Remove VNC on VMs created by Foreman

Chris2 · June 7, 2021, 5:20am

Problem:
I want to totally remove vnc on the VMs created by foreman ie I do not want them to even start up a listening process on port 59XX on the underlying host.

This is both for new VMs and the best way to remove from the current VMs - ideally without reboot…

Expected outcome:
No vnc listeners on on the KVMs running VMs

Foreman and Proxy versions:
Foreman 1.14

Foreman and Proxy plugin versions:

Distribution and version:
Centos 7.9

Other relevant data:

I have been digging into our Foreman install and I think we’d have to delete the following line
<graphics type='vnc' port='-1' autoport='yes'/>
from /opt/theforeman/tfm/root/usr/share/gems/gems/fog-libvirt-0.2.0/lib/fog/libvirt/requests/compute/mock_files/domain.xml for new VMs.

For current VMs I’m not sure of the best solns as we have ~ 1500 machines, a lot of which are in ‘production’, which has a 24/7 requirement, so we try to avoid reboots if possible.

I’d like to know if there is a better way.

lzap · June 7, 2021, 7:58am

Unfortunately, this is hardcoded in the library Foreman use:

Feel free to file a PR that will add an argument that can be used than in the ERB template. Only then this can be implemented in Foreman.

ekohl · June 7, 2021, 8:24am

This version is very old and has long been unsupported. I’d strongly recommend you to update it.

Mock files are just for testing I think.

Here is the actual code (in today’s version of fog-libvirt) that adds it:

github.com

fog/fog-libvirt/blob/783e7fa7cdf3ba34cf826e81e03848cd17b686c9/lib/fog/libvirt/models/compute/templates/server.xml.erb#L129-L153


<%
display_type = display[:type]
if display[:port].empty?
  display_port = display[:port]
  autoport = 'no'
else
  display_port = '-1'
  autoport = 'yes'
end
unless display[:listen].empty?
  display_listen = "listen='#{display[:listen]}'"
end
unless display[:password].empty?
  display_password = "passwd='#{display[:password]}'"
end
-%>
<% if arch != "s390x" -%>

This file has been truncated. show original

Currently Foreman only allows VNC and spice as consoles, but it would need to allow an empty value too:

github.com

theforeman/foreman/blob/a6f1b86920ec68bf351e8320d26377b8005db6ff/app/models/compute_resources/foreman/model/libvirt.rb#L5


module Foreman::Model
  class Libvirt < ComputeResource
    include ComputeResourceConsoleCommon
    ALLOWED_DISPLAY_TYPES = %w(vnc spice)
    # 'custom' is not implemented. This needs extra UI.
    CPU_MODES = %w(default host-model host-passthrough)
    validates :url, :format => { :with => URI::DEFAULT_PARSER.make_regexp }, :presence => true
    validates :display_type, :inclusion => { :in => ALLOWED_DISPLAY_TYPES }
    def self.available?
      Fog::Compute.providers.include?(:libvirt)
    end

Note that these are the current versions of the code. 1.14 is very old so it may be different.

Chris2 · June 8, 2021, 6:09am

Thanks for the info anyway.
We’ll have to live with 1.14 for now - changing it is on the TBD list, but it’s a major proj for us in terms of being absolutely sure it won’t break anything.
We’ve apparently got a lot of (old) custom interfacing…

lzap · June 8, 2021, 6:10am

You can just edit that erb file on your instance, just keep in mind that every RPM upgrade of libvirt will overwrite it. You better file that patches or you could be stuck overwriting it forever

Chris2 · June 8, 2021, 6:15am

Hey mate,

thanks for the info.
Can you tell me where it is exactly?

I’ve had a look but I’m struggling - I use Foreman but know nothing of the internals.
If it’s in a binary, we’ll just have to skip it.
Otoh, if it’s in a src code lang eg ruby etc, we might(?) be prepared to just hack it in-house - “ugly but it works” kind of thing.

We just keep getting dinged each year by the Qualys scan.
We’ve removed virt-viewer & virt-manager pkgs and Foreman creates VMs with unique random strings for passwds, so it’s pretty secure.

However, if I can prevent the listeners on 59XX from even starting up, the scanner tool won’t flag them and it’ll be a load off

lzap · June 8, 2021, 7:23am

Edit this file and restart Foreman:

# locate server.xml.erb
/opt/theforeman/tfm/root/usr/share/gems/gems/fog-libvirt-0.7.0/lib/fog/libvirt/models/compute/templates/server.xml.erb

Chris2 · June 8, 2021, 11:10pm

Yeah

I’ll try to get an exception again as we did last year.
With what we’ve already done, no-one could actually use that method (afaik).
I was just interested and wanted to offer an option if possible.
There’s another guy who is the foreman guru , so it’d likely be his job