Bug 1431673 - [BUG] nova vnc server listens on all active interfaces due to hardcoded vncserver_listen value
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 9.0 (Mitaka)
Hardware: x86_64 Linux
Priority: high
Severity: high
Target Milestone: async
Target Release: 9.0 (Mitaka)
Assigned To: Emilien Macchi
QA Contact: awaugama
Keywords: Reopened, Triaged, ZStream
Depends On: 1613451 1416994 1613453
Reported: 2017-03-13 11:05 EDT by Jason Guiditta
Modified: 2018-08-07 11:10 EDT
Fixed In Version: openstack-tripleo-heat-templates-2.0.0-56.el7ost
Doc Type: Enhancement
Clone Of: 1416994
Last Closed: 2017-06-19 10:47:28 EDT
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1660099 None None None 2017-03-13 11:05 EDT
OpenStack gerrit 442093 None None None 2017-03-13 11:05 EDT
Red Hat Product Errata RHSA-2017:1504 normal SHIPPED_LIVE Important: Red Hat OpenStack Platform director security update 2017-06-19 14:45:36 EDT

Description Jason Guiditta 2017-03-13 11:05:57 EDT
+++ This bug was initially created as a clone of Bug #1416994 +++

Description of problem:
TripleO templates have a hard-coded vncserver_listen value.

This behavior causes VNC to listen on all ports on compute servers, including the routable IP, allowing connections from anybody. We would like to set this like: vncserver_proxyclient_address to the internapi network

/usr/share/openstack-tripleo-heat-templates/puppet/manifests/overcloud_compute.pp

if str2bool(hiera('nova::use_ipv6', false)) {
  $vncserver_listen = '::0'
} else {
  $vncserver_listen = '0.0.0.0'
}
class { '::nova::compute::libvirt' :
  vncserver_listen => $vncserver_listen,
}

It's not possible to override this value with yaml parameters


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install openstack-tripleo-heat-templates
2. Look at the code
3.

Actual results:
Cannot override

Expected results:
Would like to override

Additional info:

--- Additional comment from Emilien Macchi on 2017-01-27 16:17:53 EST ---

David, this is not a bug but a feature.
If you want Live Migration to work, the vncserver_listen must be 0.0.0.0. Otherwise, your VM console won't be available anymore when you migrate your VM to another compute.

You can find some documentation here that confirms what I just wrote:
http://docs.openstack.org/admin-guide/compute-remote-console-access.html

I'm closing the bug.

--- Additional comment from David Hill on 2017-01-29 12:59:11 EST ---

Emilien, we've tested this with the customer and manually changing the VNC listening address to the IP of the compute node doesn't seem to affect anything. Are we sure this is not outdated?

--- Additional comment from Emilien Macchi on 2017-01-30 13:44:26 EST ---

Indeed, it's a bug. Apologies.

--- Additional comment from Jason Guiditta on 2017-03-06 08:38:49 EST ---

As there was no puppet-nova for mitaka, moving to opm

--- Additional comment from Jason Guiditta on 2017-03-13 11:04:03 EDT ---

Needs puppet-tripleo backport, puppet-nova done
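
A host-side check for the condition reported above, added here as an illustration and not part of the bug report or the TripleO templates: it parses nova.conf text and classifies the vncserver_listen value as wildcard, outside the internal network, or pinned. The sample file contents, the 172.16.2.0/24 internal API network, the function name, and reading the option from [vnc] with [DEFAULT] as a legacy location are assumptions.

```python
import configparser
import ipaddress

# Constructed sample nova.conf fragment for a compute node (not from the report).
SAMPLE_WILDCARD = """
[DEFAULT]
my_ip = 172.16.2.10

[vnc]
enabled = True
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = 172.16.2.10
"""
# Same file with the listener pinned to the node's internal API address.
SAMPLE_PINNED = SAMPLE_WILDCARD.replace(
    "vncserver_listen = 0.0.0.0", "vncserver_listen = 172.16.2.10")


def classify_vnc_listen(conf_text, internal_net):
    """Classify vncserver_listen as wildcard / outside-network / ok / unset."""
    # strict=False tolerates repeated keys; interpolation=None keeps '%' literal.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    value = None
    if cp.has_section("vnc"):
        # configparser also falls back to [DEFAULT] for this lookup.
        value = cp.get("vnc", "vncserver_listen", fallback=None)
    if value is None:
        # Assumption: older files may still set the option in [DEFAULT].
        value = cp.defaults().get("vncserver_listen")
    if value is None:
        return "unset"
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return "unparsed"  # hostname or malformed value; review by hand
    if addr.is_unspecified:  # 0.0.0.0 or ::0, the hard-coded template values
        return "wildcard"
    if addr not in ipaddress.ip_network(internal_net):
        return "outside-network"
    return "ok"


if __name__ == "__main__":
    for name, text in (("wildcard", SAMPLE_WILDCARD), ("pinned", SAMPLE_PINNED)):
        print(name, "->", classify_vnc_listen(text, "172.16.2.0/24"))
```
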
Comment 1 Red Hat Bugzilla Rules Engine 2017-03-13 11:06:12 EDT
This bugzilla has been removed from the release and needs to be reviewed and Triaged for another Target Release.
Comment 8 errata-xmlrpc 2017-06-19 10:47:28 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:1504
Comment 13 Emilien Macchi 2017-07-05 12:18:21 EDT
@Alex, thanks for the confirmation, let's see if Nilesh still has the problem with the z3 update.
