Bug 1416994 - [BUG] nova vnc server listens on all active interfaces due to hardcoded vncserver_listen value
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-puppet-modules
Version: 9.0 (Mitaka)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: async
Target Release: 9.0 (Mitaka)
Assignee: Emilien Macchi
QA Contact: Arik Chernetsky
URL:
Whiteboard:
Depends On:
Blocks: 1431673 1613451 1613453
Reported: 2017-01-26 23:57 UTC by David Hill
Modified: 2021-03-11 14:57 UTC (History)

Fixed In Version: openstack-puppet-modules-8.1.13-1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1431673 1613451 1613453
Environment:
Last Closed: 2018-08-07 14:51:27 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Gerrithub.io 351597 0 None None None 2017-03-13 16:42:59 UTC
Launchpad 1660099 0 None None None 2017-01-30 18:44:51 UTC
OpenStack gerrit 426899 0 None MERGED libvirt: allow any binding for vncserver_listen 2020-06-29 19:10:55 UTC
Red Hat Product Errata RHBA-2017:1501 0 normal SHIPPED_LIVE openstack-packstack and openstack-puppet-modules bug fix advisory 2017-06-19 18:46:27 UTC

Description David Hill 2017-01-26 23:57:41 UTC
Description of problem:
TripleO templates have a hard-coded vncserver_listen value.

This behavior causes vnc to listen on all ports on compute servers, including the routable ip, allowing connections from anybody. We would like to set this like: vncserver_proxyclient_address to the internal API network.

/usr/share/openstack-tripleo-heat-templates/puppet/manifests/overcloud_compute.pp

if str2bool(hiera('nova::use_ipv6', false)) {
  $vncserver_listen = '::0'
} else {
  $vncserver_listen = '0.0.0.0'
}
class { '::nova::compute::libvirt' :
  vncserver_listen => $vncserver_listen,
}

It's not possible to override this value with yaml parameters.


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install openstack-tripleo-heat-templates
2. Look at the code
3.

Actual results:
Cannot override

Expected results:
Would like to override

Additional info:

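A defender's audit for the exposure the reporter describes, added here as an example that is not part of the bug report or of the puppet modules: it parses the [vnc] section of a nova.conf (constructed samples are embedded) and flags a wildcard bind or a bind outside the internal API network, whose CIDR is an assumed input.

```python
"""Audit nova.conf VNC bind settings for wildcard or out-of-network listeners."""
import configparser
import ipaddress

# Constructed nova.conf fragments; not copied from any real deployment.
INSECURE_CONF = """
[vnc]
enabled = True
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = 172.16.2.11
"""

HARDENED_CONF = """
[vnc]
enabled = True
vncserver_listen = 172.16.2.11
vncserver_proxyclient_address = 172.16.2.11
"""

# Bind addresses that expose the console on every interface (IPv4 and IPv6).
WILDCARDS = {"0.0.0.0", "::", "::0"}


def audit_vnc_listen(conf_text, internal_api_cidr):
    """Return a list of findings; an empty list means the bind is scoped as expected."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    # The options live in [vnc] since Liberty; older releases kept them in [DEFAULT].
    section = "vnc" if cp.has_section("vnc") else "DEFAULT"
    if not cp.getboolean(section, "enabled", fallback=True):
        return findings  # no VNC server configured, nothing to bind
    listen = cp.get(section, "vncserver_listen", fallback="127.0.0.1").strip()
    proxy = cp.get(section, "vncserver_proxyclient_address", fallback="127.0.0.1").strip()
    net = ipaddress.ip_network(internal_api_cidr)
    if listen in WILDCARDS:
        findings.append(f"vncserver_listen={listen} binds every interface, including routable ones")
        return findings
    try:
        addr = ipaddress.ip_address(listen)
    except ValueError:
        findings.append(f"vncserver_listen={listen!r} is not an IP literal; resolve it and re-check")
        return findings
    if addr not in net:
        findings.append(f"vncserver_listen={listen} is outside the internal API network {net}")
    # The proxy connects to vncserver_proxyclient_address, so a scoped bind must match it
    # (string comparison; a hostname there would need resolving first).
    if listen != proxy:
        findings.append("vncserver_listen differs from vncserver_proxyclient_address")
    return findings
```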
Comment 1 Emilien Macchi 2017-01-27 21:17:53 UTC
David, this is not a bug but a feature.
If you want Live Migration to work, the vncserver_listen must be 0.0.0.0. Otherwise, your VM console won't be available anymore when you migrate your VM to another compute.

You can find some documentation here that confirms what I just wrote:
http://docs.openstack.org/admin-guide/compute-remote-console-access.html

I'm closing the bug.

Comment 2 David Hill 2017-01-29 17:59:11 UTC
Emilien, we've tested this with the customer and manually changing the VNC listening address to the IP of the compute node doesn't seem to affect anything. Are we sure this is not outdated?

Comment 3 Emilien Macchi 2017-01-30 18:44:26 UTC
Indeed, it's a bug. Apologies.

Comment 4 Jason Guiditta 2017-03-06 13:38:49 UTC
As there was no puppet-nova for Mitaka, moving to opm.

Comment 5 Jason Guiditta 2017-03-13 15:04:03 UTC
Needs puppet-tripleo backport; puppet-nova done.

Comment 6 Jason Guiditta 2017-03-13 16:42:59 UTC
No profiles in puppet-tripleo in < Newton; those changes will be made in the related tht BZ #1431673.

Comment 11 errata-xmlrpc 2017-06-19 14:49:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1501

Comment 13 Lon Hohberger 2018-08-07 14:55:17 UTC
The bug for which this was filed, openstack-puppet-modules-8.1.13-1.el7ost, was shipped. Please clone it if an additional fix is needed for openstack-tripleo-heat-templates.
