Hi,

On 01/04/2013 09:09 PM, Wido den Hollander wrote:
Hi,

I just noticed that CLOUDSTACK-411 got resolved which is related to
CLOUDSTACK-410

* https://issues.apache.org/jira/browse/CLOUDSTACK-410
* https://issues.apache.org/jira/browse/CLOUDSTACK-411

Today I made this commit: 7240204a507cce8143c248e6aa635da6dad60ed0

About 7 months ago I already fixed that the listen address for VNC would
be set to the private IP of the hypervisor so that you don't have to
specify vnc_listen in qemu.conf.

With VNC listening on 0.0.0.0 you have a potential security issue since
you need a firewall to prevent the whole world connecting to your VNC.

     <graphics type='vnc' port='5907' autoport='yes' listen='10.4.0.67'>
       <listen type='address' address='10.4.0.67'/>
     </graphics>

That's what the XML definition looks like.

With commit 7240204a507cce8143c248e6aa635da6dad60ed0 this works again,
but 30 minutes later I figured out that migrations break due to this, dôh!

On the other hypervisor that private IP isn't available for binding, so
Qemu won't start...

Instead of reverting the commit I'm now working on changing the XML
during migration. libvirt supports this, but libvirt-java doesn't.

I have a bunch of patches still ready for libvirt-java. Together with
those patches I'll submit this to the libvirt guys next week.


I've pushed the code to my Github mirror for libvirt-java, but this is the most important commit: https://github.com/wido/libvirt-java/commit/b8d939174dfdf1f453d2e549756446bdd1880490

The method in libvirt-java will be:

migrate(Connect dconn, long flags, String dxml, String dname, String
uri, long bandwidth)

dxml: (optional) XML config for launching guest on target

In LibvirtComputingResource I'll generate a new XML with the private IP
of the new hypervisor and pass that on to the migrate method.


I've just pushed the "kvm-vnc-listen" branch with one commit: https://git-wip-us.apache.org/repos/asf?p=incubator-cloudstack.git;a=commit;h=75b658d4793ac9956b23c07db1aeb4fd63821e73

The reason this single commit is in a separate branch is that the KVM plugin won't compile without the new libvirt-java code.

I'm going to submit the patches to libvirt now and as soon as they release libvirt-java 0.50.0 this can be merged into master.

Wido

For the 4.1 release libvirt-java 0.5.0 should be out and this should
then work.

No more need for setting vnc_listen in qemu.conf and no potential
security leak of having VNC listening world-wide (assuming your
hypervisor has a public IP).

Just wanted to let you know what I'm working on.

Wido
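
An added example, not code from the CloudStack or libvirt-java commits referenced above: one way to generate the destination XML that the message says will be passed as dxml, rewriting the VNC listen address to the target hypervisor's private IP and refusing a wildcard bind. The class name VncListenRewriter, the method rewrite and the destination IP 10.4.0.68 are assumptions made for illustration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class VncListenRewriter {   // hypothetical helper, not a CloudStack class
    /** Returns domain XML whose VNC listen address is the destination's private IP. */
    static String rewrite(String domainXml, String destPrivateIp) throws Exception {
        // Refuse wildcard binds: they expose the console on every interface.
        if (destPrivateIp.equals("0.0.0.0") || destPrivateIp.equals("::")) {
            throw new IllegalArgumentException("wildcard VNC listen address");
        }
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Domain XML needs no DTD; disallowing it blocks XXE in the parser.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
                          .parse(new InputSource(new StringReader(domainXml)));
        NodeList graphics = doc.getElementsByTagName("graphics");
        for (int i = 0; i < graphics.getLength(); i++) {
            Element g = (Element) graphics.item(i);
            if (!"vnc".equals(g.getAttribute("type"))) continue;
            g.setAttribute("listen", destPrivateIp);          // legacy attribute
            NodeList listens = g.getElementsByTagName("listen");
            for (int j = 0; j < listens.getLength(); j++) {   // nested <listen> elements
                Element l = (Element) listens.item(j);
                if ("address".equals(l.getAttribute("type"))) l.setAttribute("address", destPrivateIp);
            }
        }
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample wrapping the <graphics> element quoted in the message.
        String xml = "<domain type='kvm'><devices>"
            + "<graphics type='vnc' port='5907' autoport='yes' listen='10.4.0.67'>"
            + "<listen type='address' address='10.4.0.67'/></graphics></devices></domain>";
        System.out.println(rewrite(xml, "10.4.0.68")); // 10.4.0.68: made-up destination IP
    }
}
```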
