On Fri, Mar 4, 2016 at 1:26 PM, Sandro Bonazzola <sbonazzo(a)redhat.com> wrote:
On Fri, Mar 4, 2016 at 1:02 PM, Fabian Deutsch <fdeutsch(a)redhat.com> wrote:
>
> Btw. This question is now asked for Node, but it also affects other
> hosts which are running Cockpit.
>
You can add a line with the cockpit firewall port to the sql script which
defines the ports to be opened in ovirt-engine.
Yep.
My main question was just if we want to open it by default or not.
But Oved's suggestion is good. We already have the checkbox to ask
whether engine/vdsm should manage the firewall.
If yes, the cockpit should also be opened.
- fabian
>
> - fabian
>
> On Fri, Mar 4, 2016 at 1:01 PM, Fabian Deutsch <fdeutsch(a)redhat.com>
> wrote:
> > Hey,
> >
> > Node Next will ship Cockpit by default.
> >
> > When the host is getting installed, Cockpit can be reached by default
> > over its port 9090/tcp.
> >
> > But after the host was added to Engine, Engine/vdsm is setting up its
> > own iptables rules which then prevent further access to Cockpit.
> >
> > How do we want users to control the access to Cockpit? So where shall
> > users be able to open or close the Cockpit firewall port?
> >
> > Initially I thought that we can open up the cockpit port by default,
> > but this might be a security issue.
> > (Brute force attacks to crack user passwords through the web interface).
> >
> > - fabian
>
>
>
> --
> Fabian Deutsch <fdeutsch(a)redhat.com>
> RHEV Hypervisor
> Red Hat
--
Sandro Bonazzola
--
Fabian Deutsch <fdeutsch(a)redhat.com>
RHEV Hypervisor
Red Hat