openstack team mailing list archive

Thread
Date

Re: Security concern with vncserver_listen 0.0.0.0 and multi_host

To: Sam Stoelinga <sammiestoel@xxxxxxxxx>
From: "Mac Innes, Kiall" <kiall@xxxxxx>
Date: Wed, 3 Apr 2013 10:11:29 +0000
Accept-language: en-IE, en-US
Cc: "openstack@xxxxxxxxxxxxxxxxxxx" <openstack@xxxxxxxxxxxxxxxxxxx>
Thread-index: AQHOMFJ6wZzCEgJ8E0eVZWwfOYTRhg==
Thread-topic: [Openstack] Security concern with vncserver_listen 0.0.0.0 and multi_host

On 03/04/13 11:03, Sam Stoelinga wrote:
> To prevent this happening to somebody else we could do the following:
> 1. In the documentation explicitly tell the user that when you enable
> multi_host that you can't use vncserver_listen=0.0.0.0
> 2. Do some sanity checks on nova.conf options, if we notice that
> vncserver_listen: 0.0.0.0 and multi_host true, we don't allow starting
> the nova-compute service and give a clear error message saying that it's
> stupid to do something like that and what the user should do instead.

I'm probably missing something here, but would a simple firewall not work?

#2 seems drastic to me, and #1 could be amended to mention the need for 
a firewall instead..

Kiall Mac Innes
HP Cloud Services - DNSaaS

Mobile:   +353 86 345 9333
Landline: +353 1 524 2177
GPG:      E9498407

Follow ups

Re: Security concern with vncserver_listen 0.0.0.0 and multi_host
From: Sam Stoelinga, 2013-04-03

References

Security concern with vncserver_listen 0.0.0.0 and multi_host
From: Sam Stoelinga, 2013-04-03