Deploying Scanner in OpenStack

Document created by Pukhraj Singh Employee on Jul 21, 2016Last modified by Qualys Documentation on Jul 31, 2019
Version 24Show Document
  • View in full screen mode

This document describes briefly how to deploy the Qualys Virtual Scanner Appliance on OpenStack. This scanner, once deployed, will function as a Standard Virtual Scanner. Learn more about Qualys Cloud Platform.

 

Deployment Steps

We'll help you with the following steps:

1) Download the tar.gz image.

2) Unzip and extract the tar.gz file.

3) The extracted file format will be in QCOW2 format.

4) Upload the Scanner Image.

5) Launch the Scanner Instance.

6) How do I know my Scanner Instance is ready to use?

7) Troubleshooting

 

 

About Managing Instances

Instance Snapshots/Cloning Not Allowed - Using a snapshot or clone of a virtual scanner instance to create a new instance is strictly prohibited. The new instance will not function as a scanner. All configuration settings and platform registration information will be lost. This could also lead to scans failing and errors for the original scanner.

 

Moving/Exporting Instance Not Allowed - Moving or exporting a registered scanner instance from a virtualization platform (HyperV, VMware, XenServer) in any file format to OpenStack cloud platform is strictly prohibited. This will break scanner functionality and the scanner will permanently lose all of its settings.

 

 

Get Started

Log in to the Qualys Cloud Platform and download the OpenStack Scanner Image. The image will be in the tar.gz format and you'll need to extract the QCOW2 file from it. 

 

Extract QCOW2 from tar.gz

 

Linux

# tar –xvzf qVSA-2.5.xx-x.tar.gz

This will generate a file in QCOW2 format.

 

qVSA-2.5.xx-x.qcow2

Upload this QCOW2 file using dashboard or from the command line.

 

Windows

You can install 7-zip or any other extracting tool on the machine

 

 

The extraction step will generate a tar file.

 

Extract the tar file to generate the QCOW2 file.

 

 

 

Upload the Scanner Image

Scanner images can be loaded using the dashboard or the command line. 

 

Upload the Scanner image using dashboard

Go into Images from Compute and click the Create Image button.


Give a name to the Image, then add the source, it can either be a link or an image file from the localhost. The format should be QCOW2.

Then click Create Image. The Image will be saved, and you’ll see it on Images dashboard.

 

Upload the Scanner image using command line

Run the following command on the Controller Node:

openstack image create < "IMAGE NAME" > --file < IMAGE_DISTRO_FILE > --disk-format < DISK_FORMAT > --container-format bare --public

 

Example:

openstack image create "qVSA-2.5.xx-x" --file qVSA-2.5.xx-x.qcow2 --disk-format qcow2 --public

 

Launch the Scanner Instance

Scanner images can be launched using the dashboard or the command line. 

 

Launch the Scanner Instance using dashboard

Click the Launch Instance button under Instances. Fill out all the required details.

 

Enter a name for your instance.

 

Select the scanner image.

 

Requirements: The scanner instance needs at least 56GB free disk space, 2GB memory and network connectivity to the outside world.

 

The flavor you choose must have this capacity. If you are using the default flavors you can use the medium or large flavor.

 

You can assign an IP either through the Networks section or through the Network Ports option. 

 

If assigning through Network section, select the network from given networks, and proceed to the Security Groups option.

 

Select the network which has connectivity to the outside world.

 

Choose the Security Group.

 

Skip the Key Pair Step - Since you are not allowed to log in to the Scanner Instance, you don't need the key.

 

Next enter the personalization code you obtained from the Qualys Cloud Platform in Customization Script.

 

Optional: You can also provide proxy information. We support both IP and FQDN for the proxy server configuration. 

 

In the Customization Script, add the following information:

PERSCODE = xxxxxxxxxxxxxx

PROXY_URL = username:password@proxyhost:port

 

Formatting:
If you have a domain user, the format is domain\username:password@proxyhost:port
If authentication is not used, the format is proxyhost:port
where proxyhost is the IPv4 address or the FQDN of the proxy server, port is the port the proxy server is running on

 

Examples:

jdoe:abc12345@10.40.1.123:3128
jdoe:abc12345@myproxy.qualys.com:3128
ntlm\jdoe:abc1234@10.40.1.123:3128

 

Notes:

- Proxy information can be provided at the time of Instance creation or after launching the Instance.

- You can enter the personalization code even after launching the instance.

 

Skip the Metadata Step - For launching the Scanner Instance you don't need to provide any type of metadata.

 

After all the information is added, click the Launch Instance button to create the instance. The instance status will be ACTIVE after it is successfully launched. The scanner will start downloading the latest packages and you can view the install progress from the console.

 

After all the packages are downloaded, the GUI will display the message “Welcome to Qualys Virtual Scanner”.

 

It will have the Appliance name and an IP address assigned.

 

 

Launch the Scanner Instance using command line

>> PERSCODE in the form of userdata can also be provided through the command line. In this case you will not be prompted to enter the code on the console.

 

How to provide the PERSCODE through command line

Create a file and add the following line in it:

PERSCODE=xxxxxxxxxxxxxx

PROXY_URL= username:password@proxyhost:port (Optional, see more details above)

 

Then run the following commands to launch an instance:

Obtain your net-id

openstack network list

 

Run the following command to create an instance

openstack server create --flavor < FLAVOR > --image < SCANNER IMAGE > --nic net-id= < NET_ID > --security-group < SECURITY_GROUP > --user-data < FILE > < INSTANCE_NAME >

 

>> If you don't provide PERSCODE in the form of userdata, you will be prompted to enter it on the GUI console.

 

Run the following commands on the Controller Node:

Obtain your net-id

openstack network list

 

Run the following command to create an instance

openstack server create --flavor < FLAVOR > --image < IMAGE_NAME > --nic net-id= < PROVIDER_NET_ID > --security-group < SECURITY_GROUP > < INSTANCE_NAME > 

 

If PERSCODE is not provided in userdata, the following error is returned.

 

Press Enter and type in your personalization code. 

 

The instance status will be ACTIVE, after it is successfully launched. 

 

 

How do I know my scanner is ready to use?

Check your virtual scanner status in Qualys. Go to Scans > Appliances, and find your scanner in the list. Tip - It can take several minutes for the Qualys user interface to get updated after you add a new appliance. Please refresh your browser periodically to ensure that you are seeing the most up to date details.

 

 

 

Troubleshooting

Scanner appliance not picking up the user - data provided in the customization script.

If you are facing the any issue, you need to check few things.
> Metadata service is configured correctly and it'’ enabled and working fine.
> Your security group rules are configured correctly.
In OpenStack there are two ways, in which an instance can access the metadata over the network.
> Router NameSpace
> DHCP NameSpace
Our appliance supports both the modes.


No valid host was found. There are not enough hosts available.

Scanner appliance instance requires minimum of 56 GB free disk space and 2GB memory.

Choose the correct flavor while launching the instance.

 

Looking for more help?

Check out our Help Center.

Attachments

    Outcomes