Remove VNC on VMs created by Foreman

I want to totally remove vnc on the VMs created by foreman ie I do not want them to even start up a listening process on port 59XX on the underlying host.

This is both for new VMs and the best way to remove from the current VMs - ideally without reboot…

Expected outcome:
No vnc listeners on the KVMs running VMs

Foreman and Proxy versions:
Foreman 1.14

Foreman and Proxy plugin versions:

Distribution and version:
Centos 7.9

Other relevant data:

I have been digging into our Foreman install and I think we’d have to delete the following line
<graphics type='vnc' port='-1' autoport='yes'/>
from /opt/theforeman/tfm/root/usr/share/gems/gems/fog-libvirt-0.2.0/lib/fog/libvirt/requests/compute/mock_files/domain.xml for new VMs.

For current VMs I’m not sure of the best solns as we have ~ 1500 machines, a lot of which are in ‘production’, which has a 24/7 requirement, so we try to avoid reboots if possible.

I’d like to know if there is a better way.

Unfortunately, this is hardcoded in the library Foreman uses:

Feel free to file a PR that will add an argument that can then be used in the ERB template. Only then can this be implemented in Foreman.

This version is very old and has long been unsupported. I’d strongly recommend you to update it.

Mock files are just for testing I think.

Here is the actual code (in today’s version of fog-libvirt) that adds it:

Currently Foreman only allows VNC and spice as consoles, but it would need to allow an empty value too:

Note that these are the current versions of the code. 1.14 is very old so it may be different.

Thanks for the info anyway.
We’ll have to live with 1.14 for now - changing it is on the TBD list, but it’s a major proj for us in terms of being absolutely sure it won’t break anything.
We’ve apparently got a lot of (old) custom interfacing…

You can just edit that erb file on your instance, just keep in mind that every RPM upgrade of libvirt will overwrite it. You'd better file those patches or you could be stuck overwriting it forever :slight_smile:

Hey mate,

thanks for the info.
Can you tell me where it is exactly?

I’ve had a look but I’m struggling - I use Foreman but know nothing of the internals.
If it’s in a binary, we’ll just have to skip it.
Otoh, if it’s in a src code lang eg ruby etc, we might(?) be prepared to just hack it in-house - “ugly but it works” kind of thing.

We just keep getting dinged each year by the Qualys scan.
We’ve removed virt-viewer & virt-manager pkgs and Foreman creates VMs with unique random strings for passwds, so it’s pretty secure.

However, if I can prevent the listeners on 59XX from even starting up, the scanner tool won’t flag them and it’ll be a load off :wink:
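An audit helper for both halves of the problem raised in this thread, added here as an example and not code from the thread or from Foreman/fog-libvirt: it finds the `<graphics type='vnc'/>` element in a domain definition (as produced by `virsh dumpxml`, or by the ERB template for new VMs), strips it the way the thread proposes for the template, and parses `ss -ltn` output for the 59XX listeners the scanner flags. The domain XML and `ss` output below are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a libvirt domain definition of the kind fog-libvirt
# generates, containing the <graphics type='vnc' .../> line the thread wants gone.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>web01</name>
  <devices>
    <graphics type='vnc' port='-1' autoport='yes'/>
    <video><model type='cirrus'/></video>
  </devices>
</domain>"""

# Constructed sample of `ss -ltn` output on a KVM host; 5900/5901 are the
# auto-assigned VNC ports libvirt opens for running guests.
SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      1          127.0.0.1:5900      0.0.0.0:*
LISTEN 0      1            0.0.0.0:5901      0.0.0.0:*
"""

def vnc_graphics(domain_xml: str) -> list:
    """Return the attributes of every VNC <graphics> element in a definition."""
    root = ET.fromstring(domain_xml)
    return [g.attrib for g in root.iter("graphics") if g.get("type") == "vnc"]

def strip_vnc_graphics(domain_xml: str) -> str:
    """Return the definition with VNC <graphics> removed (the same edit the
    thread proposes for the template). Caveat: feeding the result to
    `virsh define` only changes the persistent definition; a running guest
    keeps its VNC listener until it is next stopped and started."""
    root = ET.fromstring(domain_xml)
    for parent in list(root.iter()):          # materialise first, then mutate
        for g in [c for c in parent if c.tag == "graphics" and c.get("type") == "vnc"]:
            parent.remove(g)
    return ET.tostring(root, encoding="unicode")

# LISTEN <recv-q> <send-q> <addr>:<59xx-port> ...
VNC_PORT_RE = re.compile(r"LISTEN\s+\S+\s+\S+\s+(\S+):(59\d\d)\s")

def vnc_listeners(ss_output: str) -> list:
    """Parse `ss -ltn` output; return (address, port) for each 59xx listener,
    i.e. what the vulnerability scanner in the thread is flagging."""
    return [(m.group(1), int(m.group(2))) for m in VNC_PORT_RE.finditer(ss_output)]

if __name__ == "__main__":
    print("vnc graphics in definition:", vnc_graphics(SAMPLE_DOMAIN_XML))
    print("vnc listeners on host:", vnc_listeners(SAMPLE_SS_OUTPUT))
```

Run `vnc_graphics` over `virsh dumpxml <domain>` for each guest and `vnc_listeners` over `ss -ltn` on each host to see which of the ~1500 machines still carry the device versus which actually have a listener up.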

Edit this file and restart Foreman:

# locate server.xml.erb

Yeah :wink:

I’ll try to get an exception again as we did last year.
With what we’ve already done, no-one could actually use that method (afaik).
I was just interested and wanted to offer an option if possible.
There’s another guy who is the Foreman guru, so it’d likely be his job :slight_smile: