[ovirt-devel] Allow access to Cockpit by default after adding a host? Or make it configurable in Engine?

Fabian Deutsch fdeutsch at redhat.com
Fri Mar 4 13:32:01 UTC 2016


On Fri, Mar 4, 2016 at 1:26 PM, Sandro Bonazzola <sbonazzo at redhat.com> wrote:
>
>
> On Fri, Mar 4, 2016 at 1:02 PM, Fabian Deutsch <fdeutsch at redhat.com> wrote:
>>
>> Btw. This question is now asked for Node, but it also affects other
>> hosts which are running Cockpit.
>>
>
> You can add a line with the cockpit firewall port to the sql script which
> defines the ports to be opened in ovirt-engine.

Yep.
My main question was just if we want to open it by default or not.

But Oved's suggestion is good. We already have the checkbox to ask
whether engine/vdsm should manage the firewall.
If yes, the cockpit should also be opened.

- fabian

>
>
>>
>> - fabian
>>
>> On Fri, Mar 4, 2016 at 1:01 PM, Fabian Deutsch <fdeutsch at redhat.com>
>> wrote:
>> > Hey,
>> >
>> > Node Next will ship Cockpit by default.
>> >
>> > When the host is getting installed, Cockpit can be reached by default
>> > over its port 9090/tcp.
>> >
>> > But after the host was added to Engine, Engine/vdsm is setting up its
>> > own iptables rules which then prevent further access to Cockpit.
>> >
>> > How do we want users to control the access to Cockpit? So where shall
>> > users be able to open or close the Cockpit firewall port?
>> >
>> > Initially I thought that we can open up the cockpit port by default,
>> > but this might be a security issue.
>> > (Brute force attacks to crack user passwords through the web interface).
>> >
>> > - fabian
>>
>>
>>
>> --
>> Fabian Deutsch <fdeutsch at redhat.com>
>> RHEV Hypervisor
>> Red Hat
>> _______________________________________________
>> Devel mailing list
>> Devel at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/devel
>
>
>
>
> --
> Sandro Bonazzola
> Better technology. Faster innovation. Powered by community collaboration.
> See how it works at redhat.com



-- 
Fabian Deutsch <fdeutsch at redhat.com>
RHEV Hypervisor
Red Hat


