Bug 1431673 - [BUG] nova vnc server listens on all active interfaces due to hardcoded vncserver_listen value
Summary: [BUG] nova vnc server listens on all active interfaces due to hardcoded vncse...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 9.0 (Mitaka)
Hardware: x86_64
OS: Linux
high
high
Target Milestone: async
: 9.0 (Mitaka)
Assignee: Emilien Macchi
QA Contact: awaugama
URL:
Whiteboard:
Depends On: 1416994 1613451 1613453
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-03-13 15:05 UTC by Jason Guiditta
Modified: 2021-03-11 15:02 UTC (History)
18 users (show)

Fixed In Version: openstack-tripleo-heat-templates-2.0.0-56.el7ost
Doc Type: Enhancement
Doc Text:
Clone Of: 1416994
Environment:
Last Closed: 2017-06-19 14:47:28 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1660099 0 None None None 2017-03-13 15:05:56 UTC
OpenStack gerrit 442093 0 None MERGED Configure VNC Server listen address through t-h-t 2020-06-29 19:11:54 UTC
Red Hat Product Errata RHSA-2017:1504 0 normal SHIPPED_LIVE Important: Red Hat OpenStack Platform director security update 2017-06-19 18:45:36 UTC

Description Jason Guiditta 2017-03-13 15:05:57 UTC
+++ This bug was initially created as a clone of Bug #1416994 +++

Description of problem:
tripleo templates have hard-coded vncserver_listen value

this behavior causes vnc to listen on all ports on compute servers, including the routable ip, allowing connections from anybody.  We would like to set this like: vncserver_proxyclient_address to the internapi network

/usr/share/openstack-tripleo-heat-templates/puppet/manifests/overcloud_compute.pp

if str2bool(hiera('nova::use_ipv6', false)) {
  $vncserver_listen = '::0'
} else {
  $vncserver_listen = '0.0.0.0'
}
class { '::nova::compute::libvirt' :
  vncserver_listen => $vncserver_listen,
}

It's not possible to override this value with yaml parameters


Version-Release number of selected component (if applicable):


How reproducible:
Alaways

Steps to Reproduce:
1. Install openstack-tripleo-heat-templates
2. Look at the code
3.

Actual results:
Cannot override

Expected results:
Would like to override

Additional info:

--- Additional comment from Emilien Macchi on 2017-01-27 16:17:53 EST ---

David, this is not a bug but a feature.
If you want Live Migration to work, the vncserver_listen must be 0.0.0.0. Otherwise, your VM console won't be available anymore when you migrate your VM to another compute.

You can find some documentation here that confirms what I just wrote:
http://docs.openstack.org/admin-guide/compute-remote-console-access.html

I'm closing the bug.

--- Additional comment from David Hill on 2017-01-29 12:59:11 EST ---

Emilien,  We've tested this with the customer and manually changing the VNC listening adress to the IP of the compute node does't seem to affect anything.  Are we sure this is not outdated?

--- Additional comment from Emilien Macchi on 2017-01-30 13:44:26 EST ---

Indeed, it's a bug. Apologize.

--- Additional comment from Jason Guiditta on 2017-03-06 08:38:49 EST ---

As there was no puppet-nova for mitaka, moving to opm

--- Additional comment from Jason Guiditta on 2017-03-13 11:04:03 EDT ---

Needs puppet-tripleo backport, puppet-nova done

Comment 1 Red Hat Bugzilla Rules Engine 2017-03-13 15:06:12 UTC
This bugzilla has been removed from the release and needs to be reviewed and Triaged for another Target Release.

Comment 8 errata-xmlrpc 2017-06-19 14:47:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:1504

Comment 13 Emilien Macchi 2017-07-05 16:18:21 UTC
@Alex, thanks for the confirmation, let's see if Nilesh still have the problem with the z3 update.


Note You need to log in before you can comment on or make changes to this bug.