Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be unavailable on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1416994 - [BUG] nova vnc server listens on all active interfaces due to hardcoded vncserver_listen value
Summary: [BUG] nova vnc server listens on all active interfaces due to hardcoded vncse...
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-puppet-modules
Version: 9.0 (Mitaka)
Hardware: Unspecified
OS: Unspecified
Target Milestone: async
: 9.0 (Mitaka)
Assignee: Emilien Macchi
QA Contact: Arik Chernetsky
Depends On:
Blocks: 1431673 1613451 1613453
TreeView+ depends on / blocked
Reported: 2017-01-26 23:57 UTC by David Hill
Modified: 2021-03-11 14:57 UTC (History)
15 users (show)

Fixed In Version: openstack-puppet-modules-8.1.13-1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1431673 1613451 1613453 (view as bug list)
Last Closed: 2018-08-07 14:51:27 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Gerrithub.io 351597 0 None None None 2017-03-13 16:42:59 UTC
Launchpad 1660099 0 None None None 2017-01-30 18:44:51 UTC
OpenStack gerrit 426899 0 None MERGED libvirt: allow any binding for vncserver_listen 2020-06-29 19:10:55 UTC
Red Hat Product Errata RHBA-2017:1501 0 normal SHIPPED_LIVE openstack-packstack and openstack-puppet-modules bug fix advisory 2017-06-19 18:46:27 UTC

Description David Hill 2017-01-26 23:57:41 UTC
Description of problem:
tripleo templates have hard-coded vncserver_listen value

this behavior causes vnc to listen on all ports on compute servers, including the routable ip, allowing connections from anybody.  We would like to set this like: vncserver_proxyclient_address to the internapi network


if str2bool(hiera('nova::use_ipv6', false)) {
  $vncserver_listen = '::0'
} else {
  $vncserver_listen = ''
class { '::nova::compute::libvirt' :
  vncserver_listen => $vncserver_listen,

It's not possible to override this value with yaml parameters

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install openstack-tripleo-heat-templates
2. Look at the code

Actual results:
Cannot override

Expected results:
Would like to override

Additional info:

Comment 1 Emilien Macchi 2017-01-27 21:17:53 UTC
David, this is not a bug but a feature.
If you want Live Migration to work, the vncserver_listen must be Otherwise, your VM console won't be available anymore when you migrate your VM to another compute.

You can find some documentation here that confirms what I just wrote:

I'm closing the bug.

Comment 2 David Hill 2017-01-29 17:59:11 UTC
Emilien,  We've tested this with the customer and manually changing the VNC listening adress to the IP of the compute node does't seem to affect anything.  Are we sure this is not outdated?

Comment 3 Emilien Macchi 2017-01-30 18:44:26 UTC
Indeed, it's a bug. Apologize.

Comment 4 Jason Guiditta 2017-03-06 13:38:49 UTC
As there was no puppet-nova for mitaka, moving to opm

Comment 5 Jason Guiditta 2017-03-13 15:04:03 UTC
Needs puppet-tripleo backport, puppet-nova done

Comment 6 Jason Guiditta 2017-03-13 16:42:59 UTC
No profiles in puppet-tripleo in < netwon, those changes will be made in the related tht BZ #1431673

Comment 11 errata-xmlrpc 2017-06-19 14:49:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Comment 13 Lon Hohberger 2018-08-07 14:55:17 UTC
The bug for which this was filed, openstack-puppet-modules-8.1.13-1.el7ost, was shipped.  Please clone it if an additional fix is needed for openstack-tripleo-heat-templates.

Note You need to log in before you can comment on or make changes to this bug.