Re: [one-users] How to secure VNC access?
Hey Daniel,

thanks for following up - I will lock down vnc ports to only allow access from the frontend to this a try today!

Cheers,

Nico

Daniel Molina [Fri, Feb 13, 2015 at 09:17:55AM +0100]:
> The novnc-server will translate WebSockets traffic to normal socket traffic, therefore you don't have to expose the host IP to the final user, she will interact with the proxy.
>
> Cheers
>
> On 10 February 2015 at 11:33, Nico Schottelius nico-opennebula@schottelius.org wrote:
>> Hey,
>>
>> I think I haven't (at least I didn't enable it explicitly). If the novnc-server is enabled, how do I configure the templates? Because at the moment, vnc listens to 0.0.0.0 and is accessible if someone knows the IP and port.
>>
>> Cheers,
>>
>> Nico
>>
>> Daniel Molina [Tue, Feb 10, 2015 at 10:54:36AM +0100]:
>>> Hi,
>>>
>>> Are you using the novnc-server included in OpenNebula? This component uses a websocket proxy, so that you don't have to expose the VNC socket to your users, and it will take care of the different tcp sockets.
>>>
>>> Cheers
>>>
>>> On 6 February 2015 at 12:50, Nico Schottelius nico-opennebula@schottelius.org wrote:
>>>> Good day,
>>>>
>>>> we are about to set up our fourth hosting platform in the next weeks, based on opennebula 4.10.2, ubuntu 14.0 and gluster 3.x (x ~= 4..6).
>>>>
>>>> In our tests the VNC socket of the VMs has been exposed on the hosts directly accessible on 0.0.0.0 - for everyone.
>>>>
>>>> Given that sunstone will be usable by our customers and VMs will be running on hosts other than the one running sunstone, what is the default secure alternative in opennebula?
>>>>
>>>> Do you support vnc / ssh tunneling like described on [0]? This process is pretty neat, because you don't need to expose VNC at all and not care about numbering of tcp sockets.
>>>>
>>>> I guess a combination of ssh unix socket tunneling plus spice on the frontend is probably the safest solution - what are your opinions? How do you configure VNC access at the moment?
>>>>
>>>> [0] http://www.nico.schottelius.org/blog/tunneling-qemu-kvm-unix-socket-via-ssh/
>
> --
> Daniel Molina
> Project Engineer
> OpenNebula - Flexible Enterprise Cloud Made Simple
> www.OpenNebula.org | dmol...@opennebula.org | @OpenNebula

--
New PGP key: 659B 0D91 E86E 7E24 FD15 69D0 C729 21A1 293F 2D24

___
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
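An added example, not part of the thread and not OpenNebula code: one way to check a hypervisor host for the exposure described above (VNC listening on 0.0.0.0) and to generate the lock-down that restricts the VNC ports to the frontend running the noVNC proxy. The port range 5900-6900, the frontend address 192.0.2.10 and the sample `ss -Hltn` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit VNC listeners and emit a frontend-only firewall policy.
# Assumptions (not from the thread): VNC ports fall in 5900-6900 and the
# Sunstone/noVNC frontend is 192.0.2.10 (a documentation address).
VNC_LO=5900
VNC_HI=6900
FRONTEND=192.0.2.10

# Constructed sample of `ss -Hltn` output from a hypervisor host.
sample_ss() {
cat <<'EOF'
LISTEN 0 128    0.0.0.0:22     0.0.0.0:*
LISTEN 0 1      0.0.0.0:5907   0.0.0.0:*
LISTEN 0 1    127.0.0.1:5912   0.0.0.0:*
LISTEN 0 1         [::]:5915      [::]:*
LISTEN 0 1            *:5920         *:*
LISTEN 0 1    10.0.0.21:5931   0.0.0.0:*
EOF
}

# Print the ports of VNC-range listeners bound to a wildcard address.
# Reads ss output on stdin; field 4 is "local-address:port".
exposed_vnc_ports() {
    awk -v lo="$VNC_LO" -v hi="$VNC_HI" '
        {
            n = split($4, part, ":")
            port = part[n] + 0      # the port follows the last colon
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            wildcard = (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
            if (wildcard && port >= lo && port <= hi) print port
        }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Print iptables rules: accept the VNC range from the frontend, drop the rest.
# Order matters: the ACCEPT rule must precede the DROP rule.
frontend_only_rules() {
    printf '%s\n' "-A INPUT -p tcp -s $FRONTEND --dport $VNC_LO:$VNC_HI -j ACCEPT"
    printf '%s\n' "-A INPUT -p tcp --dport $VNC_LO:$VNC_HI -j DROP"
}

# On a real host: ss -Hltn | exposed_vnc_ports
ports=$(sample_ss | exposed_vnc_ports)
echo "wildcard-bound VNC listeners: ${ports:-none}"
frontend_only_rules
```

A listener bound to a specific host address (10.0.0.21 in the sample) is not flagged as a wildcard bind, but it is still covered by the generated DROP rule.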
[one-users] Looking for support for Sheepdog in Opennebula
Hello,

I was wondering what the status of Sheepdog integration in Opennebula is?

I have seen the old [0] and new [1] pull request and wonder when the new one will be merged?

According to the bugtracker [2], Sheepdog support already exists in Opennebula and the patch originates from May 2014 [3].

We are very keen on testing the sheepdog backend, so if there was a pre-release with sheepdog, we could give you instant feedback.

Cheers,

Nico

[0] https://github.com/OpenNebula/one/pull/25
[1] https://github.com/OpenNebula/one/pull/40
[2] http://dev.opennebula.org/issues/1118
[3] http://comments.gmane.org/gmane.comp.distributed.opennebula.devel/120

--
New PGP key: 659B 0D91 E86E 7E24 FD15 69D0 C729 21A1 293F 2D24
Re: [one-users] How to secure VNC access?
Hey,

I think I haven't (at least I didn't enable it explicitly). If the novnc-server is enabled, how do I configure the templates? Because at the moment, vnc listens to 0.0.0.0 and is accessible if someone knows the IP and port.

Cheers,

Nico

Daniel Molina [Tue, Feb 10, 2015 at 10:54:36AM +0100]:
> Hi,
>
> Are you using the novnc-server included in OpenNebula? This component uses a websocket proxy, so that you don't have to expose the VNC socket to your users, and it will take care of the different tcp sockets.
>
> Cheers
>
> On 6 February 2015 at 12:50, Nico Schottelius nico-opennebula@schottelius.org wrote:
>> Good day,
>>
>> we are about to set up our fourth hosting platform in the next weeks, based on opennebula 4.10.2, ubuntu 14.0 and gluster 3.x (x ~= 4..6).
>>
>> In our tests the VNC socket of the VMs has been exposed on the hosts directly accessible on 0.0.0.0 - for everyone.
>>
>> Given that sunstone will be usable by our customers and VMs will be running on hosts other than the one running sunstone, what is the default secure alternative in opennebula?
>>
>> Do you support vnc / ssh tunneling like described on [0]? This process is pretty neat, because you don't need to expose VNC at all and not care about numbering of tcp sockets.
>>
>> I guess a combination of ssh unix socket tunneling plus spice on the frontend is probably the safest solution - what are your opinions? How do you configure VNC access at the moment?
>>
>> [0] http://www.nico.schottelius.org/blog/tunneling-qemu-kvm-unix-socket-via-ssh/
>
> --
> Daniel Molina
> Project Engineer
> OpenNebula - Flexible Enterprise Cloud Made Simple
> www.OpenNebula.org | dmol...@opennebula.org | @OpenNebula

--
New PGP key: 659B 0D91 E86E 7E24 FD15 69D0 C729 21A1 293F 2D24
[one-users] How to secure VNC access?
Good day,

we are about to set up our fourth hosting platform in the next weeks, based on opennebula 4.10.2, ubuntu 14.0 and gluster 3.x (x ~= 4..6).

In our tests the VNC socket of the VMs has been exposed on the hosts directly accessible on 0.0.0.0 - for everyone.

Given that sunstone will be usable by our customers and VMs will be running on hosts other than the one running sunstone, what is the default secure alternative in opennebula?

Do you support vnc / ssh tunneling like described on [0]? This process is pretty neat, because you don't need to expose VNC at all and not care about numbering of tcp sockets.

I guess a combination of ssh unix socket tunneling plus spice on the frontend is probably the safest solution - what are your opinions? How do you configure VNC access at the moment?

[0] http://www.nico.schottelius.org/blog/tunneling-qemu-kvm-unix-socket-via-ssh/

--
New PGP key: 659B 0D91 E86E 7E24 FD15 69D0 C729 21A1 293F 2D24