -newkey rsa:2048 -nodes \
          -keyout /var/lib/gvm/private/CA/serverkey.pem \
          -out /var/lib/gvm/CA/servercert.pem \
          -days 365 -subj '/CN=ospd-openvas' && \
        chown -R ospd-openvas:ospd-openvas /var/lib/gvm && \
        chmod 700 /var/lib/gvm/private && \
        chmod 600 /var/lib/gvm/private/CA/*.pem && \
        chmod 644 /var/lib/gvm/CA/*.pem"
  volumes:
    - gvmd_data_vol:/var/lib/gvm

Questions:

  1. Is generating certs this way correct for a remote scanner?

  2. Is there an official or recommended way to deploy a remote scanner with Docker Compose without modifying the original community stack?

  3. Any references, guides, or examples for connecting a scanner running in a separate VPC to a manager?

Thanks in advance!
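On question 1, a check that can be run before wiring the scanner to a manager (an added example, not part of the original post and not Greenbone's documented procedure): `openssl req -x509` always emits a self-signed certificate, so the `servercert.pem` produced by the workaround is not issued by `cacert.pem`. The script below rebuilds both variants in a temporary directory and tests them with `openssl verify`; the file names, the `Demo CA` subject, the key sizes and the lifetimes are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo in a temp dir; paths and subjects are placeholders,
# not the layout of the Greenbone containers.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA, same kind of command as in the post.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/cakey.pem" \
    -out "$WORK/cacert.pem" -days 30 -subj '/CN=Demo CA' 2>/dev/null
}

# Server certificate as in the post: a second, independent self-signed cert.
make_selfsigned_server() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/serverkey.pem" \
    -out "$WORK/selfsigned.pem" -days 30 -subj '/CN=ospd-openvas' 2>/dev/null
}

# Alternative: create a CSR and sign it with the CA key, so the
# resulting certificate chains to cacert.pem.
make_ca_signed_server() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/serverkey2.pem" \
    -out "$WORK/server.csr" -subj '/CN=ospd-openvas' 2>/dev/null &&
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -out "$WORK/signed.pem" -days 30 2>/dev/null
}

# Prints "chains" if the given cert validates against the CA,
# otherwise "does-not-chain".
chain_status() {
  if openssl verify -CAfile "$WORK/cacert.pem" "$1" >/dev/null 2>&1; then
    echo chains
  else
    echo does-not-chain
  fi
}

make_ca && make_selfsigned_server && make_ca_signed_server
echo "self-signed server cert: $(chain_status "$WORK/selfsigned.pem")"
echo "CA-signed server cert:   $(chain_status "$WORK/signed.pem")"
```

A peer that trusts only `cacert.pem` rejects the first certificate and accepts the second.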