On 10/30/2013 12:39 PM, Thomas Woerner wrote:
Hello John,
On 10/30/2013 12:45 AM, John Call wrote:
Given the popularity of virtualization these days, I'd like to see a SPICE service definition file come "out-of-the-box" with firewalld. Is this something that could be approached at this level, or should the request be directed to the libvirt/qemu team? For example, I think the definition below should be shipped as a predefined/standard service.
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Simple Protocol for Independent Computing Environments (SPICE)</short>
  <description>SPICE is an adaptive remote rendering protocol for virtual environments. The range of allowed ports will allow up to 256 concurrent remote console sessions to running virtual machines.</description>
  <port protocol="tcp" port="5900-6411"/>
</service>
This is really a huge port range. There are lots of ports in this range that are not SPICE specific.
Can you provide a list of ports that are used only for SPICE?
I think the idea is that the spice service for each virtual guest will listen on a different port, starting at port 5900 (which is ":0" for spice or vnc) and increasing by one for each new guest; his range allows for 512 simultaneous guests. But as I pointed out in my reply to his original message, such a range of open ports is unnecessary, and would be unused by libvirt and its consumers, which follow a much more secure and scalable method of providing remote access to multiple guests.
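
Added example (not part of the original thread and not firewalld's own code): a small Python check that parses a firewalld service definition and reports every port element that opens more ports than a threshold, run here on a shortened copy of the definition quoted above. The function names and the max_ports=16 threshold are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: shortened copy of the service definition quoted in the thread.
SPICE_SERVICE_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Simple Protocol for Independent Computing Environments (SPICE)</short>
  <port protocol="tcp" port="5900-6411"/>
</service>
"""


def port_span(spec):
    """Return (first, last) for a port attribute such as '5900' or '5900-6411'."""
    first, _, last = spec.partition("-")
    lo = int(first)
    hi = int(last) if last else lo
    if not (0 < lo <= hi <= 65535):
        raise ValueError(f"invalid port spec: {spec!r}")
    return lo, hi


def audit_service(xml_bytes, max_ports=16):
    """Return (protocol, first, last, width) for each <port> wider than max_ports.

    max_ports is an assumed review threshold, not a firewalld setting.
    """
    root = ET.fromstring(xml_bytes)
    findings = []
    for port in root.iter("port"):
        lo, hi = port_span(port.get("port", ""))
        width = hi - lo + 1
        if width > max_ports:
            findings.append((port.get("protocol"), lo, hi, width))
    return findings


if __name__ == "__main__":
    for proto, lo, hi, width in audit_service(SPICE_SERVICE_XML):
        print(f"{proto} {lo}-{hi}: opens {width} ports")
```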