
openstack team mailing list archive

Security concern with vncserver_listen 0.0.0.0 and multi_host

 

Hi,

We are using folsom with nova-networking multi_host=True, which means that
every host has direct access to the internet. In our environment that also
meant that every host had its own public IP (office IP).

We set it to 0.0.0.0 because we needed to support live-migration and
changed to multi_host later so the config was still there.

Related documentation:
http://docs.openstack.org/trunk/openstack-compute/admin/content/important-nova-compute-options.html

But this is a big security problem, because it will make the instances
accessible to everybody who can reach a compute node.

We solved it by running nova-novncproxy on every compute node and setting
the vncserver_listen to 127.0.0.1. How did other people solve this problem?
Is this ok? Didn't see any documentation about this.

I think this problem is an obvious problem that people should notice
themselves, but we were just switching to multi_host mode so overlooked this
small configuration.

To prevent this happening to somebody else we could do the following:
1. In the documentation explicitly tell the user that when you enable
multi_host that you can't use vncserver_listen=0.0.0.0
2. Do some sanity checks on nova.conf options, if we notice that
vncserver_listen: 0.0.0.0 and multi_host true, we don't allow starting the
nova-compute service and give a clear error message saying that it's stupid
to do something like that and what the user should do instead.

Regards,
Sam Stoelinga
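
The sanity check proposed in item 2 of the message above, written as an added example (not part of the original post and not nova's own code). It assumes an INI-style nova.conf with both options in [DEFAULT]; the function names and sample configs are constructed for illustration, and it treats the IPv6 wildcard :: the same as 0.0.0.0.

```python
import configparser
import ipaddress
import sys

# Constructed sample configs (assumption: options live in [DEFAULT]).
RISKY_CONF = "[DEFAULT]\nmulti_host=True\nvncserver_listen=0.0.0.0\n"
FIXED_CONF = "[DEFAULT]\nmulti_host=True\nvncserver_listen=127.0.0.1\n"


def is_wildcard(addr):
    """True if addr is the unspecified address (0.0.0.0 or ::)."""
    try:
        return ipaddress.ip_address(addr.strip()).is_unspecified
    except ValueError:
        return False  # hostname or malformed value: not a wildcard bind


def check_vnc_exposure(conf_text):
    """Return a list of error strings; an empty list means the check passed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    # Fallbacks used when an option is absent: loopback listen, multi_host off.
    listen = cp.get("DEFAULT", "vncserver_listen", fallback="127.0.0.1")
    multi_host = cp.getboolean("DEFAULT", "multi_host", fallback=False)

    errors = []
    if multi_host and is_wildcard(listen):
        errors.append(
            "vncserver_listen=%s with multi_host=True exposes instance VNC "
            "consoles on every address of this compute node; bind to "
            "127.0.0.1 (with a local nova-novncproxy) or to a "
            "management-only address." % listen.strip()
        )
    return errors


if __name__ == "__main__":
    # Usage: python check_vnc.py /etc/nova/nova.conf
    # Without an argument the constructed risky sample is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = RISKY_CONF
    problems = check_vnc_exposure(text)
    for p in problems:
        print("ERROR: " + p, file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Run as a pre-start step for nova-compute, a non-zero exit status blocks the service from starting with the exposed combination.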
