Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1416994

Summary: [BUG] nova vnc server listens on all active interfaces due to hardcoded vncserver_listen value
Product: Red Hat OpenStack Reporter: David Hill <dhill>
Component: openstack-puppet-modules Assignee: Emilien Macchi <emacchi>
Status: CLOSED ERRATA QA Contact: Arik Chernetsky <achernet>
Severity: low Docs Contact:
Priority: unspecified    
Version: 9.0 (Mitaka) CC: aschultz, dhill, emacchi, jcoufal, jguiditt, jjoyce, jschluet, mburns, mcornea, owalsh, rhel-osp-director-maint, slinaber, srevivo, tvignaud, tvvcox
Target Milestone: async Keywords: FutureFeature, Reopened, Triaged, ZStream
Target Release: 9.0 (Mitaka)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-puppet-modules-8.1.13-1.el7ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1431673 1613451 1613453 Environment:
Last Closed: 2018-08-07 14:51:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1431673, 1613451, 1613453    

Description David Hill 2017-01-26 23:57:41 UTC
Description of problem:
TripleO templates have a hard-coded vncserver_listen value.

This behavior causes VNC to listen on all ports on compute servers, including the routable IP, allowing connections from anybody. We would like to set this like vncserver_proxyclient_address, to the internapi network.

/usr/share/openstack-tripleo-heat-templates/puppet/manifests/overcloud_compute.pp

if str2bool(hiera('nova::use_ipv6', false)) {
  $vncserver_listen = '::0'
} else {
  $vncserver_listen = '0.0.0.0'
}
class { '::nova::compute::libvirt' :
  vncserver_listen => $vncserver_listen,
}

It's not possible to override this value with yaml parameters


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install openstack-tripleo-heat-templates
2. Look at the code
3.

Actual results:
Cannot override

Expected results:
Would like to override

Additional info:

Comment 1 Emilien Macchi 2017-01-27 21:17:53 UTC
David, this is not a bug but a feature.
If you want Live Migration to work, the vncserver_listen must be 0.0.0.0. Otherwise, your VM console won't be available anymore when you migrate your VM to another compute.

You can find some documentation here that confirms what I just wrote:
http://docs.openstack.org/admin-guide/compute-remote-console-access.html

I'm closing the bug.

Comment 2 David Hill 2017-01-29 17:59:11 UTC
Emilien, we've tested this with the customer, and manually changing the VNC listening address to the IP of the compute node doesn't seem to affect anything. Are we sure this is not outdated?

Comment 3 Emilien Macchi 2017-01-30 18:44:26 UTC
Indeed, it's a bug. Apologies.

Comment 4 Jason Guiditta 2017-03-06 13:38:49 UTC
As there was no puppet-nova for mitaka, moving to opm

Comment 5 Jason Guiditta 2017-03-13 15:04:03 UTC
Needs puppet-tripleo backport, puppet-nova done

Comment 6 Jason Guiditta 2017-03-13 16:42:59 UTC
No profiles in puppet-tripleo in < Newton, those changes will be made in the related tht BZ #1431673

Comment 11 errata-xmlrpc 2017-06-19 14:49:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1501

Comment 13 Lon Hohberger 2018-08-07 14:55:17 UTC
The bug for which this was filed, openstack-puppet-modules-8.1.13-1.el7ost, was shipped.  Please clone it if an additional fix is needed for openstack-tripleo-heat-templates.
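
An added example, not part of the original report or of any Red Hat or OpenStack code: a small audit that reads a compute node's nova.conf and reports whether vncserver_listen is a wildcard address, as the hard-coded manifest value produces, or is pinned to the same address as vncserver_proxyclient_address. It assumes the option sits in the [vnc] section (with [DEFAULT] as fallback); the sample configuration and its addresses are constructed.

```python
import configparser
import ipaddress

# Constructed sample nova.conf for a compute node (not taken from the report).
SAMPLE_NOVA_CONF = """\
[DEFAULT]
debug = False

[vnc]
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = 172.16.2.10
"""


def audit_vnc_listen(nova_conf_text):
    """Classify the VNC listen address in a nova.conf body.

    Returns (listen_value, finding) where finding is one of: unset,
    unparseable, wildcard, loopback, matches-proxyclient, specific.
    """
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(nova_conf_text)
    # Assumption: the option lives in [vnc]; configparser also falls back to
    # [DEFAULT], which covers configs that still use the older location.
    opts = cfg["vnc"] if cfg.has_section("vnc") else cfg.defaults()
    listen = opts.get("vncserver_listen")
    proxy = opts.get("vncserver_proxyclient_address")
    if listen is None:
        return None, "unset"
    try:
        addr = ipaddress.ip_address(listen.strip())
    except ValueError:
        return listen, "unparseable"
    if addr.is_unspecified:  # 0.0.0.0, :: and ::0 all mean every interface
        return listen, "wildcard"
    if addr.is_loopback:
        return listen, "loopback"
    try:
        if proxy and addr == ipaddress.ip_address(proxy.strip()):
            return listen, "matches-proxyclient"
    except ValueError:
        pass  # proxy address is not a literal IP; fall through
    return listen, "specific"


if __name__ == "__main__":
    print(audit_vnc_listen(SAMPLE_NOVA_CONF))
```

A "wildcard" finding on a compute node with a routable interface is the condition described in this bug; "matches-proxyclient" is the state the reporter asked to be able to configure.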