Re: [Openstack-operators] Disable console for an instance
That is an interesting angle. There *should* be a way to limit vnc access to just the owner via RBAC. If you trust everything else to be set up right that's probably sufficient.

Putting on my paranoid security hat, I wouldn't trust that. VNC access at least is completely unsecured at the hypervisor side. Of course we have measures in place to prevent anyone directly accessing that (iptables rules on all hypervisors in my case that get checked every 30min by config management). Mistakes happen and if I had hard security needs for a VM I'd want to be sure I had control of that console not rely on my provider (even if I'm my own provider honestly), so I think there's still value in putting a feature in Nova for this.

-Jon

On Thu, Oct 27, 2016 at 10:53:15AM -0400, George Mihaiescu wrote:
: You're right, it's probably the following you would want changed:
:
: "compute:get_vnc_console": "",
: "compute:get_spice_console": "",
: "compute:get_rdp_console": "",
: "compute:get_serial_console": "",
: "compute:get_mks_console": "",
: "compute:get_console_output": "",
:
: I thought the use case is to limit console access to users in a shared
: project environment, where you might have multiple users seeing each
: other's instances, and you don't want them to try logging on the console.
:
: You could create a special role that has console access and change the
: policy file to reference that role for the "compute:get_vnc_console",
: for example.
:
: I don't think you can do it on a per-flavor basis.
:
: Cheers,
: George
:
: On Thu, Oct 27, 2016 at 10:24 AM, Blair Bethwaite
: <blair.bethwa...@gmail.com> wrote:
:
: Hi George,
:
: On 27 October 2016 at 16:15, George Mihaiescu
: <lmihaie...@gmail.com> wrote:
: > Did you try playing with Nova's policy file and limit the scope for
: > "compute_extension:console_output": "" ?
:
: No, interesting idea though... I suspect it's actually the
: get_*_console policies we'd need to tweak, I think console_output
: probably refers to the console log? Anyway, not quite sure how we'd
: craft policy that would enable us to disable these on a per instance
: basis though - is it possible to reference image metadata in the
: context of the policy rule?
:
: --
: Cheers,
: ~Blairo

___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: [Openstack-operators] Disable console for an instance
You're right, it's probably the following you would want changed:

"compute:get_vnc_console": "",
"compute:get_spice_console": "",
"compute:get_rdp_console": "",
"compute:get_serial_console": "",
"compute:get_mks_console": "",
"compute:get_console_output": "",

I thought the use case is to limit console access to users in a shared project environment, where you might have multiple users seeing each other's instances, and you don't want them to try logging on the console.

You could create a special role that has console access and change the policy file to reference that role for the "compute:get_vnc_console", for example.

I don't think you can do it on a per-flavor basis.

Cheers,
George

On Thu, Oct 27, 2016 at 10:24 AM, Blair Bethwaite wrote:
> Hi George,
>
> On 27 October 2016 at 16:15, George Mihaiescu wrote:
> > Did you try playing with Nova's policy file and limit the scope for
> > "compute_extension:console_output": "" ?
>
> No, interesting idea though... I suspect it's actually the
> get_*_console policies we'd need to tweak, I think console_output
> probably refers to the console log? Anyway, not quite sure how we'd
> craft policy that would enable us to disable these on a per instance
> basis though - is it possible to reference image metadata in the
> context of the policy rule?
>
> --
> Cheers,
> ~Blairo
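An added example, not from any message in the thread, of the role-based change George describes: the stock entries above (empty rule strings) let any authenticated user open a console on any instance they can see, while this policy.json fragment restricts all six console APIs to admins or to members of a hypothetical console_user role acting within the owning project. It assumes the instance's project_id is present in the policy target, as it is for the other compute:* rules, and that the console_user role has been created in Keystone and assigned to the users who should keep console access.

```json
{
    "console_user_or_admin": "is_admin:True or (role:console_user and project_id:%(project_id)s)",

    "compute:get_vnc_console": "rule:console_user_or_admin",
    "compute:get_spice_console": "rule:console_user_or_admin",
    "compute:get_rdp_console": "rule:console_user_or_admin",
    "compute:get_serial_console": "rule:console_user_or_admin",
    "compute:get_mks_console": "rule:console_user_or_admin",
    "compute:get_console_output": "rule:console_user_or_admin"
}
```

oslo.policy re-reads the file when its mtime changes, so no service restart is needed; check from a project member who lacks the role that requesting a console for one of the project's instances is now refused, and from a role holder that it still works.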
Re: [Openstack-operators] Disable console for an instance
Lol! I don't mind - Microsoft do support and produce some pretty good research, I just wish they'd fix licensing!

On 27 October 2016 at 16:11, Jonathan D. Proulx wrote:
> On Thu, Oct 27, 2016 at 04:08:26PM +0200, Blair Bethwaite wrote:
> :On 27 October 2016 at 16:02, Jonathan D. Proulx wrote:
> :> don't put a getty on the TTY :)
> :
> :Do you know how to do that with Windows? ...you can see the desire for
> :sandboxing now :-).
>
> Sigh yes I see, http://goodbye-microsoft.com/ has a good solution IMHO
>
> :--
> :Cheers,
> :~Blairo

--
Cheers,
~Blairo
Re: [Openstack-operators] Disable console for an instance
Hi George,

On 27 October 2016 at 16:15, George Mihaiescu wrote:
> Did you try playing with Nova's policy file and limit the scope for
> "compute_extension:console_output": "" ?

No, interesting idea though... I suspect it's actually the get_*_console policies we'd need to tweak, I think console_output probably refers to the console log? Anyway, not quite sure how we'd craft policy that would enable us to disable these on a per instance basis though - is it possible to reference image metadata in the context of the policy rule?

--
Cheers,
~Blairo
Re: [Openstack-operators] Disable console for an instance
Hi Blair,

Did you try playing with Nova's policy file and limit the scope for "compute_extension:console_output": "" ?

Cheers,
George

On Thu, Oct 27, 2016 at 10:08 AM, Blair Bethwaite wrote:
> On 27 October 2016 at 16:02, Jonathan D. Proulx wrote:
> > don't put a getty on the TTY :)
>
> Do you know how to do that with Windows? ...you can see the desire for
> sandboxing now :-).
>
> --
> Cheers,
> ~Blairo
Re: [Openstack-operators] Disable console for an instance
On Thu, Oct 27, 2016 at 04:08:26PM +0200, Blair Bethwaite wrote:
:On 27 October 2016 at 16:02, Jonathan D. Proulx wrote:
:> don't put a getty on the TTY :)
:
:Do you know how to do that with Windows? ...you can see the desire for
:sandboxing now :-).

Sigh yes I see, http://goodbye-microsoft.com/ has a good solution IMHO

:--
:Cheers,
:~Blairo
Re: [Openstack-operators] Disable console for an instance
On 27 October 2016 at 16:02, Jonathan D. Proulx wrote:
> don't put a getty on the TTY :)

Do you know how to do that with Windows? ...you can see the desire for sandboxing now :-).

--
Cheers,
~Blairo
Re: [Openstack-operators] Disable console for an instance
On Thu, Oct 27, 2016 at 02:27:48PM +0200, Blair Bethwaite wrote:
: Looks like this is not currently possible. Does anyone else have an
: interest in such a feature?
:
: I'm thinking about it from the perspective of a public cloud user who
: wants to build highly secure / sandboxed instances. Having a virtual
: terminal straight into a guest login prompt, especially one that allows
: reset of the guest, is not desirable.

don't put a getty on the TTY :)

Of course there are still race conditions where you could get to the boot loader or something.

Snarkless answer: I can imagine a use case for wanting to toggle this on a per VM basis but don't actually have one myself.

-Jon

: On 13 October 2016 at 04:37, Blair Bethwaite
: <blair.bethwa...@gmail.com> wrote:
:
: Hi all,
:
: Does anyone know whether there is a way to disable the novnc console
: on a per instance basis?
:
: Cheers,
: Blair
:
: --
: Cheers,
: ~Blairo
Re: [Openstack-operators] Disable console for an instance
Looks like this is not currently possible. Does anyone else have an interest in such a feature?

I'm thinking about it from the perspective of a public cloud user who wants to build highly secure / sandboxed instances. Having a virtual terminal straight into a guest login prompt, especially one that allows reset of the guest, is not desirable.

On 13 October 2016 at 04:37, Blair Bethwaite wrote:
> Hi all,
>
> Does anyone know whether there is a way to disable the novnc console on a
> per instance basis?
>
> Cheers,
> Blair
>

--
Cheers,
~Blairo
[Openstack-operators] Disable console for an instance
Hi all,

Does anyone know whether there is a way to disable the novnc console on a per instance basis?

Cheers,
Blair