
openstack team mailing list archive

Re: Security concern with vncserver_listen 0.0.0.0 and multi_host

No, you aren't missing something; a firewall would probably be enough if
we didn't change nova :P I also feel that #2 is too drastic now, but #1
should be done, I guess.

I didn't mention something before about why we can't use a firewall for
this: We did some dirty changes to enable spice and disabled auto_port for
both vnc and spice, so people can access their virtual machines using spice
with a password on a specific port. The company I work for has been
using this since the E version, and in our next version we will start to use
the official spice implementation of openstack. Our current version has
possible bugs also.

Disabling all ports isn't an option in our current state because we still
want to enable spice. We currently have a prefixed range of ports reserved
for spice, 30000 to 40000, that should be accessible from the outside. Those
ports may be used by VNC and/or spice currently (we have disabled autoport
of vnc and spice and let them use the prefixed range).

On Wed, Apr 3, 2013 at 6:11 PM, Mac Innes, Kiall <kiall@xxxxxx> wrote:

> On 03/04/13 11:03, Sam Stoelinga wrote:
> > To prevent this happening to somebody else we could do the following:
> > 1. In the documentation explicitly tell the user that when you enable
> > multi_host that you can't use vncserver_listen=0.0.0.0
> > 2. Do some sanity checks on nova.conf options, if we notice that
> > vncserver_listen: 0.0.0.0 and multi_host true, we don't allow starting
> > the nova-compute service and give a clear error message saying that it's
> > stupid to do something like that and what the user should do instead.
>
> I'm probably missing something here, but would a simple firewall not work?
>
> #2 seems drastic to me, and #1 could be amended to mention the need for
> a firewall instead..
>
> Kiall Mac Innes
> HP Cloud Services - DNSaaS
>
> Mobile:   +353 86 345 9333
> Landline: +353 1 524 2177
> GPG:      E9498407
>
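As an added example that is not part of this thread and not nova's own code, here is what the start-up sanity check proposed as #2 above could look like, run over a constructed nova.conf. It assumes only the option names the thread mentions (vncserver_listen, multi_host) and nova's loopback default for vncserver_listen; the message wording, the nova_compute_may_start gate and the sample 10.0.0.5 management address are hypothetical.

```python
"""Sanity check for the vncserver_listen / multi_host combination.

Added example, not nova's own code. It parses nova.conf text with
configparser, reports a fatal finding when vncserver_listen is a wildcard
address and multi_host is true (nova-compute should not start), and only
warns when the wildcard listen is used without multi_host.
"""
import configparser

# Wildcard listen addresses that expose the console servers on every interface.
WILDCARD_LISTEN = {"0.0.0.0", "::", "[::]"}
# nova's historical default for vncserver_listen is the loopback address.
DEFAULT_LISTEN = "127.0.0.1"


def parse_nova_conf(text):
    """Parse nova.conf text. nova.conf is INI-style with a [DEFAULT] section;
    interpolation is off because values may legitimately contain '%'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def check_console_listen(text):
    """Return a list of (severity, message) findings for the console settings.
    severity is 'fatal' (refuse to start nova-compute) or 'warning'."""
    cp = parse_nova_conf(text)
    listen = cp.get("DEFAULT", "vncserver_listen", fallback=DEFAULT_LISTEN).strip()
    multi_host = cp.getboolean("DEFAULT", "multi_host", fallback=False)

    findings = []
    if listen in WILDCARD_LISTEN:
        if multi_host:
            findings.append((
                "fatal",
                "vncserver_listen=%s with multi_host=True: VNC consoles would "
                "listen on every interface of this compute node, including any "
                "public-facing one. Set vncserver_listen to the management "
                "address the VNC proxy connects to, or disable multi_host." % listen,
            ))
        else:
            findings.append((
                "warning",
                "vncserver_listen=%s: VNC consoles listen on all interfaces; "
                "restrict the listen address or firewall the console ports." % listen,
            ))
    return findings


def nova_compute_may_start(text):
    """The gate proposed as option #2: refuse to start on any fatal finding."""
    return not any(sev == "fatal" for sev, _ in check_console_listen(text))


# Constructed sample configurations (not taken from any real deployment).
WEAK_CONF = """
[DEFAULT]
multi_host = True
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = 10.0.0.5
"""

HARDENED_CONF = """
[DEFAULT]
multi_host = True
# listen only on the (hypothetical) management address the VNC proxy reaches
vncserver_listen = 10.0.0.5
vncserver_proxyclient_address = 10.0.0.5
"""

SINGLE_HOST_CONF = """
[DEFAULT]
vncserver_listen = 0.0.0.0
"""


if __name__ == "__main__":
    samples = (("weak", WEAK_CONF), ("hardened", HARDENED_CONF),
               ("single-host", SINGLE_HOST_CONF))
    for name, conf in samples:
        print(name, "-> nova-compute may start:", nova_compute_may_start(conf))
        for sev, msg in check_console_listen(conf):
            print("  [%s] %s" % (sev, msg))
```

The check deliberately treats the IPv6 wildcard the same way as 0.0.0.0, and it keeps the non-multi_host case as a warning only, which matches the thread's view that #2 is too drastic as a hard failure in general.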
