yahoo-eng-team team mailing list archive
Message #30631
[Bug 1101222] Re: Detect vncserver_proxyclient_address mis-configuration
Triage indicates the bug is basically fixable with the information
provided in the bug. This is a nice to have enhancement, but not
triaged.
** Changed in: nova
Status: Triaged => Opinion
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1101222
Title:
Detect vncserver_proxyclient_address mis-configuration
Status in OpenStack Compute (Nova):
Opinion
Bug description:
Say you have two compute nodes, compute1 and compute2.
vncserver_proxyclient_address on compute1 is set to the public address
of compute1 - i.e. the address by which the proxy should connect to
the VNC server on compute1
If an admin gets this wrong - e.g. copies nova.conf to compute2 and
forgets to change the config option - it has pretty disastrous
security implications. Without any warning or sign that there's a
problem, users attempting to connect to the VNC console of their VM
will be sent to the VNC console of some other VM which happens to be
running on the same port on a different compute node.
I've seen and debugged this in a real deployment :)
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1101222/+subscriptions
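
An added example, not part of the original bug report or of nova's own code: a fleet-level audit for the mis-configuration described above, flagging a node whose vncserver_proxyclient_address is not one of its own addresses and any address shared by several nodes. It assumes the option sits in the [DEFAULT] section of each node's nova.conf and that each node's local IP addresses were collected separately; the function names, hostnames and addresses are constructed for illustration.

```python
import configparser
import ipaddress
from collections import defaultdict

OPTION = "vncserver_proxyclient_address"  # option named in the bug report


def proxyclient_address(conf_text):
    """Return the option's value from nova.conf text, or None if it is unset."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp.get("DEFAULT", OPTION, fallback=None)  # assumed section: [DEFAULT]


def audit(nodes):
    """nodes: {hostname: (nova_conf_text, local_ips)} -> list of (subject, problem)."""
    findings, seen = [], defaultdict(list)
    for host, (conf_text, local_ips) in sorted(nodes.items()):
        addr = proxyclient_address(conf_text)
        if addr is None:
            findings.append((host, "unset"))
            continue
        seen[addr].append(host)
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((host, "not-an-ip"))
            continue
        if ip.is_loopback:
            # The proxy would reach its own loopback, not this compute node.
            findings.append((host, "loopback"))
        elif ip not in {ipaddress.ip_address(a) for a in local_ips}:
            # The address belongs to some other machine: the copied-config case.
            findings.append((host, "not-local"))
    for addr, hosts in sorted(seen.items()):
        if len(hosts) > 1:
            findings.append((tuple(hosts), "duplicate:" + addr))
    return findings


# Constructed sample: compute2 carries a nova.conf copied unchanged from compute1.
CONF1 = "[DEFAULT]\nvncserver_proxyclient_address = 192.0.2.11\n"
NODES = {
    "compute1": (CONF1, {"192.0.2.11", "10.0.0.11"}),
    "compute2": (CONF1, {"192.0.2.12", "10.0.0.12"}),
}

if __name__ == "__main__":
    for subject, problem in audit(NODES):
        print(subject, problem)
```

The "not-local" check can run on a single node at service start; the "duplicate" check needs the configuration of every compute node in one place.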