----- Original Message -----
From: "Ewoud Kohl van Wijngaarden" <ewoud+ovirt(a)kohlvanwijngaarden.nl>
To: engine-devel(a)ovirt.org
Sent: Tuesday, July 31, 2012 1:00:43 PM
Subject: Re: [Engine-devel] Adding VNC support
On Tue, Jul 31, 2012 at 10:09:26AM +0100, Daniel P. Berrange wrote:
> On Tue, Jul 31, 2012 at 09:18:50AM +0300, Itamar Heim wrote:
> > On 07/26/2012 05:36 PM, snmishra(a)linux.vnet.ibm.com wrote:
> > 5.2 novnc websocket server - I see three options
> >
> > 5.2.1 extend qemu to do this, so novnc can connect to it directly
> > like we do today for vnc/spice
>
> I don't think this is a desirable approach. One of the nice benefits
> you gain from using a websocket proxy is that you only need to have
> one single TCP port exposed to the internet now. If you put websockets
> in QEMU itself, you'd be stuck with having to open your firewall to
> allow 100's of ports. With a separate web proxy, you can even make
> each QEMU server now use a local UNIX socket for their VNC server,
> since only the proxy needs to be able to connect. This means that
> the VNC server would no longer be exposed to random local user
> access too.
Another benefit of a proxy is that you can run it in a DMZ and not have
to expose all your virtualization hosts to the internet.
But this way you do expose them :)
Alon.
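
The single-port layout discussed in this thread, as an added example that is not part of the original messages or of oVirt, QEMU or noVNC code: one listener routes each client to a per-VM UNIX socket chosen by a token looked up in a map. A newline-terminated token over plain TCP stands in for the WebSocket handshake, and the names `read_token`, `pump`, `handle_client` and `MAX_TOKEN_LEN` are hypothetical.

```python
import socket
import threading

MAX_TOKEN_LEN = 64  # assumed bound on bytes buffered while waiting for the token


def read_token(conn):
    """Read the newline-terminated token; return (token, leftover) or (None, b'')."""
    buf = b""
    while b"\n" not in buf:
        chunk = conn.recv(256)
        if not chunk or len(buf) > MAX_TOKEN_LEN:
            return None, b""  # peer closed, or no newline within the bound
        buf += chunk
    line, rest = buf.split(b"\n", 1)
    return line.decode("ascii", "replace"), rest


def pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(conn, token_map):
    """Relay one client to the UNIX socket its token maps to; return that path or None."""
    with conn:
        token, rest = read_token(conn)
        # The token is only a dictionary key, never part of a filesystem path.
        path = token_map.get(token) if token else None
        if path is None:
            return None  # unknown token: close without touching any backend
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as backend:
            backend.connect(path)
            backend.sendall(rest)
            back = threading.Thread(target=pump, args=(backend, conn), daemon=True)
            back.start()
            pump(conn, backend)
            back.join()
        return path
```

Only the proxy's TCP port has to be reachable; the VNC sockets stay on the filesystem, where file permissions limit which local users can connect.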