Activity log for bug #1660351

Date Who What changed Old value New value Message
2017-01-30 14:28:25 George Shuklin bug added bug
2017-01-30 14:29:18 George Shuklin description

Old value:

The current way to configure the console (as described in http://docs.openstack.org/developer/ironic/deploy/console.html) is deeply flawed. It creates an http link to a boxinashell instance. Each server receives its own port, which is specified in the ironic node property (driver_info/ipmi_terminal_port).

1. Manual binding of each server to a separate http port is not 'cloud-like' and requires manual port management from the administrator. If we imagine a small installation of 100-200 servers with periodic installation and removal of servers, it is already almost impossible to be sure that the port number is unique for any given new server.
2. http is not secure.
3. There is no means of authorization in the boxinashell instance. Any tenant may scan all opened http ports on the ironic-node (by using the IP from their own 'http-console' instance) and connect to consoles of other tenants without any problems.

Proposal:

1. boxinashell should bind to local host or to a socket.
2. A vnc server should be used to translate the output of boxinashell to vnc format.
3. nova-novncproxy should be used to support multitenant connection with tokens and/or SSL.

New value:

The current way to configure the console (as described in http://docs.openstack.org/developer/ironic/deploy/console.html) is deeply flawed. It creates a publicly available password-unprotected http server with boxinashell. Each server receives its own port, which is specified in the ironic node property (driver_info/ipmi_terminal_port).

1. Manual binding of each server to a separate http port is not 'cloud-like' and requires manual port management from the administrator. If we imagine a small installation of 100-200 servers with periodic installation and removal of servers, it is already almost impossible to be sure that the port number is unique for any given new server.
2. http is not secure.
3. There is no means of authorization in the boxinashell instance. Any tenant may scan all opened http ports on the ironic-node (by using the IP from their own 'http-console' instance) and connect to consoles of other tenants without any problems.

Proposal:

1. boxinashell should bind to local host or to a socket.
2. A vnc server should be used to translate the output of boxinashell to vnc format.
3. nova-novncproxy should be used to support multitenant connection with tokens and/or SSL.
2017-03-01 13:20:32 Vladyslav Drok summary
Old value: serial console through shellinabox is not multi-tenant and has no token/password protection
New value: [RFE] serial console through shellinabox is not multi-tenant and has no token/password protection
2017-03-01 13:20:39 Vladyslav Drok ironic: importance Undecided Wishlist
2017-03-01 13:20:51 Vladyslav Drok tags rfe
2017-11-21 17:10:19 milan k ironic: status New Confirmed
2017-12-04 19:23:09 Ruby Loo tags
Old value: rfe
New value: needs-spec rfe
2018-04-11 11:44:31 Uemit Seren bug added subscriber Uemit Seren