Bug 895582 - VNC should listen on 127.0.0.1 and ::1 by default (assuming IPv6 is enabled on the host)
Status: CLOSED DUPLICATE of bug 1038965
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Ján Tomko
QA Contact: Virtualization Bugs
 
Reported: 2013-01-15 15:11 UTC by Marco d'Itri
Modified: 2014-04-15 08:54 UTC (History)

Doc Type: Bug Fix
Last Closed: 2014-04-15 08:54:26 UTC



Description Marco d'Itri 2013-01-15 15:11:48 UTC
By default, if no listen attribute is present in the <graphics type='vnc'> tag, libvirt will configure kvm to bind the VNC port to 0.0.0.0.
Libvirt should be changed to use :: by default.

Comment 1 Daniel Berrangé 2013-01-15 15:17:35 UTC
This is not correct, by default it will bind to 127.0.0.1. Binding to either 0.0.0.0 or :: is a security risk unless the admin has configured some form of authentication.

Comment 3 Marco d'Itri 2013-01-15 15:30:18 UTC
Not a bug, indeed. I forgot that the default is controlled by the vnc_listen directive in /etc/libvirt/qemu.conf, and I had changed it.

Comment 4 Daniel Berrangé 2013-01-15 15:35:32 UTC
That said, we should probably listen on 127.0.0.1 *and* ::1 (ipv6 localhost addr) by default, rather than only 127.0.0.1, so will keep this bug open.

Comment 5 Wilco Baan Hofman 2013-01-23 15:00:21 UTC
Shouldn't ::1 be enough? I'd rather we bind to whatever is defined as localhost in /etc/hosts. If 127.0.0.1 and ::1 are defined, bind to both, but if only ::1 is defined, only bind to ::1.

I personally do not run 127.0.0.1 on my localhost interface, only ::1 as I do not run Legacy-IP on my internal networks.

Comment 6 Wilco Baan Hofman 2013-02-06 17:05:39 UTC
Even better to just bind to whatever getaddrinfo() returns for localhost.

Comment 8 Ján Tomko 2013-06-04 13:24:30 UTC
We can't listen on both ::1 and 127.0.0.1 since we can only pass one listen address to QEMU.

But we could listen on ::1 on an IPv6-only system.

Comment 9 Marco d'Itri 2013-06-04 13:30:18 UTC
Listening on :: works fine, just do not forget that you cannot rely on the value of the net.ipv6.bindv6only sysctl, so you should explicitly unset the value:

int off = 0;
if (setsockopt(sep->se_fd, IPPROTO_IPV6, IPV6_V6ONLY, &off, sizeof (off)) < 0)
   syslog(LOG_ERR, "setsockopt (IPV6_V6ONLY): %m");

Comment 10 Ján Tomko 2013-06-04 13:39:42 UTC
That's exactly what QEMU does when told to listen on ::.

We just can't do it by default because it might be a security risk.

Comment 11 Daniel Berrangé 2013-06-04 13:56:30 UTC
(In reply to Wilco Baan Hofman from comment #6)
> Even better to just bind to whatever getaddrinfo() returns for localhost.

Yes, rather than passing 127.0.0.1 or ::1 to QEMU on the command line, we should just pass 'localhost' instead & assume QEMU does the right thing with IPv6 here (which I believe it does).

Comment 12 Ján Tomko 2013-06-05 13:32:08 UTC
It will listen on either ::1 or 127.0.0.1 (depending on which 'localhost' will resolve to first).

Making it the default will fix IPv6-only systems but it could break systems with both v4 and v6 if it binds to ::1 and the user expects it to listen on 127.0.0.1.

Comment 13 Daniel Berrangé 2013-06-05 13:42:19 UTC
(In reply to Jan Tomko from comment #12)
> It will listen on either ::1 or 127.0.0.1 (depending on which 'localhost'
> will resolve to first).
> 
> Making it the default will fix IPv6-only systems but it could break systems
> with both v4 and v6 if it binds to ::1 and the user expects it to listen on
> 127.0.0.1.

That's as designed. If the user wants things to only listen on 127.0.0.1 on a dual v4,v6 host, then they will have updated /etc/hosts to change what 'localhost' points to. In addition they still have the option of overriding this in libvirt itself.

Comment 17 Jiri Denemark 2014-04-04 21:37:40 UTC
This bug was not selected to be addressed in Red Hat Enterprise Linux 6. We will look at it again within the Red Hat Enterprise Linux 7 product.

Comment 18 Ján Tomko 2014-04-15 08:54:26 UTC
We already have a bug against Red Hat Enterprise Linux 7 for this.

*** This bug has been marked as a duplicate of bug 1038965 ***
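
Added example (not part of the bug report and not libvirt code): a Python check for the exposure discussed in comments 1 and 3. It resolves the effective VNC listen address of a guest from its <graphics type='vnc'> element, falling back to vnc_listen in qemu.conf, and flags wildcard binds (0.0.0.0 or ::) that carry no password. The sample config and guest XML are constructed, and treating only the per-guest passwd attribute as authentication is a simplifying assumption.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from the bug report).
QEMU_CONF = '#vnc_listen = "127.0.0.1"\nvnc_listen = "0.0.0.0"\n'
GUESTS = {
    "no-listen-attr": "<domain><devices><graphics type='vnc' port='-1'/></devices></domain>",
    "v6-loopback": "<domain><devices><graphics type='vnc' listen='::1'/></devices></domain>",
    "v6-wildcard": "<domain><devices><graphics type='vnc' passwd='constructed'>"
                   "<listen type='address' address='::'/></graphics></devices></domain>",
}

def conf_vnc_listen(conf_text):
    """vnc_listen from qemu.conf text; 127.0.0.1 when unset (the default per comment 1)."""
    m = re.search(r'^\s*vnc_listen\s*=\s*"([^"]*)"', conf_text, re.M)
    return m.group(1) if m else "127.0.0.1"

def classify(addr):
    """Return 'loopback', 'wildcard' (0.0.0.0 or ::), 'specific' or 'hostname'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "hostname"  # e.g. 'localhost': the resolver decides (comment 12)
    if ip.is_unspecified:
        return "wildcard"
    return "loopback" if ip.is_loopback else "specific"

def audit(domain_xml, conf_text):
    """Return (address, class, flagged) for each VNC <graphics> element."""
    results = []
    for g in ET.fromstring(domain_xml).iter("graphics"):
        if g.get("type") != "vnc":
            continue
        child = g.find("listen[@type='address']")
        addr = g.get("listen") or (child.get("address") if child is not None else None)
        addr = addr or conf_vnc_listen(conf_text)  # no listen given: qemu.conf decides
        kind = classify(addr)
        # Simplification: only the per-guest passwd attribute counts as authentication.
        flagged = kind == "wildcard" and g.get("passwd") is None
        results.append((addr, kind, flagged))
    return results

if __name__ == "__main__":
    for name, xml in GUESTS.items():
        print(name, audit(xml, QEMU_CONF))
```

The first guest is the case from comment 3: it has no listen attribute, so the edited vnc_listen value silently makes it a wildcard listener.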

