cloudstack-dev mailing list archives

From Edison Su <Edison...@citrix.com>
Subject RE: VNC listen address for KVM
Date Thu, 21 Mar 2013 23:11:56 GMT
At least, need to revert the following change:
-               GraphicDef grap = new GraphicDef("vnc", (short) 0, true, null, null,
+               GraphicDef grap = new GraphicDef("vnc", (short) 0, true, vmTO.getVncAddr(),
null,
                                null);
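Review bot: the `vmTO.getVncAddr()` argument on the `+` line writes one hypervisor's address into the guest's graphics definition, and the thread reports that the destination host cannot bind that address during live migration, so reverting to `null` here is consistent with the reported failure. With `null`, the listen address is no longer set per guest and falls back to `vnc_listen` in qemu.conf, which the original post flags as an exposure when it is 0.0.0.0 without a firewall. The revert should carry a code comment next to the `GraphicDef` call that records this trade-off and points at the planned fix of passing rewritten XML to migrate.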

in LibvirtComputingResource in 4.1, otherwise, live migration will not work as Wido pointed
out.

> -----Original Message-----
> From: Marcus Sorensen [mailto:shadowsor@gmail.com]
> Sent: Thursday, March 21, 2013 2:02 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: VNC listen address for KVM
> 
> To be clear, it doesn't break consoleproxy for me, but it breaks migration as
> Wido mentions in his long first post. I think he intended to fix it with the new
> libvirt 0.5.0 bindings rather than roll back, but it didn't happen before the cut.
> It should probably be rolled back on both 4.1 and master at this point, lest it
> be forgotten, and he can add it back in once we for certain have the new
> libvirt bindings and fix.
> 
> On Thu, Mar 21, 2013 at 2:46 PM, Marcus Sorensen <shadowsor@gmail.com>
> wrote:
> > The change was in server side code, so maybe.
> >
> > On Jan 4, 2013 1:09 PM, "Wido den Hollander" <wido@widodh.nl> wrote:
> >>
> >> Hi,
> >>
> >> I just noticed that CLOUDSTACK-411 got resolved which is related to
> >> CLOUDSTACK-410
> >>
> >> * https://issues.apache.org/jira/browse/CLOUDSTACK-410
> >> * https://issues.apache.org/jira/browse/CLOUDSTACK-411
> >>
> >> Today I made this commit: 7240204a507cce8143c248e6aa635da6dad60ed0
> >>
> >> About 7 months ago I already fixed that the listen address for VNC
> >> would be set to the private IP of the hypervisor so that you don't
> >> have to specify vnc_listen in qemu.conf
> >>
> >> With vnc listening on 0.0.0.0 you have a potential security issue
> >> since you need a firewall to prevent the whole world connecting to your VNC.
> >>
> >>     <graphics type='vnc' port='5907' autoport='yes' listen='10.4.0.67'>
> >>       <listen type='address' address='10.4.0.67'/>
> >>     </graphics>
> >>
> >> That's what the XML definition looks like.
> >>
> >> With commit 7240204a507cce8143c248e6aa635da6dad60ed0 this works
> >> again, but 30 minutes later I figured out that migrations break due
> >> to this, dôh!
> >>
> >> On the other hypervisor that private IP isn't available for binding,
> >> so Qemu won't start...
> >>
> >> Instead of reverting the commit I'm now working on changing the XML
> >> during migration. libvirt supports this, but libvirt-java doesn't.
> >>
> >> I have a bunch of patches still ready for libvirt-java. Together with
> >> those patches I'll submit this to the libvirt guys next week.
> >>
> >> The method in libvirt-java will be:
> >>
> >> migrate(Connect dconn, long flags, String dxml, String dname, String
> >> uri, long bandwidth)
> >>
> >> dxml: (optional) XML config for launching guest on target
> >>
> >> In LibvirtComputingResource I'll generate a new XML with the private
> >> IP of the new hypervisor and pass that on to the migrate method.
> >>
> >> For the 4.1 release libvirt-java 0.5.0 should be out and this should
> >> then work.
> >>
> >> No more need for setting vnc_listen in qemu.conf and no potential
> >> security leak of having VNC listening world-wide (assuming your
> >> hypervisor has a public IP).
> >>
> >> Just wanted to let you know what I'm working on.
> >>
> >> Wido
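
The per-host rewrite described in the original post (generate new domain XML carrying the destination hypervisor's private IP before migrating), together with a check for wildcard listeners, as an added Python example that is not part of the thread or of CloudStack's code. The function names, the sample domain and the destination address used with it are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the <graphics> element quoted in the thread.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>example-vm</name>
  <devices>
    <graphics type='vnc' port='5907' autoport='yes' listen='10.4.0.67'>
      <listen type='address' address='10.4.0.67'/>
    </graphics>
  </devices>
</domain>"""

VNC = "./devices/graphics[@type='vnc']"
WILDCARDS = {"0.0.0.0", "::"}


def vnc_listen_addresses(domain_xml):
    """Return the set of VNC listen addresses in a libvirt domain XML.

    None in the result means a <graphics> element names no address, so the
    hypervisor-wide vnc_listen setting in qemu.conf decides.
    """
    found = set()
    for gfx in ET.fromstring(domain_xml).iterfind(VNC):
        addrs = {gfx.get("listen")}
        addrs |= {l.get("address") for l in gfx.iterfind("listen[@type='address']")}
        addrs.discard(None)
        found |= addrs or {None}
    return found


def exposed_listeners(domain_xml):
    """Return the explicit addresses that bind VNC to every interface."""
    return vnc_listen_addresses(domain_xml) & WILDCARDS


def rewrite_vnc_listen(domain_xml, dest_private_ip):
    """Return domain XML with VNC bound to the destination host's private IP."""
    ip = ipaddress.ip_address(dest_private_ip)  # ValueError on malformed input
    if ip.is_unspecified:
        raise ValueError("refusing wildcard VNC listen address")
    root = ET.fromstring(domain_xml)
    for gfx in root.iterfind(VNC):
        gfx.set("listen", str(ip))
        listeners = gfx.findall("listen[@type='address']")
        for lst in listeners or [ET.SubElement(gfx, "listen", {"type": "address"})]:
            lst.set("address", str(ip))
    return ET.tostring(root, encoding="unicode")
```

The string returned by `rewrite_vnc_listen` corresponds to the optional `dxml` argument of the migrate method quoted in the post.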
