OpenVAS Change Request #50: Automatic restart of openvas-scanner after plugin updates

Status: In discussion.

Purpose

Automatic restart of openvas-scanner after plugin updates and/or retrieving new plugins.

Rationale

If openvas-nvt-sync is run as a cron job, updates to existing plugins and new plugins added to the feed are not picked up by the running openvas-scanner, so scans do not benefit from them. Currently, openvas-scanner has to be restarted manually to load them. It would be useful, convenient and interesting if openvas-nvt-sync could notify openvas-scanner that new plugins are available, triggering a scheduled restart of the openvas-scanner daemon.

Effects

As explained below, the scheduled restart should only take place when all current scans have finished, and it would probably be a good idea to also wait until no clients are connected. However, during the restart itself, while the new plugins are being processed, users would not be able to connect to openvas-scanner.

Design and Implementation

After running openvas-nvt-sync, if new plugins have been downloaded (with rsync this can be determined; with other methods the notification may have to be sent unconditionally), the script could notify openvas-scanner using a signal (SIGUSR1, SIGUSR2, SIGHUP, ...). The openvas-scanner daemon would receive this signal and set an internal flag indicating that a daemon restart should be performed as soon as possible.

When all currently running scans have finished, this restart could be performed. To minimize the impact on user experience, it would probably be a good idea to also wait until all currently connected clients have disconnected from the server (though if some users leave their clients connected permanently, this could prevent the daemon from ever restarting). Scheduled scans could also be taken into account, allowing the restart only when the next scheduled scan is at least several minutes away (the number of minutes could perhaps be estimated from the number of new plugins).

To further minimize the impact on user experience, a small dummy service could be started before the plugins are processed, listening on the usual openvas-scanner port, whose only role is to inform incoming client connections that the scanner is restarting and processing new plugins, and to ask them to wait or retry later.
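The signal-flag-and-idle-check flow described in the first two paragraphs above, written out as an added C example (not OpenVAS code). The handler, the idle conditions and the restart-time estimate (assumed here: one minute plus one minute per 500 new plugins) are all hypothetical, as are the function names.

```c
/* Added example (not OpenVAS code): a model of the proposed flow. All names
 * (restart_requested, install_restart_handler, restart_allowed...) are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdbool.h>
#include <string.h>

static volatile sig_atomic_t restart_requested = 0;

/* The handler only sets a flag: that is all that is async-signal-safe here. */
static void on_restart_signal(int signo) { (void)signo; restart_requested = 1; }

/* Install the handler for the notification signal (the request leaves the exact
 * signal open). SA_RESTART keeps blocking accept()/poll() from failing with EINTR. */
int install_restart_handler(int signo) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_restart_signal;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(signo, &sa, NULL);
}

/* Restart-duration estimate, as the request suggests: assumed here to be one
 * fixed minute plus one minute per 500 new plugins. */
int estimated_restart_minutes(int new_plugin_count) { return 1 + new_plugin_count / 500; }

/* True when the restart may start: requested, no scan running, no client
 * connected, and the next scheduled scan (minutes_to_next_scan, -1 if none)
 * lies beyond the estimated restart time. */
bool restart_allowed(int running_scans, int connected_clients,
                     int minutes_to_next_scan, int new_plugin_count) {
    if (!restart_requested) return false;
    if (running_scans > 0 || connected_clients > 0) return false;
    if (minutes_to_next_scan >= 0 &&
        minutes_to_next_scan <= estimated_restart_minutes(new_plugin_count))
        return false;
    return true;
}

/* Main-loop hook: once allowed, consume the flag and tell the caller to re-exec
 * the daemon so that the new plugins are processed. */
bool check_and_clear_restart(int running_scans, int connected_clients,
                             int minutes_to_next_scan, int new_plugin_count) {
    if (!restart_allowed(running_scans, connected_clients,
                         minutes_to_next_scan, new_plugin_count))
        return false;
    restart_requested = 0;
    return true;
}
```

The daemon would call check_and_clear_restart() once per iteration of its accept/poll loop with its current counters; openvas-nvt-sync would send the chosen signal to the scanner's PID after a sync that fetched plugins.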

History