nova-compute does not open ports for spice/vnc in iptables
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Nova Compute Charm | New | Undecided | Unassigned | |
Bug Description
After applying CIS hardening to our nova-compute units, we can no longer access the spice consoles. The consoles remain blank. Mysteriously, some consoles *do* work but not all.
When checking the nova-spiceprox
INFO nova.console.
And then a bit later:
INFO nova.console.
After some investigation it seems port 5906 is no longer accessible because the CIS hardening changes the default firewall policy to DROP.
Spice (and vnc) consoles will use a range of ports starting at 5900.
I noticed that some 59** ports are allowed but not the ones for the consoles that are timing out.
```
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5900
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5901
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5902
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5903
```
As a work-around, we can manually allow the port range:
```
iptables -I INPUT -p tcp --dport 5900:5999 -j ACCEPT
iptables-save >/etc/iptables/
```
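The following is an added check, not part of the bug report or of the charm: given `iptables-save` style rules, it reports which ports in the console range have no INPUT ACCEPT rule, so a unit can be verified after CIS hardening and again after the work-around. The rule sets below are constructed to mirror the symptom described above (INPUT policy DROP, only 5900-5903 opened individually); the function names `port_allowed` and `console_ports_blocked` are this example's own.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output modelled on the report:
# INPUT policy is DROP and only four 59xx ports were opened one by one.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5902 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5903 -j ACCEPT
COMMIT'

# Same rules after the work-around from the report (the range rule is
# inserted at the top of INPUT, as `iptables -I INPUT ...` does).
WORKAROUND_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
COMMIT'

# port_allowed RULES PORT
# Returns 0 when some "-A INPUT ... -p tcp ... -j ACCEPT" rule covers PORT,
# either as a single "--dport N" or as a range "--dport LOW:HIGH"; returns 1
# otherwise. Rules using "-m multiport --dports" are not examined here.
port_allowed() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") {
                    n = split($(i + 1), r, ":")
                    low = r[1] + 0
                    high = (n == 2) ? r[2] + 0 : low
                    if (port + 0 >= low && port + 0 <= high) { found = 1; exit }
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# console_ports_blocked RULES LOW HIGH
# Prints one line per port in LOW..HIGH that no ACCEPT rule covers; prints
# nothing when the whole range is reachable.
console_ports_blocked() {
    rules=$1
    p=$2
    while [ "$p" -le "$3" ]; do
        port_allowed "$rules" "$p" || printf '%s\n' "$p"
        p=$((p + 1))
    done
}

# On a real unit (needs root): console_ports_blocked "$(iptables-save)" 5900 5999
echo "Blocked console ports before the work-around:"
console_ports_blocked "$SAMPLE_RULES" 5900 5910
echo "Blocked console ports after the work-around (expect none):"
console_ports_blocked "$WORKAROUND_RULES" 5900 5999
```

Run against `iptables-save` output from a hardened unit, an empty result for 5900-5999 confirms the whole range the spice/vnc proxies may hand out is reachable; any port listed is one whose console will time out exactly as 5906 did above.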
Tags added: cis-hardening