[RFE] serial console through shellinabox is not multi-tenant and has no token/password protection
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ironic | Confirmed | Wishlist | Unassigned |
Bug Description
Current way to configure console (as described in http://
1. Manual binding of each server to a separate http port is not 'cloud-like' and requires manual port management from the administrator. If we imagine a small installation of 100-200 servers with periodic installation and removal of servers, it is already almost impossible to be sure that the port number is unique for any given new server.
2. http is not secure.
3. There is no means of authorization in the boxinashell instance. Any tenant may scan all open http ports on the ironic-node (by using the IP from their own 'http-console' instance) and connect to consoles of other tenants without any problems.
Proposal:
1. boxinashell should bind to localhost or to a socket.
2. vnc server should be used to translate output of boxinashell to vnc format.
3. nova-novncproxy should be used to support multitenant connection with tokens and/or SSL.
As for the first point, please see the spec https://review.openstack.org/249876, the 2 and 3 points seem like feature requests to me too, so I added the rfe tag to this.
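A host-side check for problems 1 and 3 of the report, as an added example that is not part of the original bug report or of Ironic's code: it flags `shellinaboxd` listeners bound to non-loopback addresses and console ports assigned to more than one node. The `ss -ltnp` sample, the node-to-port mapping and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `ss -ltnp` output from a conductor host (not real data).
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:8023 0.0.0.0:* users:(("shellinaboxd",pid=2101,fd=4))
LISTEN 0 128 127.0.0.1:8024 0.0.0.0:* users:(("shellinaboxd",pid=2102,fd=4))
LISTEN 0 128 [::]:8025 [::]:* users:(("shellinaboxd",pid=2103,fd=4))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))
"""

# Constructed node -> console port assignments, as an admin might track them.
SAMPLE_PORTS = {"node-a": 8023, "node-b": 8024, "node-c": 8025, "node-d": 8023}


def is_loopback(host):
    """True only for addresses reachable solely from the local host."""
    host = host.strip("[]").split("%")[0]   # drop IPv6 brackets and zone id
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                      # '*' or a hostname: treat as exposed
        return False


def exposed_consoles(ss_output, process="shellinaboxd"):
    """Return sorted ports where `process` listens on a non-loopback address."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN" or f'"{process}"' not in line:
            continue
        host, _, port = fields[3].rpartition(":")
        if not is_loopback(host):
            ports.add(int(port))
    return sorted(ports)


def port_collisions(assignments):
    """Return {port: [nodes]} for every port assigned to more than one node."""
    by_port = defaultdict(list)
    for node, port in sorted(assignments.items()):
        by_port[port].append(node)
    return {p: nodes for p, nodes in by_port.items() if len(nodes) > 1}


if __name__ == "__main__":
    print("exposed console ports:", exposed_consoles(SAMPLE_SS))
    print("colliding assignments:", port_collisions(SAMPLE_PORTS))
```

Wildcard binds (`0.0.0.0`, `[::]`, `*`) count as exposed because they accept connections on every interface, including the one tenants can reach.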