Question about redis & openvas

Hi There,

Under gvm-11, I notice my scans yield a lot of “No redis DB available” errors, while my number of databases is set according to the gvmd recommended formula. I tried increasing the databases value in redis to various different values (including up to 2048 to see if that would make any difference), but I don’t see any real impact, apart maybe that the scans go longer.

So I’m wondering about the scan impact this error has. When no redis db is available, does that mean that the current scan results are not saved, and the scan kind of bypasses the results, or does that mean that it just delays the scan? E.g., openvas “waits” for a redis db to become available before resuming the scan?

And also, why does increasing the databases value significantly not seem to have any real impact? (I still see a lot of those errors whatever value I put in redis.conf.)

Thank you

Not sure if you already noticed https://github.com/greenbone/openvas/blob/master/doc/redis_data_model.md

You need at least

  • one db for the main data
  • one db for the nvt cache
  • one db for every scan
  • one db for every target host of a scan

So it is 2 + n * m dbs where n is the number of concurrent scans and m the number of hosts per scan.


Hi Bricks,

Thanks for your answer.
Yes, I did review the redis data model. Regarding m, is it the total number of IPs per target, or the total number of IPs scanned simultaneously?

E.g.: if I have a /24 target, is m=254 or 20 (Maximum concurrently scanned hosts set by default)?

Short answer: it is the number of concurrently scanned hosts of the scan. Long answer: these dbs are used to separate the scan results of the hosts. If you have a lot of dead hosts it can be possible that gvmd didn’t request the results yet and a host db is still kept. It is only removed and reused after all results have been requested.


Which is typically my case. I’m scanning large networks with a lot of dead hosts. In that situation, would you recommend sticking with the base formula, or setting a much higher redis databases value to address the dead hosts as well?

I couldn’t find any hints of possible impacts in setting up a high databases value, such as 4096 for instance for a network of /20. From the doc I understand openvas only waits for a redis db to become available, so the only impact is that the scans take longer. On the other hand, setting a high databases value may speed up the scan only if the overhead doesn’t kill redis…

It is always better to set a higher limit like 4096. The openvas scanner will wait for an available db during a running scan but it is very likely that ospd-openvas will reject starting any new scan if no db can be acquired.

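The sizing rule from the answers above (2 + n * m, plus headroom for host dbs that are kept until gvmd has fetched their results), as an added example that is not from this thread or from Greenbone’s code. The redis.conf excerpt and socket path are constructed for illustration.

```python
import math
import re

# Constructed redis.conf excerpt (sample input, not a real deployment).
SAMPLE_REDIS_CONF = """
# redis.conf for the OpenVAS scanner (constructed sample)
port 0
unixsocket /run/redis-openvas/redis-server.sock
databases 128
"""


def required_databases(concurrent_scans: int, hosts_per_scan: int, margin: float = 0.0) -> int:
    """Minimum 'databases' value: 1 main db + 1 NVT cache db + one db per
    concurrently scanned host of every concurrent scan (2 + n * m).
    'margin' adds a fraction of that base as headroom for host dbs that stay
    allocated (e.g. dead hosts) until gvmd has requested their results."""
    base = 2 + concurrent_scans * hosts_per_scan
    return base + math.ceil(base * margin)


def configured_databases(conf_text: str) -> int:
    """Return the value of the last 'databases' directive in a redis.conf,
    or Redis' built-in default of 16 when the directive is absent."""
    value = 16
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"databases\s+(\d+)$", line)
        if m:
            value = int(m.group(1))  # a later directive overrides an earlier one
    return value


def check_redis_sizing(conf_text: str, concurrent_scans: int, hosts_per_scan: int, margin: float = 0.2) -> dict:
    """Compare the configured db count against the requirement; an undersized
    value is what produces the 'No redis DB available' errors discussed above."""
    need = required_databases(concurrent_scans, hosts_per_scan, margin)
    have = configured_databases(conf_text)
    return {"configured": have, "required": need, "sufficient": have >= need}


if __name__ == "__main__":
    # 10 concurrent scans, each scanning up to 20 hosts at once, 20% headroom.
    print(check_redis_sizing(SAMPLE_REDIS_CONF, concurrent_scans=10, hosts_per_scan=20))
```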

OK. So I’ll set the databases value to the number of IPs per target plus a 20% margin in case of new scan requests, and see how it goes.

Thanks for your help Bricks.
