Unhardcode vncserver_listen option for mitaka/newton
We currently bind VNC for instances on all IPs, which has a
negative security impact: a user who has access to any of the IPs
of the compute host can brute-force VNC ports and connect to
running consoles.
This patch allows binding VNC to a specific IP by setting the
nova:compute:bind:vnc_address option.
Change-Id: I9a5cda9e3fe17391e1caf0e51a950e7e56959aa1
Related-Prod: PROD-19011
diff --git a/nova/files/mitaka/nova-compute.conf.Debian b/nova/files/mitaka/nova-compute.conf.Debian
index 11f89c7..a3a8f14 100644
--- a/nova/files/mitaka/nova-compute.conf.Debian
+++ b/nova/files/mitaka/nova-compute.conf.Debian
@@ -110,7 +110,11 @@
enabled = true
novncproxy_base_url={{ compute.vncproxy_url }}/vnc_auto.html
novncproxy_port={{ compute.bind.vnc_port }}
+{%- if compute.bind.vnc_address is defined %}
+vncserver_listen={{ compute.bind.vnc_address }}
+{%- else %}
vncserver_listen=0.0.0.0
+{%- endif %}
vncserver_proxyclient_address={{ compute.bind.vnc_address }}
keymap = {{ compute.get('vnc_keymap', 'en-us') }}
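Review bot: The added `{%- if compute.bind.vnc_address is defined %}` test is also true when the pillar key exists but is empty or null, and the template would then render a `vncserver_listen=` line with no usable address. A truthiness guard such as `{%- if compute.get('bind', {}).get('vnc_address') %}`, the form the newton template used before this change, avoids that; the same `is defined` test appears in the newton hunk. The else branch still renders `vncserver_listen=0.0.0.0`, so every host whose pillar lacks `vnc_address` keeps the all-interfaces exposure the commit message describes. That remaining default deserves a template comment or a README note telling operators to set `nova:compute:bind:vnc_address`.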
diff --git a/nova/files/newton/nova-compute.conf.Debian b/nova/files/newton/nova-compute.conf.Debian
index 1c0fce9..0d63bae 100644
--- a/nova/files/newton/nova-compute.conf.Debian
+++ b/nova/files/newton/nova-compute.conf.Debian
@@ -159,9 +159,13 @@
{%- if compute.get('bind', {}).get('vnc_port') %}
novncproxy_port={{ compute.bind.vnc_port }}
{%- endif %}
-vncserver_listen=0.0.0.0
-{%- if compute.get('bind', {}).get('vnc_address') %}
+{%- if compute.bind is defined %}
+{%- if compute.bind.vnc_address is defined %}
+vncserver_listen={{ compute.bind.vnc_address }}
vncserver_proxyclient_address={{ compute.bind.vnc_address }}
+{%- else %}
+vncserver_listen=0.0.0.0
+{%- endif %}
{%- endif %}
keymap = {{ compute.get('vnc_keymap', 'en-us') }}
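Review bot: When `compute.bind` is not defined, the new outer `{%- if compute.bind is defined %}` emits no `vncserver_listen` line at all, whereas the old template always wrote `vncserver_listen=0.0.0.0`. Nova then falls back to its built-in default, which as far as I know is the loopback address in this release. That is the safer outcome, but it silently changes behaviour and may break proxied console access on hosts that relied on the old value. If the change is intended, state it in the commit message; otherwise give the outer `if` its own `{%- else %}` branch that renders the fallback explicitly.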