Problem:
I want to totally remove VNC on the VMs created by Foreman, i.e. I do not want them to even start up a listening process on port 59XX on the underlying host.
This is both for new VMs and the best way to remove from the current VMs - ideally without reboot…
Expected outcome:
No VNC listeners on the KVM hosts running VMs
Foreman and Proxy versions:
Foreman 1.14
Foreman and Proxy plugin versions:
Distribution and version:
Centos 7.9
Other relevant data:
I have been digging into our Foreman install and I think we’d have to delete the following line <graphics type='vnc' port='-1' autoport='yes'/>
from /opt/theforeman/tfm/root/usr/share/gems/gems/fog-libvirt-0.2.0/lib/fog/libvirt/requests/compute/mock_files/domain.xml for new VMs.
For current VMs I’m not sure of the best solns as we have ~ 1500 machines, a lot of which are in ‘production’, which has a 24/7 requirement, so we try to avoid reboots if possible.
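An audit helper for the two checks in this post (an added example, not from the thread and not Foreman or fog-libvirt code): it reports and strips `<graphics type='vnc'>` from a domain XML (for instance the output of `virsh dumpxml`, or the template above) and lists listeners in the 5900-5999 range from `ss -ltn` output. The sample XML and the `ss` output are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the fog-libvirt domain.xml template
# (hypothetical values; not a dump from a real host).
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>vm-example</name>
  <devices>
    <graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0'/>
    <video><model type='cirrus'/></video>
  </devices>
</domain>"""

# Constructed `ss -ltn` output (hypothetical) for the listener check.
SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      1      127.0.0.1:5900     0.0.0.0:*
LISTEN 0      1      0.0.0.0:5901       0.0.0.0:*
"""

def vnc_graphics(domain_xml):
    """Attributes of every <graphics type='vnc'> element in a domain XML."""
    root = ET.fromstring(domain_xml)
    return [dict(g.attrib) for g in root.iter("graphics") if g.get("type") == "vnc"]

def strip_vnc_graphics(domain_xml):
    """Remove VNC <graphics> elements; return (cleaned_xml, removed_count)."""
    root = ET.fromstring(domain_xml)
    # Collect parent/child pairs first so removal does not disturb iteration.
    doomed = [(p, c) for p in root.iter() for c in p
              if c.tag == "graphics" and c.get("type") == "vnc"]
    for parent, child in doomed:
        parent.remove(child)
    return ET.tostring(root, encoding="unicode"), len(doomed)

def vnc_listeners(ss_output):
    """Sorted TCP ports in the 5900-5999 VNC range found in `ss -ltn` text."""
    ports = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[1])  # works for IPv4, [::] and *
        if 5900 <= port <= 5999:
            ports.append(port)
    return sorted(ports)

if __name__ == "__main__":
    print("vnc graphics:", vnc_graphics(SAMPLE_DOMAIN_XML))
    cleaned, n = strip_vnc_graphics(SAMPLE_DOMAIN_XML)
    print(f"removed {n}; cleaned XML for `virsh define`:\n{cleaned}")
    print("VNC-range listeners:", vnc_listeners(SAMPLE_SS_OUTPUT))
```

Feeding the cleaned XML to `virsh define` only changes the persistent definition; libvirt applies it at the next start of that domain, so an already running guest keeps its listener until then.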
Thanks for the info anyway.
We’ll have to live with 1.14 for now - changing it is on the TBD list, but it’s a major proj for us in terms of being absolutely sure it won’t break anything.
We’ve apparently got a lot of (old) custom interfacing…
You can just edit that erb file on your instance, just keep in mind that every RPM upgrade of libvirt will overwrite it. You'd better file those patches, or you could be stuck overwriting it forever.
thanks for the info.
Can you tell me where it is exactly?
I’ve had a look but I’m struggling - I use Foreman but know nothing of the internals.
If it’s in a binary, we’ll just have to skip it.
Otoh, if it’s in a src code lang, e.g. ruby etc., we might(?) be prepared to just hack it in-house - “ugly but it works” kind of thing.
We just keep getting dinged each year by the Qualys scan.
We’ve removed virt-viewer & virt-manager pkgs and Foreman creates VMs with unique random strings for passwds, so it’s pretty secure.
However, if I can prevent the listeners on 59XX from even starting up, the scanner tool won’t flag them and it’ll be a load off.
I’ll try to get an exception again as we did last year.
With what we’ve already done, no-one could actually use that method (afaik).
I was just interested and wanted to offer an option if possible.
There’s another guy who is the Foreman guru, so it’d likely be his job.