Scanning in OpenStack

Document created by Pukhraj Singh on Jul 21, 2016. Last modified by Qualys Documentation on Jan 29, 2019. Version 23.

This document describes briefly how to deploy the Qualys Virtual Scanner Appliance on OpenStack. This scanner, once deployed, will function as a Standard Virtual Scanner. Learn more about Qualys Cloud Platform.


Deployment Steps

We'll help you with the following steps:

  1. Extract VHD from VHD.GZ file.
  2. Upload the Scanner Image
  3. Launch the Scanner Instance
  4. How do I know my scanner is ready to use?
  5. Troubleshooting


About Managing Instances

Instance Snapshots/Cloning Not Allowed - Using a snapshot or clone of a virtual scanner instance to create a new instance is strictly prohibited. The new instance will not function as a scanner. All configuration settings and platform registration information will be lost. This could also lead to scans failing and errors for the original scanner.


Moving/Exporting Instance Not Allowed - Moving or exporting a registered scanner instance from a virtualization platform (HyperV, VMware, XenServer) in any file format to OpenStack cloud platform is strictly prohibited. This will break scanner functionality and the scanner will permanently lose all of its settings.


Get Started

The following deployment is performed on the OpenStack Newton release.


Log in to the Qualys Cloud Platform and download the OpenStack Scanner Image. The image will be in the VHD.GZ format and you'll need to extract the VHD file from it.


Extract VHD from VHD.GZ


# gunzip qVSA.i386.-2.4.19-1.vhd.gz

This will generate a file in the VHD format.


Upload this VHD file using the dashboard or from the command line.



Alternatively, you can install 7-zip or any other extraction tool on the machine and use it to extract all the files from the VHD.GZ file.


Then upload the resulting VHD file using the dashboard or from the command line.


Upload the Scanner Image

Scanner images can be loaded using the dashboard or the command line.


Upload the Scanner image using dashboard

Go to Images and click the Create Image button.


Give the image a name, then add the source, which can be either a link or an image file from the local host. The format should be VHD.

Then click Create Image. The image will be saved and you'll see it on the dashboard.



Upload the Scanner image using command line

Run the following command on the Controller Node:

openstack image create "<IMAGE_NAME>" --file <IMAGE_DISTRO_FILE> --disk-format <DISK_FORMAT> --container-format bare --public


Launch the Scanner Instance

Scanner images can be launched using the dashboard or the command line.


Launch the Scanner Instance using dashboard

Click the Launch Instance button under Instances. Fill out all the required details.


Enter a name for your instance.


Select the scanner image.


Requirements: The scanner instance needs at least 60GB free disk space, 4GB memory and network connectivity to the outside world.


The flavor you choose must have this much capacity. If you are using the default flavors you can use the medium or large flavor.



You can assign an IP either through the Networks section or through the Network Ports section.

If you use the Networks section, select the network from the given networks, and proceed to the Security group option.


Select the network which has connectivity to the outside world.



On the other hand, if you are assigning the network through the Network Ports section, you need to select one of the ports from the list of ports you have created.


Select one of the network ports through which the appliance can connect to the outside world.



Choose the Security group:



Skip the Key Pair step. Since you are not allowed to log in to the Scanner Instance, you don't need the key.


Next enter the personalization code you obtained from the Qualys Cloud Platform in Customization Script.


Optional: You can also provide proxy information. We support both IP and FQDN for the proxy server configuration.



In the Customization Script, add the following information:

PERSCODE = xxxxxxxxxxxxxx

PROXY_URL = username:password@proxyhost:port


If you have a domain user, the format is domain\username:password@proxyhost:port
If authentication is not used, the format is proxyhost:port
where proxyhost is the IPv4 address or the FQDN of the proxy server, and port is the port the proxy server is running on.


- You must provide proxy information at the time the instance is launched. It can't be provided after launching the instance.

- However, you can enter the personalization code even after launching the instance.

- Currently we don't support injecting user-data through the configuration drive.


Skip the Metadata step. To launch the Scanner Instance you don't need to provide any type of metadata.


After all the information is added, click the Launch Instance button to create the instance. The instance status will be ACTIVE after it is successfully launched. The scanner will start downloading the latest packages and you can view the install progress from the console.



After all the packages are downloaded, the GUI will display the message Welcome to Qualys Virtual Scanner.


It will have the Appliance name and an IP address assigned.




Launch the Scanner Instance using command line

>> PERSCODE in the form of userdata can also be provided through the command line. In this case you will not be prompted to enter the code on the console.

How to provide the PERSCODE through command line

Create a file and add the following lines to it:

PERSCODE = xxxxxxxxxxxxxx

PROXY_URL = username:password@proxyhost:port

The PROXY_URL line is optional; see the format details above.


Then run the following commands to launch an instance:
Obtain your net-id

openstack network list

Run the following command to create an instance

openstack server create --flavor <FLAVOR> --image <SCANNER_IMAGE> --nic net-id=<NET_ID> --security-group <SECURITY_GROUP> --user-data <FILE> <INSTANCE_NAME>
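Added example (not part of the Qualys documentation): because the proxy setting cannot be changed after launch and the user-data file may hold proxy credentials, the shell functions below validate both values and write the file with owner-only permissions before it is passed to --user-data. The function names, the 14-digit check on the personalization code, and writing KEY=value without spaces around "=" are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Qualys code. Assumptions: function names, a 14-digit
# personalization code, and KEY=value lines written without spaces around "=".

# Succeeds if $1 is one of the PROXY_URL forms listed above:
#   domain\username:password@proxyhost:port
#   username:password@proxyhost:port
#   proxyhost:port
valid_proxy_url() {
    hostport=${1##*@}                       # text after the last "@"
    case $1 in
        *@*) creds=${1%@*}                  # text before the last "@"
             printf '%s\n' "$creds" | grep -Eq '^[^:@]+:.+$' || return 1 ;;
    esac
    host=${hostport%:*}
    port=${hostport##*:}
    [ "$host" != "$hostport" ] || return 1  # the ":port" part is required
    printf '%s\n' "$host" |
        grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$' || return 1
    printf '%s\n' "$port" | grep -Eq '^[0-9]{1,5}$' || return 1
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# write_userdata FILE PERSCODE [PROXY_URL]
# Validates both values, then writes FILE with mode 0600 because the proxy
# line can carry a username and password.
write_userdata() {
    out=$1 perscode=$2 proxy=${3:-}
    printf '%s\n' "$perscode" | grep -Eq '^[0-9]{14}$' ||
        { echo "PERSCODE must be 14 digits" >&2; return 1; }
    if [ -n "$proxy" ] && ! valid_proxy_url "$proxy"; then
        echo "PROXY_URL is not in a supported format" >&2
        return 1
    fi
    (
        umask 077
        rm -f "$out"
        printf 'PERSCODE=%s\n' "$perscode" > "$out"
        [ -z "$proxy" ] || printf 'PROXY_URL=%s\n' "$proxy" >> "$out"
    )
}

# Typical use before launching (values are constructed samples):
#   write_userdata scanner-userdata.txt 12345678901234 'proxy.example.com:3128'
```

Delete the file once the instance is ACTIVE if it contains proxy credentials.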


>> On the other hand if you don't provide PERSCODE in the form of userdata, you will be prompted to enter it on the GUI console.

Run the following commands on the Controller Node:

Obtain your net-id

openstack network list

To create an Instance

openstack server create --flavor <FLAVOR> --image <IMAGE_NAME> --nic net-id=<PROVIDER_NET_ID> --security-group <SECURITY_GROUP> <INSTANCE_NAME>


The instance status will be ACTIVE after it is successfully launched.



Press enter and type the personalization code.




How do I know my scanner is ready to use?

Check your virtual scanner status in Qualys. Go to Scans > Appliances, and find your scanner in the list.

Tip - It can take several minutes for the Qualys user interface to get updated after you add a new appliance. Please refresh your browser periodically to ensure that you are seeing the most up to date details.




Troubleshooting

Scanner appliance not picking up the user-data provided in the customization script.

If you are facing the above issue, check the following:
- The metadata service is configured correctly, is enabled, and is working.
- Your security group rules are configured correctly.
In OpenStack there are two ways in which an instance can access the metadata over the network:
- Router namespace
- DHCP namespace
Our appliance supports both modes.

No valid host was found. There are not enough hosts available.

The scanner appliance instance requires a minimum of 60 GB free disk space and 4GB memory.

Choose the correct flavor while launching the instance.


Looking for more help?

Check out our Help Center.