Unhardcode vncserver_listen option
At the moment we bind VNC for instances on all IPs, which has a negative security
impact: when a user has access to any of the IPs of the compute host, they can
brute-force VNC ports and connect to running
consoles.
This patch allows to bind VNC to specific IP by setting
nova:compute:bind:vnc_address option.
Related-Prod: PROD-19011
Change-Id: I67dc4e78ef4830d118ac0db579bd8e6897faeef6
diff --git a/nova/files/ocata/nova-compute.conf.Debian b/nova/files/ocata/nova-compute.conf.Debian
index 8e8b3de..d7854af 100644
--- a/nova/files/ocata/nova-compute.conf.Debian
+++ b/nova/files/ocata/nova-compute.conf.Debian
@@ -9929,9 +9929,13 @@
{%- if compute.bind is defined and compute.bind.vnc_port is defined %}
novncproxy_port={{ compute.bind.vnc_port }}
{%- endif %}
-vncserver_listen=0.0.0.0
-{%- if compute.bind is defined and compute.bind.vnc_address is defined %}
+{%- if compute.bind is defined %}
+{%- if compute.bind.vnc_address is defined %}
+vncserver_listen={{ compute.bind.vnc_address }}
vncserver_proxyclient_address={{ compute.bind.vnc_address }}
+{%- else %}
+vncserver_listen=0.0.0.0
+{%- endif %}
{%- endif %}
keymap = {{ compute.get('vnc_keymap', 'en-us') }}
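Review bot: The fallback `vncserver_listen=0.0.0.0` on the `{%- else %}` branch is only reached when `compute.bind` is defined but `vnc_address` is not, because the outer `{%- if compute.bind is defined %}` wraps the whole block; when `compute.bind` is absent from the pillar the option is no longer rendered at all, whereas the removed line emitted it unconditionally, so such deployments presumably fall back to nova's compiled-in default for that setting. Collapsing the two conditionals restores the previous behaviour for that case: replace the two `if` lines with `{%- if compute.bind is defined and compute.bind.vnc_address is defined %}`, keep the `{%- else %}` / `vncserver_listen=0.0.0.0` branch, and drop the now-redundant trailing `{%- endif %}`. The pike hunk below has the identical structure and needs the same change. Since the wildcard bind remains the default whenever `vnc_address` is unset, a comment above the block such as `# vnc_address restricts the VNC listener to one address; without it the server still binds 0.0.0.0` would make the opt-in nature of the hardening visible to operators.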
diff --git a/nova/files/pike/nova-compute.conf.Debian b/nova/files/pike/nova-compute.conf.Debian
index 8e8b3de..d7854af 100644
--- a/nova/files/pike/nova-compute.conf.Debian
+++ b/nova/files/pike/nova-compute.conf.Debian
@@ -9929,9 +9929,13 @@
{%- if compute.bind is defined and compute.bind.vnc_port is defined %}
novncproxy_port={{ compute.bind.vnc_port }}
{%- endif %}
-vncserver_listen=0.0.0.0
-{%- if compute.bind is defined and compute.bind.vnc_address is defined %}
+{%- if compute.bind is defined %}
+{%- if compute.bind.vnc_address is defined %}
+vncserver_listen={{ compute.bind.vnc_address }}
vncserver_proxyclient_address={{ compute.bind.vnc_address }}
+{%- else %}
+vncserver_listen=0.0.0.0
+{%- endif %}
{%- endif %}
keymap = {{ compute.get('vnc_keymap', 'en-us') }}