<div dir="ltr"><div>No you aren't missing something, a firewall would be probably be enough if we didn't change nova :P I also feel that #2 is too drastic now, but #1 should be done I guess.</div><div><br></div><div>
I didn't mention something before about why we can't use a firewall for this: We did some dirty changes to enable spice and disabled auto_port for both vnc and spice, so people can access their virtual machines using spice with a password on a specific port. The company I work for was already using this since the E version and in our next version we will start to use the official spice implementation of openstack. Our current version has possible bugs also.</div>
<div><br></div><div>Disabling all ports isn't an option in our current state because we still want to enable spice. We currently have a prefixed range of ports reserved for spice 30000 to 40000 that should be accessible from the outside. Those parts may be used by VNC and/or spice currently (We have disabled autoport of vnc and spice and let them use the prefixed range).</div>
<div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Apr 3, 2013 at 6:11 PM, Mac Innes, Kiall <span dir="ltr"><<a href="mailto:kiall@hp.com" target="_blank">kiall@hp.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 03/04/13 11:03, Sam Stoelinga wrote:<br>
> To prevent this happening to somebody else we could do the following:<br>
> 1. In the documentation explicitly tell the user that when you enable<br>
> multi_host that you can't use vncserver_listen=0.0.0.0<br>
> 2. Do some sanity checks on nova.conf options, if we notice that<br>
> vncserver_listen: 0.0.0.0 and multi_host true, we don't allow starting<br>
> the nova-compute service and give a clear error message saying that it's<br>
> stupid to do something like that and what the user should do instead.<br>
<br>
</div>I'm probably missing something here, but would a simple firewall not work?<br>
<br>
#2 seems drastic to me, and #1 could be amended to mention the need for<br>
a firewall instead..<br>
<br>
Kiall Mac Innes<br>
HP Cloud Services - DNSaaS<br>
<br>
Mobile: <a href="tel:%2B353%2086%20345%209333" value="+353863459333">+353 86 345 9333</a><br>
Landline: <a href="tel:%2B353%201%20524%202177" value="+35315242177">+353 1 524 2177</a><br>
GPG: E9498407<br>
</blockquote></div><br></div>