nova-compute does not open ports for spice/vnc in iptables

Bug #2064216 reported by Vern Hart
Affects                       Status  Importance  Assigned to  Milestone
OpenStack Nova Compute Charm  New     Undecided   Unassigned

Bug Description

After applying CIS hardening to our nova-compute units, we can no longer access the spice consoles. The consoles remain blank. Mysteriously, some consoles *do* work but not all.
When checking the nova-spiceproxy.log on the nova-cloud-controllers we found:

    INFO nova.console.websocketproxy [req-xxx - - - - -] 645: connect info: ConsoleAuthToken(access_url_base='https://nova-api:6082/spice_auto.html',console_type='spice-html5',created_at=2024-04-30T09:15:11Z,host='10.10.10.17',id=100,instance_uuid=xxx,internal_access_path=None,port=5906,token='***',updated_at=None)

And then a bit later:

    INFO nova.console.websocketproxy [req-xxx - - - - -] 10.10.10.230 - - [30/Apr/2024 09:22:21] Request timed out: TimeoutError(110, 'ETIMEDOUT')

After some investigation, it seems port 5906 is no longer accessible because the CIS hardening changes the default firewall policy to DROP.

Spice (and vnc) consoles will use a range of ports starting at 5900.

I noticed that some 59** ports are allowed but not the ones for the consoles that are timing out.

    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5900
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5901
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5902
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5903

As a workaround, we can manually allow the port range:

    iptables -I INPUT -p tcp --dport 5900:5999 -j ACCEPT
    iptables-save >/etc/iptables/rules.v4

Vern Hart (vern)
tags: added: cis-hardening
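The gap the report describes (console listeners on 59xx ports that the hardened INPUT chain never ACCEPTs) can be audited on a compute host before users see blank consoles. The script below is an added example, not code from the bug report or the nova-compute charm; it assumes the line shapes of `ss -Hlnt` and `iptables -S INPUT`, and uses constructed sample output inline so it runs offline.

```shell
#!/bin/sh
# Added example (not from the bug report or the charm): audit which libvirt
# console ports (5900-5999) a nova-compute host listens on that the iptables
# INPUT chain does not ACCEPT. Inputs are constructed samples shaped like
# `ss -Hlnt` and `iptables -S INPUT` output; on a real host feed those in.

# Constructed sample of `ss -Hlnt`: four guests with spice/vnc listeners.
SAMPLE_SS='LISTEN 0 1 10.10.10.17:5900 0.0.0.0:*
LISTEN 0 1 10.10.10.17:5901 0.0.0.0:*
LISTEN 0 1 10.10.10.17:5905 0.0.0.0:*
LISTEN 0 1 10.10.10.17:5906 0.0.0.0:*'

# Constructed sample of `iptables -S INPUT` after hardening: DROP policy and
# single-port ACCEPTs for 5900-5903 only, as observed in the report.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5902 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5903 -j ACCEPT'

# port_accepted PORT RULES: succeeds if some ACCEPT rule covers PORT, given
# either as a single "--dport N" or as a range "--dport A:B".
port_accepted() {
    printf '%s\n' "$2" | awk -v p="$1" '
        /-j ACCEPT/ && match($0, /--dport [0-9]+(:[0-9]+)?/) {
            spec = substr($0, RSTART + 8, RLENGTH - 8)
            n = split(spec, r, ":")
            lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
            if (p + 0 >= lo && p + 0 <= hi) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# blocked_console_ports SS RULES: prints each listening port in 5900-5999
# that no ACCEPT rule covers, one per line (empty output means all covered).
blocked_console_ports() {
    printf '%s\n' "$1" | awk '{ n = split($4, a, ":"); print a[n] }' |
    while read -r port; do
        [ "$port" -ge 5900 ] && [ "$port" -le 5999 ] || continue
        port_accepted "$port" "$2" || echo "$port"
    done
}

# Stand-alone run: list the console ports that would time out at the proxy.
blocked_console_ports "$SAMPLE_SS" "$SAMPLE_RULES" |
    sed 's/^/console port not accepted by INPUT: /'
```

Multiport rules (`-m multiport --dports ...`) are not parsed, so a host using those needs the matcher extended before the result is trusted.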