Locking image versions

Hello,

I’ve used the docker-compose and for stability reasons I would like to lock some of the images and update them manually.
I saw that most of the images do not have version tagging. I locked the ones that do have it:

  • greenbone/notus-scanner:22.6.2
  • greenbone/gvm-tools:v24.1.0
  • greenbone/pg-gvm:22.6.5
  • greenbone/gvmd:23.4
  • greenbone/gsa:23
  • greenbone/ospd-openvas:22.6.2

I tried to read a bit about the other images and the only 3 that worry me are

  • greenbone/report-formats
  • greenbone/redis-server
  • greenbone/mqtt-broker

I have a few questions on that topic.
1. Is there a reason that they don’t have version support?
2. Might it cause problems locking some of the images? (e.g. I have locked notus scanner but not notus data)
3. I’m using gmp and gvmd with Python to read report results. Do you have any recommendations to ensure stability on report-formats?

Thank you!
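A small audit script for the situation described in the post above (added example, not code from the thread or from the Greenbone project): it reads a docker-compose file, extracts every `image:` reference and reports which services are tag-pinned, digest-pinned or unpinned. The compose text is a constructed sample; the pinned tags are the ones listed above, the other service names are illustrative, and the digest is an all-zero placeholder. The script deliberately avoids a YAML dependency and only parses `image:` lines.

```python
"""Audit a docker-compose file for container images that are not pinned.

Added example, not part of the Greenbone project. Only `image:` lines are
inspected, so no YAML library is needed and the script runs offline.
"""
from __future__ import annotations

import re
from typing import NamedTuple

# Constructed sample compose file. The pinned tags match the thread;
# the remaining service names are illustrative and the sha256 digest is
# an all-zero placeholder, not a real image digest.
SAMPLE_COMPOSE = """\
services:
  notus-scanner:
    image: greenbone/notus-scanner:22.6.2
  gvmd:
    image: greenbone/gvmd:23.4
  redis-server:
    image: greenbone/redis-server
  report-formats:
    image: greenbone/report-formats:latest
  mqtt-broker:
    image: "greenbone/mqtt-broker"
  pg-gvm:
    image: greenbone/pg-gvm@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

# `image: <ref>` with optional quotes and an optional trailing comment.
IMAGE_LINE = re.compile(r'^\s*image:\s*["\']?([^"\'#\s]+)["\']?\s*(?:#.*)?$')
# A two-space-indented key directly under `services:` is a service name.
SERVICE_LINE = re.compile(r'^  ([A-Za-z0-9_.-]+):\s*$')


class ImageRef(NamedTuple):
    service: str
    image: str
    pin: str  # "digest", "tag" or "unpinned"


def classify(ref: str) -> str:
    """Classify how strongly an image reference is pinned.

    A digest pin is the strongest: a tag can be re-pushed to point at a
    different image, a sha256 digest cannot. No tag means the implicit
    `:latest`, which is treated the same as an explicit `:latest`.
    """
    if "@sha256:" in ref:
        return "digest"
    # A registry host may carry a port (host:5000/image), so only the last
    # path component is examined for a tag.
    last = ref.rsplit("/", 1)[-1]
    if ":" not in last:
        return "unpinned"
    tag = last.split(":", 1)[1]
    return "unpinned" if tag == "latest" else "tag"


def audit_compose(text: str) -> list[ImageRef]:
    """Return one ImageRef per `image:` line, attributed to its service."""
    refs: list[ImageRef] = []
    service = "?"
    for line in text.splitlines():
        m = SERVICE_LINE.match(line)
        if m:
            service = m.group(1)
            continue
        m = IMAGE_LINE.match(line)
        if m:
            image = m.group(1)
            refs.append(ImageRef(service, image, classify(image)))
    return refs


def unpinned_services(text: str) -> list[str]:
    """Names of services whose image would float to whatever `pull` fetches."""
    return [r.service for r in audit_compose(text) if r.pin == "unpinned"]


if __name__ == "__main__":
    for r in audit_compose(SAMPLE_COMPOSE):
        print(f"{r.pin:9} {r.service:16} {r.image}")
    print("unpinned:", ", ".join(unpinned_services(SAMPLE_COMPOSE)))
```

Run it against your own file with `audit_compose(open("docker-compose.yml").read())`. Note that, as the replies below point out, pinning only some images can still leave the scanner and its feed data out of step, so the unpinned list is a starting point for review rather than a list of things to pin blindly.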

As far as I understand, locking Docker containers is a security measure to restrict access to them, either to prevent unauthorized users from accessing them or to restrict their usage in certain ways. Furthermore, the Greenbone Docker containers will not update automatically unless you run the pull command to update the containers from the source again. This happens via the docker-compose.yml file.

Therefore, I don’t immediately see how your goal is achieved by locking the containers. That being said, maybe someone else has more insight, although this may fall out of scope for support from the Greenbone team.

Thank you for the answer, but the goal is not security, it’s stability. I’m using Python code to retrieve the results from a scan and I’m afraid that changes to any of the dockers will make my code not work.

But then you will end up with an incompatible feed version for your scanning engine, so such a setup will always need attention.

This is why I only want to lock the images that are not responsible for data renewal and the engine.
I have a problem with an image like the report formats engine changing because it can break my code.

The key value is the up-to-date security feed, and when you freeze the engine, the feed is in danger of not being executed.

I think this is a misunderstanding. The report-formats container image includes the report formats, not the engine to generate a report for a scan using a report format. It’s just a data container. The engine itself is provided by gvmd.

See Greenbone Community Containers - Greenbone Community Documentation for more details about the container images.
