Docker Installation

The Docker installation is the method to choose if you want to quickly deploy OpenCVE without managing the dependencies (like PostgreSQL, Redis or Celery).

Please keep in mind that this project is designed to be installed with our fork of opencve-docker.

Requirements

The current documentation has been tested on Debian 10 and Ubuntu LTS 20.04 with the following requirements:

  • Docker-compose 1.21.0+
  • Docker 20.10.1+
  • 8 GB RAM

If you want to know more about Docker, you can read here.

Clone the app and Docker environment

Get the OpenCVE docker repository:

$ git clone https://github.com/Gael-Lejeune/opencve-docker

Then move into the directory (using the cd command) and run the following command to clone our fork of opencve:

$ git clone https://github.com/Gael-Lejeune/opencve opencve

Info

If you want to use the cpe branch of the fork, you can run the following command instead:

$ git clone https://github.com/Gael-Lejeune/opencve --branch cpe-version opencve

Learn more about this branch here.

Installation steps

Configuration

Create a copy of the opencve.cfg.example file, which is in the conf folder:

$ cp ./conf/opencve.cfg.example ./conf/opencve.cfg

Edit the opencve.cfg file, replacing each placeholder together with its surrounding <>:

server_name = <your_listening_ip>:8000
secret_key = "<your_secret_key>"

<your_listening_ip> can be set to 127.0.0.1.
secret_key should be between quotes and be a randomly generated key containing at least 32 characters (see the Flask recommendations).

Update the SMTP Configuration

For the moment, the Outlook SMTP server is unused and the email functions are not working, so you are not forced to configure it.

[mail]
; Choices are 'smtp' or 'sendmail'
email_adapter = smtp
; The 'From' field of the sent emails
email_from = examplemail@outlook.com
; Configuration to set up SMTP mails.
smtp_server = smtp.office365.com
smtp_port = 587
smtp_use_tls = True
smtp_username = examplemail@outlook.com
smtp_password = examplepassword

Note that the email_from and smtp_username should be the same.


Check files & Line endings

Make sure that ./conf/opencve.cfg and ./run.sh use LF line endings (not CRLF, which could cause errors while building or running the container). If you want to learn more about LF and CRLF, you can click here. You can change the line endings using Visual Studio Code or Notepad++.

Tip

If you want to change the default PostgreSQL password (strongly advised), you can add it in the .env file before running docker-compose build:

POSTGRES_PASSWORD=MyStrongPassword42

Then don't forget to change it in the opencve.cfg file.

Info

You will need an SMTP server to send the notification emails. Its configuration is out of scope of this procedure.
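The configuration checks described above (line endings, secret_key, PostgreSQL password) can be scripted before the build. This is an added example, not part of opencve-docker; the function names are assumptions and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not part of opencve-docker. Function names are assumptions.
CR=$(printf '\r')

# has_crlf FILE: true if any line of FILE ends in a carriage return.
has_crlf() { grep -q "${CR}\$" "$1"; }

# cfg_value KEY FILE: print the first "KEY = value" value with CR and
# double quotes removed.
cfg_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        head -n 1 | tr -d '\r"'
}

# preflight CFG RUNSH ENVFILE: print one line per finding; return 1 if any.
preflight() {
    cfg=$1; runsh=$2; envfile=$3; bad=0
    for f in "$cfg" "$runsh"; do
        if has_crlf "$f"; then echo "CRLF line endings: $f"; bad=1; fi
    done
    key=$(cfg_value secret_key "$cfg")
    case $key in
        *'<'*|*'>'*) echo "secret_key: placeholder not replaced"; bad=1 ;;
        *) if [ "${#key}" -lt 32 ]; then
               echo "secret_key: shorter than 32 characters"; bad=1
           fi ;;
    esac
    pw=
    if [ -f "$envfile" ]; then pw=$(cfg_value POSTGRES_PASSWORD "$envfile"); fi
    case $pw in
        '') echo "POSTGRES_PASSWORD: not set in $envfile"; bad=1 ;;
        MyStrongPassword42) echo "POSTGRES_PASSWORD: documentation sample"; bad=1 ;;
    esac
    return "$bad"
}

# Constructed sample files: CRLF config with the unedited placeholder.
demo=$(mktemp -d)
printf 'server_name = 127.0.0.1:8000\r\nsecret_key = "<your_secret_key>"\r\n' \
    > "$demo/opencve.cfg"
printf '#!/bin/sh\n' > "$demo/run.sh"
printf 'POSTGRES_PASSWORD=MyStrongPassword42\n' > "$demo/.env"
preflight "$demo/opencve.cfg" "$demo/run.sh" "$demo/.env" || true
# Real use, from the repository root: preflight conf/opencve.cfg run.sh .env
```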

Initialize the stack

All the following commands must be run in a terminal, in the root folder of the project (you should be able to see files like "Dockerfile").

You can now build the OpenCVE image.

$ docker-compose build

Then start everything except the beat:

$ docker-compose up -d postgres redis webserver celery_worker

Initialize the database

The database can be initialized with the following command:

$ docker exec -it webserver opencve upgrade-db

Import the data

The tables are now created, and you can populate them using the import-data command:

$ docker exec -it webserver opencve import-data

This command downloads the list of CPE, the list of CWE and the CVEs of each year (from 2002 until now), so it can take several minutes. Don't worry, you will only do it once.

Note

Alternatively, you can use the following command to import less CVEs, making it a bit faster and more suitable for testing.

$ docker exec -it webserver opencve import-data-light

Warning

The NVD data are downloaded, extracted and then parsed in memory before being inserted into the database. For that, the import-data command needs at least 5 GB of memory to do its job correctly. Afterwards, the worker uses very little memory, as only the diff with the NVD is processed.

If you launch opencve import-data without this much memory, the command will be killed (OOM) by your operating system and your data will be incomplete.

We wrote documentation on handling this problem using a swap file.

Create an admin

You can now create the admin:

$ docker exec -it webserver opencve create-user john john.doe@example.com --admin
Password:
Repeat for confirmation:
[*] User john created.

Tip

This command is required for the first admin; afterwards you will be able to manage the users with the admin pages.

Start the beat

The last step is to start the scheduler:

$ docker-compose up -d postgres redis webserver celery_worker celery_beat

Check that everything is working fine

You can execute:

$ docker ps
>> CONTAINER ID   IMAGE           COMMAND                  CREATED          STATUS          PORTS                      NAMES
>> 97e3ef4af44f   opencve:1.2.3   "./run.sh celery-beat"   20 seconds ago   Up 58 minutes                              celery_beat
>> faf7f59fff38   opencve:1.2.3   "./run.sh celery-wor…"   16 hours ago     Up 58 minutes                              celery_worker
>> df0faac8526d   opencve:1.2.3   "./run.sh webserver …"   16 hours ago     Up 58 minutes   0.0.0.0:8000->8000/tcp     webserver
>> 63b7e90d2cd7   redis:buster    "docker-entrypoint.s…"   46 hours ago     Up 58 minutes   127.0.0.1:6379->6379/tcp   redis
>> 38af0f416957   postgres:11     "docker-entrypoint.s…"   46 hours ago     Up 58 minutes   127.0.0.1:5432->5432/tcp   postgres

If the status is Up everywhere, everything is working fine. You should now be able to reach the app on <your_listening_ip:your_port> in your favorite web browser.
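The status check above, scripted as an added example (not part of the OpenCVE documentation; check_stack is an assumed name and the sample rows are constructed). It goes one step beyond the text by also reporting ports published on every interface, as the webserver's 0.0.0.0:8000 is in the listing, while redis and postgres are bound to 127.0.0.1.

```shell
#!/bin/sh
# Added example, not part of opencve-docker. check_stack is an assumed name.
# Reads "name<TAB>status<TAB>ports" lines on stdin, prints one line per
# finding, and returns 1 if a container is missing or not running.
check_stack() {
    awk -F '\t' '
        BEGIN { n = split("postgres redis webserver celery_worker celery_beat", want, " ") }
        { seen[$1] = 1 }
        $2 !~ /^Up / { printf "NOT RUNNING  %s (%s)\n", $1, $2; bad = 1 }
        # Published on every interface instead of loopback only.
        $3 ~ /(^|, )(0\.0\.0\.0:|:::|\[::\]:)/ { printf "ALL INTERFACES  %s %s\n", $1, $3 }
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { printf "MISSING  %s\n", want[i]; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample modelled on the listing above: celery_beat has exited
# and postgres is absent.
sample=$(printf '%s\t%s\t%s\n' \
    celery_beat   'Exited (1) 2 minutes ago' '' \
    celery_worker 'Up 58 minutes' '' \
    webserver     'Up 58 minutes' '0.0.0.0:8000->8000/tcp' \
    redis         'Up 58 minutes' '127.0.0.1:6379->6379/tcp')
printf '%s\n' "$sample" | check_stack || true
# Live use:
#   docker ps -a --format '{{.Names}}\t{{.Status}}\t{{.Ports}}' | check_stack
```

An ALL INTERFACES line does not change the return code; it marks a port that is reachable from other hosts unless a firewall or a different port binding restricts it.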

You can now use OpenCVE with your own dockerized instance of it.