Bug 861053
Summary: | virt-manager can't connect to VNC console if VNC port is blocked by firewall and SSH is used for main libvirtd connection | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Vladislav Bogdanov <bubble> |
Component: | virt-manager | Assignee: | Cole Robinson <crobinso> |
Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 17 | CC: | berrange, crobinso, hbrock, jforbes, virt-maint |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2012-10-24 19:05:19 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Vladislav Bogdanov
2012-09-27 12:21:47 UTC
This behavior is intentional. It's assumed that if listen=0.0.0.0 then VNC is externally accessible, otherwise why is it configured like that? The libvirt default is 127.0.0.1, so unless there's a libvirt bug here, listen=0.0.0.0 needs to be explicitly enabled. And if the user requests that then we should honor it, and it's up to them to configure things correctly. I hope that's a sufficient description. Closing as NOTABUG, Vladislav please reopen if you think I've missed something. (In reply to comment #1) > This behavior is intentional. It's assumed that if listen=0.0.0.0 then VNC > is externally accessible, otherwise why is it configured like that? Having daemon listening on address does not generally mean that it is accessible directly from everywhere. And, if user (having configured listen=0.0.0.0) connects via ssh tunnel to libvirtd itselt, there is very strong probability that neither libvirtd nor VNC ports are accessible directly from that user's location. So, fact that connection is tunnelled should have priority over fact that daemon is listening on some non-loopback addresses. In my case I need limited connectivity, several cluster nodes should have direct access to each other's ports, while the rest of network should use ssh tunnels for that. I do not see how to configure that with libvirt-only configuration. Even if there is way to do that, I would prefer to have firewall in the middle to prevent exploitation of yet-unknown bugs. > > The libvirt default is 127.0.0.1, so unless there's a libvirt bug here, > listen=0.0.0.0 needs to be explicitly enabled. And if the user requests that > then we should honor it, and it's up to them to configure things correctly. > > I hope that's a sufficient description. Closing as NOTABUG, Vladislav please > reopen if you think I've missed something. Intention you talk about leads to limitation for some use-cases. libvirtd itself is only the small building block, and solely its configuration cannot guarantee that everything is clean on the way to reach it. I get what you're saying. But virt-manager really tries to be a dumb tool. In this case we are reacting to how your VM is configured, which is listening on 0.0.0.0. If we default to using SSH always, other people will complain (I guarantee). If we add some fallback logic to use SSH if the VNC connection fails, it's more maintenance burden for us, for behavior that not all users will even want. As a user you have several options: - If one of the nodes that can access the libvirt host has SSH access, tunnel through that to connect libvirt host. - ssh -X to the libvirt host and run virt-manager from there - Configure your graphics devices to use 127.0.0.1 and use ssh tunnelling on all hosts that will access the machine. But I don't think we should add code to virt-manager to support a narrow use case where we are basically guessing at the admin's intention. Nor do I think it's worth adding explicit UI to handle this scenario. One way this could work, and I'd support in virt-manager, would be if qemu allowed specifying 2 graphics devices. You could have one VNC connection listen on 0.0.0.0 and the other listen on 127.0.0.1, then virt-manager would have a way to choose the graphical device. I'd support that, but I don't know if qemu will ever provide that ability. Maybe virt-viewer would take a patch to allow forcing a connection method via a command line switch, then you could connect as a one off like 'virt-viewer --connect <libvirturi> <domainname> --force-ssh' Closing as WONTFIX. |