Deploying Scanner Using OpenShift CLI

Perform the following steps to set up the Qualys Scanner Appliance in OpenShift using CLI tools.

  1. Upload your extracted QVSA QCOW2 image via CLI:

    On a machine or container with the OpenShift CLI (oc) and virtctl installed, upload the extracted QCOW2 Scanner image to the OpenShift server. The --insecure flag makes virtctl skip TLS certificate verification for the upload proxy; omit it when the proxy presents a certificate the client trusts.

    virtctl image-upload dv qvsa-x-x-xx-x-dv --size=56Gi --storage-class=<storage-class-name> --image-path=<path to extracted qVSA.qcow2 file> --uploadproxy-url=https://<openshift-server-url> --insecure

    Example:

    virtctl image-upload dv qvsa.x86-64-4-1-82-1-golden-dv --size=56Gi --storage-class=scanner-sc --image-path=qVSA.x86_64-4.1.82-1.qcow2 --uploadproxy-url=https://cdi-uploadproxy-openshift-cnv.apps.mycompany.com --insecure

  2. Prepare the VM configuration YAML.
    • PERSCODE and the optional PROXY_URL can be added to the userData section of the YAML.
    • To enable split networking, provide two network interfaces on different network subnets.
    • If 'runStrategy' is set to 'Always', the scanner cannot be shut down from the Scanner Console.
      To shut down the scanner from the Scanner Console, set 'runStrategy' to 'Manual'.
      Configure this parameter according to your environment and operational requirements.

    Sample Scanner VM Configuration

    
    apiVersion: kubevirt.io/v1
    kind: VirtualMachine
    metadata:
      name: qualys-scanner
      namespace: scanner-appliance
    spec:
      runStrategy: Manual # Use 'Manual' to initiate VM shutdown from Scanner Console; otherwise, use 'Always' for automation purposes, depending on your needs.
      dataVolumeTemplates:
      - metadata:
          name: qualys-scanner-rootdisk
        spec:
          source:
            pvc:
              name: qvsa.x86-64-4-1-82-1-golden-dv    # clone from your golden image PVC
          storage:
            resources:
              requests:
                storage: 56Gi                # size of the cloned disk
      template:
        spec:
          domain:
            cpu:
              cores: 2
            resources:
              requests:
                memory: 4Gi
            devices:
              disks:
                - name: bootdisk
                  disk:
                    bus: virtio
                - name: cloudinitdisk
                  disk:
                    bus: virtio
              interfaces:            # Add 2 network interfaces to enable split network
                - bridge: {}
                  model: virtio
                  name: eth0
                - bridge: {}
                  model: virtio
                  name: eth1
          networks:                # To enable split network, subnets should be different
            - multus:
                networkName: sub-172-16-0-x
              name: eth0
            - multus:
                networkName: sub-10-15-252-x
              name: eth1
          volumes:
            - name: bootdisk
              dataVolume:
                name: qualys-scanner-rootdisk  # cloned DataVolume
            - name: cloudinitdisk
              cloudInitNoCloud:
                userData: |
                  #cloud-config
                  PERSCODE=70601970395319
                  # Optional proxy configuration; format: proxyuser:password@proxyhost:proxyport
                  #PROXY_URL=user:pass@myproxy:443
                  #Enable_WAN_Interface=True     # Uncomment and set to True if enabling Split Network
    
  3. Run the command:

    oc apply -f <path to scanner vm configuration yaml>

    Example:

    oc apply -f sample.yaml

  4. When the VM is done provisioning, start the VM.

    The instance status will be ACTIVE after it connects with the Qualys Cloud Platform to complete registration and download the latest software and vulnerability signatures.
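
An added example, not part of the Qualys documentation: a Python check that applies the constraints from step 2 (runStrategy, split-network interfaces, PERSCODE, PROXY_URL) to a VirtualMachine object. The function names and finding texts are hypothetical, the sample object is constructed from the page's YAML, and comparing networkName values is an assumed stand-in for comparing subnets.

```python
def audit_scanner_vm(vm):
    """Findings for a VirtualMachine dict, e.g. parsed `oc get vm -o json` output."""
    spec, findings = vm["spec"], []
    tmpl = spec["template"]["spec"]
    # Per the page, 'Always' prevents shutdown from the Scanner Console.
    if spec.get("runStrategy") == "Always":
        findings.append("runStrategy Always: no shutdown from Scanner Console")
    ifaces = [i["name"] for i in tmpl["domain"]["devices"].get("interfaces", [])]
    nets = {n["name"]: n.get("multus", {}).get("networkName")
            for n in tmpl.get("networks", [])}
    findings += [f"interface {n} has no matching network" for n in ifaces if n not in nets]
    # Collect active (uncommented) KEY=VALUE lines from the cloud-init userData.
    settings = {}
    for vol in tmpl.get("volumes", []):
        user_data = vol.get("cloudInitNoCloud", {}).get("userData", "")
        for line in map(str.strip, user_data.splitlines()):
            if line and not line.startswith("#") and "=" in line:
                key, _, value = line.partition("=")
                settings[key.strip()] = value.split(" #")[0].strip()
    if not settings.get("PERSCODE"):
        findings.append("userData has no active PERSCODE line")
    # Split network: two interfaces on different networks plus the WAN flag.
    # Assumption: distinct networkName values stand in for distinct subnets.
    wan = settings.get("Enable_WAN_Interface", "").lower() == "true"
    distinct = len({nets.get(n) for n in ifaces})
    if wan and (len(ifaces) != 2 or distinct != 2):
        findings.append("Enable_WAN_Interface=True without two interfaces on different networks")
    if not wan and len(ifaces) == 2:
        findings.append("two interfaces but Enable_WAN_Interface is not True")
    # Inline proxy credentials are readable by anyone who can read the VM object.
    if "@" in settings.get("PROXY_URL", ""):
        findings.append("PROXY_URL embeds credentials in the VM spec")
    return findings

def sample_vm(user_data, strategy="Manual", second_net="sub-10-15-252-x"):
    """Constructed VM object mirroring the page's sample YAML (relevant fields only)."""
    return {"spec": {"runStrategy": strategy, "template": {"spec": {
        "domain": {"devices": {"interfaces": [{"name": "eth0"}, {"name": "eth1"}]}},
        "networks": [{"name": "eth0", "multus": {"networkName": "sub-172-16-0-x"}},
                     {"name": "eth1", "multus": {"networkName": second_net}}],
        "volumes": [{"name": "bootdisk", "dataVolume": {"name": "qualys-scanner-rootdisk"}},
                    {"name": "cloudinitdisk", "cloudInitNoCloud": {"userData": user_data}}],
    }}}}

if __name__ == "__main__":
    # userData as the page's sample leaves it: proxy and WAN lines commented out.
    page_user_data = ("#cloud-config\nPERSCODE=70601970395319\n"
                      "#PROXY_URL=user:pass@myproxy:443\n#Enable_WAN_Interface=True\n")
    print(audit_scanner_vm(sample_vm(page_user_data)))
```

To run it against a deployed scanner, pass the parsed JSON from `oc get vm qualys-scanner -n scanner-appliance -o json` to `audit_scanner_vm`.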