I want to totally remove vnc on the VMs created by foreman ie I do not want them to even start up a listening process on port 59XX on the underlying host.
This is both for new VMs and the best way to remove from the current VMs - ideally without reboot…
No vnc listeners on the KVMs running VMs
Foreman and Proxy versions:
Foreman and Proxy plugin versions:
Distribution and version:
Other relevant data:
I have been digging into our Foreman install and I think we’d have to delete the following line <graphics type='vnc' port='-1' autoport='yes'/>
from /opt/theforeman/tfm/root/usr/share/gems/gems/fog-libvirt-0.2.0/lib/fog/libvirt/requests/compute/mock_files/domain.xml for new VMs.
For current VMs I’m not sure of the best solns as we have ~ 1500 machines, a lot of which are in ‘production’, which has a 24/7 requirement, so we try to avoid reboots if possible.
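A small audit helper for the `<graphics type='vnc' port='-1' autoport='yes'/>` element discussed above, added here as an example and not part of the original post or of Foreman or fog-libvirt. It takes libvirt domain XML (the sample below is constructed; in practice it would be the output of `virsh dumpxml NAME` on a KVM host), reports which definitions would make libvirt start a VNC server when the domain boots, and produces a copy of the definition with the VNC device removed. The listen address defaults in the report are only what the XML itself says; host-level defaults from qemu.conf are not consulted.

```python
"""Audit libvirt domain XML for VNC <graphics> devices and strip them.

Added example, not the poster's or Foreman's code.  SAMPLE_DOMAIN_XML is a
constructed domain definition that mirrors the element quoted in the thread.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a KVM domain that would start a VNC listener on an
# autoport-chosen 59xx port, bound to all host interfaces.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>example-vm</name>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0'/>
    <video><model type='cirrus'/></video>
  </devices>
</domain>"""


def find_vnc_graphics(domain_xml):
    """Return one dict per VNC <graphics> element under <devices>.

    'listen' is taken from the attribute or a <listen address=...> child;
    None means the XML does not say (libvirt/qemu.conf defaults apply).
    """
    root = ET.fromstring(domain_xml)
    found = []
    for g in root.findall("./devices/graphics"):
        if g.get("type") != "vnc":
            continue
        listen = g.get("listen")
        if listen is None:
            child = g.find("listen")
            if child is not None:
                listen = child.get("address")
        found.append({
            "port": g.get("port"),          # '-1' means "let libvirt pick"
            "autoport": g.get("autoport"),  # 'yes' => a 5900+ port at boot
            "listen": listen,
        })
    return found


def strip_vnc_graphics(domain_xml):
    """Return (new_xml, removed_count) with every VNC <graphics> removed.

    The resulting definition can be fed to `virsh define`; it takes effect
    the next time the domain is started, not on the running instance.
    """
    root = ET.fromstring(domain_xml)
    devices = root.find("devices")
    removed = 0
    if devices is not None:
        for g in list(devices.findall("graphics")):
            if g.get("type") == "vnc":
                devices.remove(g)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    # Usage: virsh dumpxml NAME | python3 vnc_audit.py
    xml_in = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DOMAIN_XML
    for hit in find_vnc_graphics(xml_in):
        print("VNC graphics device:", hit)
    cleaned, n = strip_vnc_graphics(xml_in)
    print(f"removed {n} VNC device(s); cleaned definition follows:")
    print(cleaned)
```

Running it with no stdin uses the constructed sample and reports one VNC device with `port='-1'`, `autoport='yes'`, `listen='0.0.0.0'`; the cleaned XML has no `<graphics>` element. On a host, comparing the report with `ss -ltnp | grep ':59'` shows whether the listeners the scanner flags come from domain definitions that still carry the element.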
Thanks for the info anyway.
We’ll have to live with 1.14 for now - changing it is on the TBD list, but it’s a major proj for us in terms of being absolutely sure it won’t break anything.
We’ve apparently got a lot of (old) custom interfacing…
Thanks for the info.
Can you tell me where it is exactly?
I’ve had a look but I’m struggling - I use Foreman but know nothing of the internals.
If it’s in a binary, we’ll just have to skip it.
Otoh, if it’s in a src code lang eg ruby etc, we might(?) be prepared to just hack it in-house - “ugly but it works” kind of thing.
We just keep getting dinged each year by the Qualys scan.
We’ve removed virt-viewer & virt-manager pkgs and Foreman creates VMs with unique random strings for passwds, so it’s pretty secure.
However, if I can prevent the listeners on 59XX from even starting up, the scanner tool won’t flag them and it’ll be a load off.
I’ll try to get an exception again as we did last year.
With what we’ve already done, no-one could actually use that method (afaik).
I was just interested and wanted to offer an option if possible.
There’s another guy who is the foreman guru, so it’d likely be his job.