Ensure that VNC only binds on the internal network

When the VNC server is set to bind to 0.0.0.0, unauthenticated console access is possible to any VM via any of the compute host's interfaces. This access should be restricted to an internal network. Change-Id: Ibbc12ae282320f966eec90e9116388233e65eb9a Closes-Bug: #1843004
2019-09-06 10:44:48 +02:00 · 2019-09-06 10:44:48 +02:00 · 82c5027814
commit 82c5027814
parent 4168ffd536
11 changed files with 21 additions and 21 deletions
--- a/templates/icehouse/nova.conf
+++ b/templates/icehouse/nova.conf
@ -47,7 +47,7 @@ metadata_workers = {{ workers }}
 vnc_enabled = True
 novnc_enabled = True
 vnc_keymap = {{ console_keymap }}
-vncserver_listen = 0.0.0.0
+vncserver_listen = {{ console_listen_addr }}
 vncserver_proxyclient_address = {{ console_listen_addr }}
 {% if console_access_protocol == 'novnc' or console_access_protocol == 'vnc' -%}
 novncproxy_base_url = {{ novnc_proxy_address }}
@ -147,7 +147,7 @@ agent_enabled = True
 enabled = True
 html5proxy_base_url = {{ spice_proxy_address }}
 keymap = {{ console_keymap }}
-server_listen = 0.0.0.0
+server_listen = {{ console_listen_addr }}
 server_proxyclient_address = {{ console_listen_addr }}
 {% endif -%}
--- a/templates/juno/nova.conf
+++ b/templates/juno/nova.conf
@ -46,7 +46,7 @@ service_neutron_metadata_proxy=True
 vnc_enabled = True
 novnc_enabled = True
 vnc_keymap = {{ console_keymap }}
-vncserver_listen = 0.0.0.0
+vncserver_listen = {{ console_listen_addr }}
 vncserver_proxyclient_address = {{ console_listen_addr }}
 {% if console_access_protocol == 'novnc' or console_access_protocol == 'vnc' -%}
 novncproxy_base_url = {{ novnc_proxy_address }}
@ -139,7 +139,7 @@ agent_enabled = True
 enabled = True
 html5proxy_base_url = {{ spice_proxy_address }}
 keymap = {{ console_keymap }}
-server_listen = 0.0.0.0
+server_listen = {{ console_listen_addr }}
 server_proxyclient_address = {{ console_listen_addr }}
 {% endif -%}
--- a/templates/kilo/nova.conf
+++ b/templates/kilo/nova.conf
@ -30,7 +30,7 @@ libvirt_disk_prefix=vd
 vnc_enabled = True
 novnc_enabled = True
 vnc_keymap = {{ console_keymap }}
-vncserver_listen = 0.0.0.0
+vncserver_listen = {{ console_listen_addr }}
 vncserver_proxyclient_address = {{ console_listen_addr }}
 {% if console_access_protocol == 'novnc' or console_access_protocol == 'vnc' -%}
 novncproxy_base_url = {{ novnc_proxy_address }}
@ -160,7 +160,7 @@ agent_enabled = True
 enabled = True
 html5proxy_base_url = {{ spice_proxy_address }}
 keymap = {{ console_keymap }}
-server_listen = 0.0.0.0
+server_listen = {{ console_listen_addr }}
 server_proxyclient_address = {{ console_listen_addr }}
 {% endif %}
--- a/templates/liberty/nova.conf
+++ b/templates/liberty/nova.conf
@ -30,7 +30,7 @@ libvirt_disk_prefix=vd
 vnc_enabled = True
 novnc_enabled = True
 vnc_keymap = {{ console_keymap }}
-vncserver_listen = 0.0.0.0
+vncserver_listen = {{ console_listen_addr }}
 vncserver_proxyclient_address = {{ console_listen_addr }}
 {% if console_access_protocol == 'novnc' or console_access_protocol == 'vnc' -%}
 novncproxy_base_url = {{ novnc_proxy_address }}
@ -164,7 +164,7 @@ agent_enabled = True
 enabled = True
 html5proxy_base_url = {{ spice_proxy_address }}
 keymap = {{ console_keymap }}
-server_listen = 0.0.0.0
+server_listen = {{ console_listen_addr }}
 server_proxyclient_address = {{ console_listen_addr }}
 {% endif -%}
--- a/templates/mitaka/nova.conf
+++ b/templates/mitaka/nova.conf
@ -30,7 +30,7 @@ libvirt_disk_prefix=vd
 vnc_enabled = True
 novnc_enabled = True
 vnc_keymap = {{ console_keymap }}
-vncserver_listen = 0.0.0.0
+vncserver_listen = {{ console_listen_addr }}
 vncserver_proxyclient_address = {{ console_listen_addr }}
 {% if console_access_protocol == 'novnc' or console_access_protocol == 'vnc' -%}
 novncproxy_base_url = {{ novnc_proxy_address }}
@ -173,7 +173,7 @@ agent_enabled = True
 enabled = True
 html5proxy_base_url = {{ spice_proxy_address }}
 keymap = {{ console_keymap }}
-server_listen = 0.0.0.0
+server_listen = {{ console_listen_addr }}
 server_proxyclient_address = {{ console_listen_addr }}
 {% endif -%}
--- a/templates/newton/nova.conf
+++ b/templates/newton/nova.conf
@ -30,7 +30,7 @@ libvirt_disk_prefix=vd
 vnc_enabled = True
 novnc_enabled = True
 vnc_keymap = {{ console_keymap }}
-vncserver_listen = 0.0.0.0
+vncserver_listen = {{ console_listen_addr }}
 vncserver_proxyclient_address = {{ console_listen_addr }}
 {% if console_access_protocol == 'novnc' or console_access_protocol == 'vnc' -%}
 novncproxy_base_url = {{ novnc_proxy_address }}
@ -179,7 +179,7 @@ agent_enabled = True
 enabled = True
 html5proxy_base_url = {{ spice_proxy_address }}
 keymap = {{ console_keymap }}
-server_listen = 0.0.0.0
+server_listen = {{ console_listen_addr }}
 server_proxyclient_address = {{ console_listen_addr }}
 {% endif -%}
--- a/templates/ocata/nova.conf
+++ b/templates/ocata/nova.conf
@ -39,7 +39,7 @@ libvirt_disk_prefix=vd
 vnc_enabled = True
 novnc_enabled = True
 vnc_keymap = {{ console_keymap }}
-vncserver_listen = 0.0.0.0
+vncserver_listen = {{ console_listen_addr }}
 vncserver_proxyclient_address = {{ console_listen_addr }}
 {% if console_access_protocol == 'novnc' or console_access_protocol == 'vnc' -%}
 novncproxy_base_url = {{ novnc_proxy_address }}
@ -188,7 +188,7 @@ agent_enabled = True
 enabled = True
 html5proxy_base_url = {{ spice_proxy_address }}
 keymap = {{ console_keymap }}
-server_listen = 0.0.0.0
+server_listen = {{ console_listen_addr }}
 server_proxyclient_address = {{ console_listen_addr }}
 {% endif -%}
--- a/templates/pike/nova.conf
+++ b/templates/pike/nova.conf
@ -39,7 +39,7 @@ libvirt_disk_prefix=vd
 vnc_enabled = True
 novnc_enabled = True
 vnc_keymap = {{ console_keymap }}
-vncserver_listen = 0.0.0.0
+vncserver_listen = {{ console_listen_addr }}
 vncserver_proxyclient_address = {{ console_listen_addr }}
 {% if console_access_protocol == 'novnc' or console_access_protocol == 'vnc' -%}
 novncproxy_base_url = {{ novnc_proxy_address }}
@ -196,7 +196,7 @@ agent_enabled = True
 enabled = True
 html5proxy_base_url = {{ spice_proxy_address }}
 keymap = {{ console_keymap }}
-server_listen = 0.0.0.0
+server_listen = {{ console_listen_addr }}
 server_proxyclient_address = {{ console_listen_addr }}
 {% endif -%}
--- a/templates/queens/nova.conf
+++ b/templates/queens/nova.conf
@ -39,7 +39,7 @@ libvirt_disk_prefix=vd
 vnc_enabled = True
 novnc_enabled = True
 vnc_keymap = {{ console_keymap }}
-vncserver_listen = 0.0.0.0
+vncserver_listen = {{ console_listen_addr }}
 vncserver_proxyclient_address = {{ console_listen_addr }}
 {% if console_access_protocol == 'novnc' or console_access_protocol == 'vnc' -%}
 novncproxy_base_url = {{ novnc_proxy_address }}
@ -207,7 +207,7 @@ agent_enabled = True
 enabled = True
 html5proxy_base_url = {{ spice_proxy_address }}
 keymap = {{ console_keymap }}
-server_listen = 0.0.0.0
+server_listen = {{ console_listen_addr }}
 server_proxyclient_address = {{ console_listen_addr }}
 {% endif -%}
--- a/templates/rocky/nova.conf
+++ b/templates/rocky/nova.conf
@ -39,7 +39,7 @@ libvirt_disk_prefix=vd
 vnc_enabled = True
 novnc_enabled = True
 vnc_keymap = {{ console_keymap }}
-vncserver_listen = 0.0.0.0
+vncserver_listen = {{ console_listen_addr }}
 vncserver_proxyclient_address = {{ console_listen_addr }}
 {% if console_access_protocol == 'novnc' or console_access_protocol == 'vnc' -%}
 novncproxy_base_url = {{ novnc_proxy_address }}
@ -207,7 +207,7 @@ agent_enabled = True
 enabled = True
 html5proxy_base_url = {{ spice_proxy_address }}
 keymap = {{ console_keymap }}
-server_listen = 0.0.0.0
+server_listen = {{ console_listen_addr }}
 server_proxyclient_address = {{ console_listen_addr }}
 {% endif -%}
--- a/tox.ini
+++ b/tox.ini
@ -15,7 +15,7 @@ install_command =
  pip install {opts} {packages}
 commands = stestr run {posargs}
 whitelist_externals = juju
-passenv = HOME TERM AMULET_* CS_API_*
+passenv = HOME TERM AMULET_* CS_API_* OS_*
 [testenv:py27]
 basepython = python2.7