Given the popularity of virtualization these days, I'd like to see a SPICE service definition file come "out-of-the-box" with firewalld. Is this something that could be approached at this level, or should the request be directed to the libvirt/qemu team? For example, I think the definition below should be shipped as a predefined/standard service.
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Simple Protocol for Independent Computing Environments (SPICE)</short>
  <description>SPICE is an adaptive remote rendering protocol for virtual environments. The range of allowed ports will allow up to 256 concurrent remote console sessions to running virtual machines.</description>
  <port protocol="tcp" port="5900-6411"/>
</service>
Thanks for your consideration, John
Hello John,
On 10/30/2013 12:45 AM, John Call wrote:
Given the popularity of virtualization these days, I'd like to see a SPICE service definition file come "out-of-the-box" with firewalld. Is this something that could be approached at this level, or should the request be directed to the libvirt/qemu team? For example, I think the definition below should be shipped as a predefined/standard service.
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Simple Protocol for Independent Computing Environments (SPICE)</short>
  <description>SPICE is an adaptive remote rendering protocol for virtual environments. The range of allowed ports will allow up to 256 concurrent remote console sessions to running virtual machines.</description>
  <port protocol="tcp" port="5900-6411"/>
This is really a huge port range. There are lots of ports in this range that are not SPICE specific.
Can you provide a list of ports that are used only for SPICE?
</service>
Thanks for your consideration, John
firewalld-users mailing list firewalld-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
Regards, Thomas
On 10/30/2013 12:39 PM, Thomas Woerner wrote:
Hello John,
On 10/30/2013 12:45 AM, John Call wrote:
Given the popularity of virtualization these days, I'd like to see a SPICE service definition file come "out-of-the-box" with firewalld. Is this something that could be approached at this level, or should the request be directed to the libvirt/qemu team? For example, I think the definition below should be shipped as a predefined/standard service.
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Simple Protocol for Independent Computing Environments (SPICE)</short>
  <description>SPICE is an adaptive remote rendering protocol for virtual environments. The range of allowed ports will allow up to 256 concurrent remote console sessions to running virtual machines.</description>
  <port protocol="tcp" port="5900-6411"/>
This is really a huge port range. There are lots of ports in this range that are not SPICE specific.
Can you provide a list of ports that are used only for SPICE?
I think the idea is that the spice service for each virtual guest will listen on a different port, starting at port 5900 (which is ":0" for spice or vnc) and increasing by one for each new guest; his range allows for 512 simultaneous guests. But as I pointed out in my reply to his original message, such a range of open ports is unnecessary, and would be unused by libvirt and its consumers, which follow a much more secure and scalable method of providing remote access to multiple guests.
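As an added example for this thread (not code from firewalld, libvirt, or any of the posters), the script below parses the proposed service definition exactly as John posted it, counts how many ports each `<port>` element actually opens, maps the range back to SPICE/VNC display numbers using the "5900 is display :0" convention Laine describes, and flags ranges wider than a review threshold. The threshold value and all function names are my own assumptions, not firewalld settings.

```python
"""Audit a firewalld service definition for over-broad port ranges.

Added example for this thread; not part of firewalld or of the proposal.
"""
import xml.etree.ElementTree as ET

# The proposed service definition, copied verbatim from the thread.
SPICE_SERVICE_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Simple Protocol for Independent Computing Environments (SPICE)</short>
  <description>SPICE is an adaptive remote rendering protocol for virtual environments. The range of allowed ports will allow up to 256 concurrent remote console sessions to running virtual machines.</description>
  <port protocol="tcp" port="5900-6411"/>
</service>
"""

SPICE_BASE_PORT = 5900  # display :0 for SPICE/VNC, as noted in the thread


def parse_port_spec(spec):
    """Turn a firewalld port attribute ("22" or "5900-6411") into (low, high)."""
    if "-" in spec:
        low, high = spec.split("-", 1)
    else:
        low = high = spec
    low, high = int(low), int(high)
    if not (0 < low <= high <= 65535):
        raise ValueError("invalid port range: %s" % spec)
    return low, high


def open_ports(service_xml):
    """Return [(protocol, low, high, count)] for every <port> in a service."""
    # Parse from bytes so the XML encoding declaration is honoured.
    root = ET.fromstring(service_xml.encode("utf-8"))
    result = []
    for port in root.findall("port"):
        low, high = parse_port_spec(port.get("port"))
        result.append((port.get("protocol"), low, high, high - low + 1))
    return result


def display_for_port(port, base=SPICE_BASE_PORT):
    """Map a listening port back to the SPICE/VNC display number it implies."""
    if port < base:
        raise ValueError("port %d is below the SPICE base port" % port)
    return port - base


def audit(service_xml, max_ports=16):
    """Flag <port> elements that open more than max_ports ports.

    max_ports is an arbitrary review threshold chosen for this example,
    not a firewalld setting.
    """
    findings = []
    for proto, low, high, count in open_ports(service_xml):
        if count > max_ports:
            findings.append(
                "%s %d-%d opens %d ports (displays :%d-:%d); consider binding "
                "guests to localhost and tunnelling over ssh instead"
                % (proto, low, high, count,
                   display_for_port(low), display_for_port(high))
            )
    return findings


if __name__ == "__main__":
    for line in audit(SPICE_SERVICE_XML):
        print(line)
```

Run on the posted definition, `open_ports` reports 512 TCP ports (displays :0 through :511), which is what Laine counted and twice the 256 sessions the `<description>` claims; `audit` returns a single finding for it and none for a definition that only opens port 22.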
Thomas,
I based my large range of ports on a recent bug filed at https://bugzilla.redhat.com/show_bug.cgi?id=983088#c9
I am reviewing the other emails that came from Laine Stump...
On Wed, Oct 30, 2013 at 3:39 AM, Thomas Woerner twoerner@redhat.com wrote:
Hello John,
On 10/30/2013 12:45 AM, John Call wrote:
Given the popularity of virtualization these days, I'd like to see a SPICE service definition file come "out-of-the-box" with firewalld. Is this something that could be approached at this level, or should the request be directed to the libvirt/qemu team? For example, I think the definition below should be shipped as a predefined/standard service.
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Simple Protocol for Independent Computing Environments (SPICE)</short>
  <description>SPICE is an adaptive remote rendering protocol for virtual environments. The range of allowed ports will allow up to 256 concurrent remote console sessions to running virtual machines.</description>
  <port protocol="tcp" port="5900-6411"/>
This is really a huge port range. There are lots of ports in this range that are not SPICE specific.
Can you provide a list of ports that are used only for SPICE?
</service>
Thanks for your consideration, John
Regards, Thomas
On 10/30/2013 01:45 AM, John Call wrote:
Given the popularity of virtualization these days, I'd like to see a SPICE service definition file come "out-of-the-box" with firewalld. Is this something that could be approached at this level, or should the request be directed to the libvirt/qemu team? For example, I think the definition below should be shipped as a predefined/standard service.
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Simple Protocol for Independent Computing Environments (SPICE)</short>
  <description>SPICE is an adaptive remote rendering protocol for virtual environments. The range of allowed ports will allow up to 256 concurrent remote console sessions to running virtual machines.</description>
  <port protocol="tcp" port="5900-6411"/>
Instead of opening up lots of ports for unencrypted sessions, virtualization management libraries and applications tend to handle this by 1) setting up the virtual guests' spice/vnc sessions to only allow connection from localhost on the virtualization host, and 2) tunneling remote SPICE sessions through an ssh session (for example, virt-viewer and virt-manager, both using libvirt, do this).
In this way an arbitrary number of guests can be handled without needing to open a huge range of ports on the host (all that is needed is port 22 for ssh), and as a bonus all the sessions are secured by ssh.