[RFE] serial console through shellinabox is not multi-tenant and has no token/password protection

Bug #1660351 reported by George Shuklin on 2017-01-30
Affects: Ironic
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned

Bug Description

The current way to configure the console (as described in http://docs.openstack.org/developer/ironic/deploy/console.html) is deeply flawed. It creates a publicly available, password-unprotected HTTP server with shellinabox. Each server receives its own port, which is specified in the ironic node property (driver_info/ipmi_terminal_port).

1. Manual binding of each server to a separate HTTP port is not 'cloud-like' and requires manual port management from the administrator. If we imagine a small installation of 100-200 servers with periodic installation and removal of servers, it is already almost impossible to be sure that a port number is unique for any given new server.
2. HTTP is not secure.
3. There are no means of authorization in the shellinabox instance. Any tenant may scan all open HTTP ports on the ironic node (using the IP from their own 'http-console' instance) and connect to the consoles of other tenants without any problems.

Proposal:

1. shellinabox should bind to localhost or to a socket.
2. A VNC server should be used to translate the output of shellinabox to VNC format.
3. nova-novncproxy should be used to support multi-tenant connections with tokens and/or SSL.

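As an added example (not from the bug report or from Ironic's own code), an operator-side audit for the two risks the description raises: duplicate ipmi_terminal_port values across nodes, and console ports that listen on a non-loopback address instead of localhost. The node records and the `ss -ltn` output are constructed, and the column layout of `ss` is assumed.

```python
import re
from collections import defaultdict

# Constructed sample of ironic node records, reduced to the field this audit
# needs: driver_info/ipmi_terminal_port, as set per node for the console.
NODES = [
    {"uuid": "node-a", "driver_info": {"ipmi_terminal_port": 10001}},
    {"uuid": "node-b", "driver_info": {"ipmi_terminal_port": 10002}},
    {"uuid": "node-c", "driver_info": {"ipmi_terminal_port": 10001}},  # collides with node-a
    {"uuid": "node-d", "driver_info": {}},                              # console not configured
]

# Constructed `ss -ltn` output from the conductor host (assumed column layout).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:10001       0.0.0.0:*
LISTEN 0      128    127.0.0.1:10002     0.0.0.0:*
LISTEN 0      128    [::]:10003          [::]:*
"""

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")
LOOPBACK = {"127.0.0.1", "[::1]"}


def console_ports(nodes):
    """Map each configured console port to the node uuids that use it."""
    by_port = defaultdict(list)
    for node in nodes:
        port = node.get("driver_info", {}).get("ipmi_terminal_port")
        if port is not None:
            by_port[int(port)].append(node["uuid"])
    return by_port


def port_collisions(nodes):
    """Ports assigned to more than one node (the manual-management failure)."""
    return {p: u for p, u in console_ports(nodes).items() if len(u) > 1}


def exposed_console_ports(nodes, ss_output):
    """Console ports listening on a non-loopback address, sorted ascending."""
    configured = set(console_ports(nodes))
    exposed = set()
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(2)) in configured and m.group(1) not in LOOPBACK:
            exposed.add(int(m.group(2)))
    return sorted(exposed)
```

Any port reported by `exposed_console_ports` is reachable from outside the host and, with shellinabox as configured here, has no authentication in front of it.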
description: updated
Vladyslav Drok (vdrok) wrote :

As for the first point, please see the spec https://review.openstack.org/249876; the second and third points seem like feature requests to me too, so I added the rfe tag to this.

summary: - serial console through shellinabox is not multi-tenant and has no
+ [RFE] serial console through shellinabox is not multi-tenant and has no
token/password protection
Changed in ironic:
importance: Undecided → Wishlist
tags: added: rfe
milan k (vetrisko) on 2017-11-21
Changed in ironic:
status: New → Confirmed
Ruby Loo (rloo) wrote :

Thanks for submitting this. We discussed it in our ironic meeting today [1] and we'd like a spec that describes the problem in more detail, along with the proposed changes to address it.

[1] http://eavesdrop.openstack.org/meetings/ironic/2017/ironic.2017-12-04-17.00.log.html#l-239
[2] https://docs.openstack.org/ironic/latest/contributor/code-contribution-guide.html#ironic-specs-process

tags: added: needs-spec
Dmitry Tantsur (divius) wrote :

Also if you use Nova as a proxy anyway, why not use the socat serial console?
