#218 Security issue: Restrict VNC to default host.
Merged 3 years ago by astepano. Opened 3 years ago by till.
till/standard-test-roles vnc  into  master

@@ -56,6 +56,7 @@ 

  

  DEF_USER = "root"

  DEF_PASSWD = "foobar"

+ DEF_HOST = "127.0.0.3"

  

  USER_DATA = """#cloud-config

  users:
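Review bot: The new constant `DEF_HOST = "127.0.0.3"` deserves a comment explaining why a loopback alias rather than 127.0.0.1 is used, because the value looks like an arbitrary choice and a future maintainer may "fix" it. Linux answers on the whole 127/8 block by default, so presumably the alias keeps the guest's forwarded ports from colliding with services already bound on 127.0.0.1; other platforms generally need the alias configured explicitly. Suggest `# Loopback alias (Linux routes all of 127/8 to lo); avoids clashing with services on 127.0.0.1 — verify before running elsewhere.`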
@@ -116,7 +117,7 @@ 

          sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

          sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

          try:

-             sock.bind(("127.0.0.3", port))

+             sock.bind((DEF_HOST, port))

          except IOError:

              pass

          else:
@@ -142,7 +143,7 @@ 

                  "-display", "none"]

  

      if diagnose:

-         qemu_cmd += ["-vnc", ":1,to=4095"]

+         qemu_cmd += ["-vnc", DEF_HOST + ":1,to=4095"]

  

      qemu_proc = subprocess.Popen(qemu_cmd, stdout=open(log, 'a'), stderr=subprocess.STDOUT)

  
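Review bot: The VNC server started by the new `qemu_cmd += ["-vnc", DEF_HOST + ":1,to=4095"]` still has no authentication — no `password=on` option or secret object is visible in the command — so binding to the loopback alias only keeps it off the network. Any other local account on a shared test runner can still open the guest console, and the guest root password is the fixed `DEF_PASSWD` from the same file. If the harness may run on multi-user CI hosts, consider enabling VNC password authentication (e.g. QEMU's `password=on` with a per-run secret source), or at least record the limitation on this line: `# Loopback only; VNC has no auth, so other local users on the host can still reach the console.` The enclosing function starts before this hunk.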
@@ -219,9 +220,9 @@ 

              # The variables

              variables = {

                  "ansible_port": "{0}".format(port),

-                 "ansible_host": "127.0.0.3",

-                 "ansible_user": "root",

-                 "ansible_ssh_pass": "foobar",

+                 "ansible_host": DEF_HOST,

+                 "ansible_user": DEF_USER,

+                 "ansible_ssh_pass": DEF_PASSWD,

                  "ansible_ssh_private_key_file": identity,

                  "ansible_ssh_common_args": "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"

              }
@@ -327,8 +328,13 @@ 

  

      if diagnose:

          sys.stderr.write("\n")

-         sys.stderr.write("DIAGNOSE: ssh -p {0} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "

-                          "root@{1} # password: {2}\n".format(port, "127.0.0.3", "foobar"))

+         sys.stderr.write("DIAGNOSE: ssh -p {port} -o StrictHostKeyChecking=no "

+                          "-o UserKnownHostsFile=/dev/null -i {identity} "

+                          "{user}@{host}\n".format(port=port, identity=identity,

+                                                   user=DEF_USER, host=DEF_HOST

+                                                   )

+                          )

+         sys.stderr.write("DIAGNOSE: Passwort is: {}".format(DEF_PASSWD))

          sys.stderr.write("DIAGNOSE: export ANSIBLE_INVENTORY={0}\n".format(inventory))

          sys.stderr.write("DIAGNOSE: kill {0} # when finished\n".format(os.getpid()))

  
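Review bot: The new line `sys.stderr.write("DIAGNOSE: Passwort is: {}".format(DEF_PASSWD))` has no trailing newline, so the following `DIAGNOSE: export ANSIBLE_INVENTORY=...` text is appended to the same output line, and "Passwort" is a typo. Suggest `sys.stderr.write("DIAGNOSE: Password is: {}\n".format(DEF_PASSWD))`. The replaced message kept the password as a shell comment on the ssh line; splitting it out is fine, but the stray formatting makes the diagnostic harder to copy. The enclosing function starts before this hunk.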

This avoids the VNC server being accidentally exposed on the network. If someone needs to connect to it, `vncviewer -via <host>` (which tunnels over SSH) or an SSH local port forward (`-L`) can be used.

@till can we put an example vncviewer command in the diagnose message?
I think it would be really helpful.

CI check failed with:

/home/jenkins/workspace/str_pr_test/inventory/standard-inventory-qcow2:335:50: E124 closing bracket does not match visual indentation

rebased onto bbcaf8f

3 years ago

If the VNC server is display 12 on a host named test-runner that is reachable via ssh, you can use:
vncviewer -via test-runner :12

Or to connect to a certain port: vncviewer -via test-runner ::6530

pretty please pagure-ci rebuild

CI passed.
Looks good.

Commit 7c106f2 fixes this pull-request

Pull-Request has been merged by astepano

3 years ago
