Create Containerized Scanner

Run the following command as the 'root' user for Containerized Scanner Creation (CSC).

Sample

PERSONALIZATION_CODE=<Personalization code generated from Qualys Subscription>; NAME=<Containerized Scanner Name>; \
mkdir -p <Path to Private Space>/$PERSONALIZATION_CODE; \
docker run -d -v <Path to Shared Space>:/usr/local/qualys:z -v <Path to Private Space>/$PERSONALIZATION_CODE:/usr/local/qualys/admin/etc:z \
-e PERSONALIZATION_CODE=$PERSONALIZATION_CODE --name "$NAME" -e QUALYS_URL=https://<first endpoint mentioned in Security Operations Center (SOC)> <qCSS IMAGE ID>

The scanning capacity of a containerized scanner depends on the memory, swap and CPUs assigned to it. Based on the resource assignment, a containerized scanner can be categorized as unlimited or limited.

Unlimited Containerized Scanner 
If resource preferences such as memory, swap, and CPUs are not provided, the Containerized Scanner can use all available resources on the docker host. Such a Scanner is termed an Unlimited Containerized Scanner.

Limited Containerized Scanner
If the user allocates preferred resources to the Containerized Scanner, it is termed a Limited Containerized Scanner.

Unlimited Containerized Scanner

When memory, swap and CPU preferences are not provided, the Containerized Scanner uses all the resources available on the Docker host.

It is recommended that you use only one Unlimited Containerized Scanner per Docker host, as it consumes all the memory, swap and CPUs available on the Docker host.

Use the following sample command to create an Unlimited Containerized Scanner. After the command is executed, the container ID is printed, and the containerized scanner is launched in detached mode.

Sample

[root@localhost ~]# PERSONALIZATION_CODE=xxx5xxx1xxx0xx; NAME=Qualys_Container; mkdir -p /usr/qualys/private/$PERSONALIZATION_CODE; docker run -d -v /usr/qualys/common:/usr/local/qualys:z -v /usr/qualys/private/$PERSONALIZATION_CODE:/usr/local/qualys/admin/etc:z -e PERSONALIZATION_CODE=$PERSONALIZATION_CODE --name "$NAME" -e QUALYS_URL=https://qualysxxx.xxx.xxx.xxx.qualys.com 6715167e4412
babd3b78c598417dfc07a701dbd20d318afc82af524a41e67b3af5932f41c1be
[root@localhost ~]#

Limited Scanner

You can provide resource preferences for the Containerized Scanner, including memory, swap, and the number of CPUs. The user can divide the Docker host's resources and create multiple Containerized Scanners.

Assign resources to the Containerized Scanners so that the total of the assigned resources stays within the Docker host's resource limits.

The following parameters can be used to provide preferred resources:

Parameter      Description
--memory       Memory (RAM) to be allocated to the containerized scanner.
--memory-swap  Total of memory + swap to be allocated to the containerized scanner. If --memory is set to 1024M and --memory-swap is set to 2048M, the Containerized Scanner gets 1024M of swap.
--cpus         Total number of CPUs to be allocated to the containerized scanner.

Use the following sample command to create a Limited Containerized Scanner. After executing the command, a Container ID is printed, and the containerized scanner is launched in detached mode.

Sample

[root@localhost ~]# PERSONALIZATION_CODE=xxx5xxx1xxx0xx; NAME=Qualys_Container; mkdir -p /usr/qualys/private/$PERSONALIZATION_CODE; docker run -d -v /usr/qualys/common:/usr/local/qualys:z -v /usr/qualys/private/$PERSONALIZATION_CODE:/usr/local/qualys/admin/etc:z -e PERSONALIZATION_CODE=$PERSONALIZATION_CODE --name "$NAME" --memory 1024M --memory-swap 2048M --cpus 1 -e QUALYS_URL=https://qualysxxx.xxx.xxx.xxx.qualys.com 6715167e4412
2e6a4c0c0479e9bab8232c71f4be21aedcbcb025809125b80788d500d304031e
[root@localhost ~]#

The scanning capacity of a Containerized Scanner is calculated based on the total memory, swap and CPUs allocated to it.

Do not overcommit the resources. Overcommitting may cause the container itself or the host to malfunction. For example, in the case of overcommitting swap, a lack of sufficient swap on the host could lead to guest user operating systems being forcibly shut down, leaving the guests inoperable.
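The script below is an added example, not part of the Qualys documentation or product: a pre-flight check that totals the limits planned for several scanners on one Docker host and fails when they overcommit memory, swap or CPUs, or when an unlimited scanner would share the host. The function name check_scanner_plan, the input line format and the host figures are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Qualys code). Pre-flight check for the scanners planned on one host.
# stdin: one scanner per line: NAME MEMORY_MB MEMORY_SWAP_MB CPUS
#        MEMORY_SWAP_MB is the --memory-swap value (memory + swap combined);
#        MEMORY_MB of 0 means no limits were given (Unlimited Containerized Scanner).
# args:  host memory in MB, host swap in MB, host CPU count.
# Prints "OK ..." and returns 0, or prints "FAIL: ..." and returns 1.
check_scanner_plan() {
    awk -v hm="$1" -v hs="$2" -v hc="$3" '
        BEGIN   { mem = 0; swap = 0; cpu = 0 }
        NF == 0 { next }                                   # ignore blank lines
        NF != 4 { why = why " malformed-line:" NR ";"; next }
        { n++ }
        $2 == 0 { unlimited++; next }                      # no --memory: unlimited
        $3 < $2 { why = why " " $1 ":memory-swap-below-memory;"; next }
        { mem += $2; swap += $3 - $2; cpu += $4 }          # swap = memory-swap - memory
        END {
            # The page recommends only one unlimited scanner per Docker host.
            if (unlimited > 0 && n > 1) why = why " unlimited-scanner-not-alone;"
            if (mem  > hm) why = why " memory " mem "M>" hm "M;"
            if (swap > hs) why = why " swap " swap "M>" hs "M;"
            if (cpu  > hc) why = why " cpus " cpu ">" hc ";"
            if (why != "") { print "FAIL:" why; exit 1 }
            print "OK memory=" mem "M swap=" swap "M cpus=" cpu
        }'
}

# Constructed sample: two Limited scanners using the sample limits from this page
# (--memory 1024M --memory-swap 2048M --cpus 1) on a hypothetical host with
# 4096M RAM, 4096M swap and 4 CPUs.
printf '%s\n' 'scanner_a 1024 2048 1' 'scanner_b 1024 2048 1' \
    | check_scanner_plan 4096 4096 4 || true
```

On a real host, the three arguments can be taken from `free -m` and `nproc` before any `docker run` command is issued.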

Next Step

Custom Parameters for Containerized Scanner