Comment 0 for bug 1660351

George Shuklin (george-shuklin) wrote : serial console through shellinabox is not multi-tenant and has no token/password protection

The current way to configure the console (as described in http://docs.openstack.org/developer/ironic/deploy/console.html) is deeply flawed. It creates an http link to a shellinabox instance. Each server receives its own port, which is specified in the ironic node property (driver_info/ipmi_terminal_port).

1. Manual binding of each server to a separate http port is not 'cloud-like' and requires manual port management by the administrator. If we imagine a small installation of 100-200 servers with periodic installation and removal of servers, it is already almost impossible to be sure that the port number is unique for any given new server.
2. http is not secure.
3. There are no means of authorization in the shellinabox instance. Any tenant may scan all opened http ports on the ironic node (by using the IP from their own 'http-console' instance) and connect to the consoles of other tenants without any problems.

Proposal:

1. shellinabox should bind to localhost or to a socket.
2. A vnc server should be used to translate the output of shellinabox into vnc format.
3. nova-novncproxy should be used to support multi-tenant connections with tokens and/or SSL.
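An operator-side audit for the two concrete problems in the report (per-node port uniqueness under driver_info/ipmi_terminal_port, and a console link that is plaintext http and reachable beyond loopback), written as an added example that is not part of the bug report and not ironic's own code. The node records and their UUIDs, ports and console URLs are constructed sample data in the shape of what `ironic node-show` exposes; the helper names are hypothetical.

```python
"""Audit ironic node driver_info for shellinabox console port collisions
and flag console URLs that are plaintext or bound beyond loopback.

Hypothetical helpers; the node list below is constructed sample data.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample (hypothetical UUIDs and ports), not real node data.
SAMPLE_NODES = [
    {"uuid": "node-a", "driver_info": {"ipmi_terminal_port": 10001}},
    {"uuid": "node-b", "driver_info": {"ipmi_terminal_port": "10002"}},
    {"uuid": "node-c", "driver_info": {"ipmi_terminal_port": 10001}},  # collides with node-a
    {"uuid": "node-d", "driver_info": {}},                              # console never configured
    {"uuid": "node-e", "driver_info": {"ipmi_terminal_port": "oops"}},  # malformed value
]


def audit_console_ports(nodes):
    """Return {"duplicates": {port: [uuids]}, "missing": [uuids], "invalid": [uuids]}.

    Two nodes sharing a port means the second shellinabox cannot bind, or a
    tenant reaching that port lands on the wrong server's console.
    """
    by_port = defaultdict(list)
    missing, invalid = [], []
    for node in nodes:
        raw = node.get("driver_info", {}).get("ipmi_terminal_port")
        if raw is None:
            missing.append(node["uuid"])
            continue
        try:
            port = int(raw)
        except (TypeError, ValueError):
            invalid.append(node["uuid"])
            continue
        if not 1 <= port <= 65535:
            invalid.append(node["uuid"])
            continue
        by_port[port].append(node["uuid"])
    duplicates = {p: u for p, u in by_port.items() if len(u) > 1}
    return {"duplicates": duplicates, "missing": missing, "invalid": invalid}


def next_free_port(nodes, start=10000, end=20000):
    """Lowest port in [start, end) not claimed by any node, or None if exhausted.

    Replaces the manual 'pick an unused number' step the report objects to.
    """
    used = set()
    for node in nodes:
        try:
            used.add(int(node.get("driver_info", {}).get("ipmi_terminal_port")))
        except (TypeError, ValueError):
            pass  # missing or malformed ports do not reserve anything
    for port in range(start, end):
        if port not in used:
            return port
    return None


LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def console_url_findings(url):
    """List the weaknesses of a console URL: plaintext scheme, non-loopback bind."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme == "http":
        findings.append("plaintext http")
    if (parts.hostname or "") not in LOOPBACK_HOSTS:
        findings.append("reachable beyond loopback")
    return findings


if __name__ == "__main__":
    print(audit_console_ports(SAMPLE_NODES))
    print("next free port:", next_free_port(SAMPLE_NODES))
    print(console_url_findings("http://10.0.0.5:10001"))   # constructed URL
```

Run it against the real node list by replacing SAMPLE_NODES with the driver_info fields pulled from the ironic API; a clean result is an empty duplicates map and a console URL with no findings, which is what the proposal (loopback bind plus a token-checking proxy in front) would produce.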