1077017 – VMware: fix the VNC port allocation

Bug 1077017 - VMware: fix the VNC port allocation

Summary: VMware: fix the VNC port allocation

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-nova
Sub Component:
Version:	4.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	z4
Target Release:	4.0
Assignee:	Matthew Booth
QA Contact:	Jaroslav Henner
Docs Contact:
URL:
Whiteboard:
Depends On:	1069430
Blocks:	1055536
TreeView+	depends on / blocked

Reported:	2014-03-17 02:57 UTC by Stephen Gordon
Modified:	2022-07-09 06:17 UTC (History)
CC List:	10 users (show)
Fixed In Version:	openstack-nova-2013.2.3-1.el6ost
Doc Type:	Bug Fix
Doc Text:	Cause: The nova VMware driver was assigning VNC ports in a manner which could cause collisions between guests. Effect: There was a small chance that 2 instances could be created with the same VNC port. If both instances ran on the same ESX host, only one of their consoles would be available. However, that console would be presented when requested for both instances. This has security implications. Fix: The nova VMware driver now allocated VNC ports which are unique to a vcenter, eliminating the possibility of collisions. Result: There is no longer a possibility of a user of 1 instance being presented with the console of another.
Clone Of:	1069430
Environment:
Last Closed:	2014-05-29 20:35:27 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
OpenStack gerrit	58994	0	None	None	None	Never
Red Hat Product Errata	RHSA-2014:0578	0	normal	SHIPPED_LIVE	Moderate: openstack-nova security, bug fix, and enhancement update	2014-05-30 00:27:05 UTC

Comment 2 Jaroslav Henner 2014-04-17 14:38:55 UTC

The fix seems to be working, but there still are problems:

If there is some vm, that has the port allocated (in the .vmx), then it seems we are getting ports unique, but if there is something listening on the ports, nova will try to use it:

Bind the port on ESXi
ESXi# for i in $(seq 9100 9105); do nc -d -l "$i" & done

Boot the vm:
ssh root.3.4 '. keystonerc_admin &&  nova boot --image cirros-0.3.1-x86_64-disk.vmdk --flavor m1.small foo

Check the allocations:
~ # grep vnc /vmfs/volumes/datastore1/*/*.vmx
/vmfs/volumes/datastore1/5333299c-bb91-4fd7-b33a-448f401fdad8/5333299c-bb91-4fd7-b33a-448f401fdad8.vmx:RemoteDisplay.vnc.enabled = "true"
/vmfs/volumes/datastore1/5333299c-bb91-4fd7-b33a-448f401fdad8/5333299c-bb91-4fd7-b33a-448f401fdad8.vmx:RemoteDisplay.vnc.port = "9101"
/vmfs/volumes/datastore1/afwe/afwe.vmx:RemoteDisplay.vnc.enabled = "true"
/vmfs/volumes/datastore1/afwe/afwe.vmx:RemoteDisplay.vnc.port = "9100"

Note the afwe is some shutdown machine that I have created there manually. The 5333299c-... is the nova booted VM.

This means:
 * There is danger of collisions with the running daemons -- for example there is:
tcp          127.0.0.1:5988 0.0.0.0:0  LISTEN  34780  newreno sfcb-HTTP-Daemo                                               
 * There is a danger of collisions with clients running on ESXi, that are making connections from random ports.

Also, be examining the patch, it seems like the port range is per vcenter, not per ESXi, this means that we are going to be able to run just a handful of machines, or the collision danger increases.

I suggest to let the vCenter pick the random, available port, not nova, if it is possible. For this reason, I am going to either set this back to ASSIGNED, or clone and VERIFY.

Comment 3 Jaroslav Henner 2014-04-17 14:43:41 UTC

I forgot to say that the VNC was, of course, not working, when nova picked the port which was used by something else. I have not seen any error in the compute log though.

Steve, what do you think we should do? Should I update the BZ 1069430 about that ESXi should be picking the port?

Comment 4 Matthew Booth 2014-04-23 12:01:40 UTC

(In reply to Jaroslav Henner from comment #2)
> The fix seems to be working, but there still are problems:
> 
> If there is some vm, that has the port allocated (in the .vmx), then it
> seems we are getting ports unique, but if there is something listening on
> the ports, nova will try to use it:
> 
> Bind the port on ESXi
> ESXi# for i in $(seq 9100 9105); do nc -d -l "$i" & done
> 
> Boot the vm:
> ssh root.3.4 '. keystonerc_admin &&  nova boot --image
> cirros-0.3.1-x86_64-disk.vmdk --flavor m1.small foo
> 
> Check the allocations:
> ~ # grep vnc /vmfs/volumes/datastore1/*/*.vmx
> /vmfs/volumes/datastore1/5333299c-bb91-4fd7-b33a-448f401fdad8/5333299c-bb91-
> 4fd7-b33a-448f401fdad8.vmx:RemoteDisplay.vnc.enabled = "true"
> /vmfs/volumes/datastore1/5333299c-bb91-4fd7-b33a-448f401fdad8/5333299c-bb91-
> 4fd7-b33a-448f401fdad8.vmx:RemoteDisplay.vnc.port = "9101"
> /vmfs/volumes/datastore1/afwe/afwe.vmx:RemoteDisplay.vnc.enabled = "true"
> /vmfs/volumes/datastore1/afwe/afwe.vmx:RemoteDisplay.vnc.port = "9100"
> 
> Note the afwe is some shutdown machine that I have created there manually.
> The 5333299c-... is the nova booted VM.
> 
> This means:
>  * There is danger of collisions with the running daemons -- for example
> there is:
> tcp          127.0.0.1:5988 0.0.0.0:0  LISTEN  34780  newreno
> sfcb-HTTP-Daemo                                               
>  * There is a danger of collisions with clients running on ESXi, that are
> making connections from random ports.
> 
> Also, be examining the patch, it seems like the port range is per vcenter,
> not per ESXi, this means that we are going to be able to run just a handful
> of machines, or the collision danger increases.
> 
> I suggest to let the vCenter pick the random, available port, not nova, if
> it is possible. For this reason, I am going to either set this back to
> ASSIGNED, or clone and VERIFY.

ESX doesn't support the automatic allocation of VNC port numbers:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1246

Comment 5 Matthew Booth 2014-04-23 13:10:56 UTC

(In reply to Jaroslav Henner from comment #2)
> The fix seems to be working, but there still are problems:
> 
> If there is some vm, that has the port allocated (in the .vmx), then it
> seems we are getting ports unique, but if there is something listening on
> the ports, nova will try to use it:
> 
> Bind the port on ESXi
> ESXi# for i in $(seq 9100 9105); do nc -d -l "$i" & done

I don't think this is worth worrying about, because:

1. Port usage on ESX is down to the administrator
2. There are config variables to define the range that Nova uses
3. The default Nova port range won't conflict with default ESX services

i.e. It will work out of the box, and if the admin wants to do something out of the ordinary they have tunables to enable this.

Comment 6 Jaroslav Henner 2014-04-23 14:44:26 UTC

(In reply to Matthew Booth from comment #5)
> (In reply to Jaroslav Henner from comment #2)
> > The fix seems to be working, but there still are problems:
> > 
> > If there is some vm, that has the port allocated (in the .vmx), then it
> > seems we are getting ports unique, but if there is something listening on
> > the ports, nova will try to use it:
> > 
> > Bind the port on ESXi
> > ESXi# for i in $(seq 9100 9105); do nc -d -l "$i" & done
> 
> I don't think this is worth worrying about, because:
> 
> 1. Port usage on ESX is down to the administrator
> 2. There are config variables to define the range that Nova uses
> 3. The default Nova port range won't conflict with default ESX services

I don't think the point 3) is true because I see those defaults in the nova.conf:

  # Options defined in nova.virt.vmwareapi.driver
  ...

  # VNC starting port (integer value)
  #vnc_port=5900

  # Total number of VNC ports (integer value)
  #vnc_port_total=10000

That means we need ports 5900-15900 for the VMS.

and as I wrote above, I have discovered this on the ESXi. I believe my ESXi is in pretty much default configuration.

> tcp          127.0.0.1:5988 0.0.0.0:0  LISTEN  34780  newreno

and this means that the 88th VM will not hace working VNC.

> 
> i.e. It will work out of the box, and if the admin wants to do something out
> of the ordinary they have tunables to enable this.

Comment 7 Jaroslav Henner 2014-04-23 15:02:45 UTC

Sorry, I have found that VNC is binding zeros while the hostd-worker service is binding 127.0.0.1:5988. That means that 0.0.0.0:5988 is available, checked:

~ # nc -l 0.0.0.0 5988 &
~ # nc -l 0.0.0.0 5988 &
~ # nc: Address already in use
~ # kill-9  %

Comment 8 Bruce Reeler 2014-05-18 01:53:14 UTC

Needinfo: Matthew  Booth
re your comment in the Doc Text field:
"mbooth:
I don't understand what the above text means."

If you look above the Doc Text field in this bug you will see the Doc Type field.
It is a dropdown field where you need to choose the correct item, e.g. is this a bug fix, or an enhancement, or a rebase for bug fix etc. This determines how this bug's Doc Text is treated in the errata.

Depending on the choice you make in the Doc Type field, the prompt text you see in the Doc Text field changes. For example if you choose Bug Fix, then the Doc text field asks you to fill in Cause, Consequence, Fix, Result. If you choose Rebase ..., you also need to fill in what version you rebased to, and so on.

Please choose the correct type in Doc Type, and then fill in the Doc Text accordingly. NOTE: copy your existing text from the Doc Text field first, lest you lose it when you select a different Doc Type.

Hope this makes it clearer.
Thanks

Comment 10 errata-xmlrpc 2014-05-29 20:35:27 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2014-0578.html

Note You need to log in before you can comment on or make changes to this bug.