Firewall configure
In a production environment, we need to take care of security by setting up a firewall. This is a normal concern for Kimchi. We should set up rules on the Kimchi host so that users can access it. For IP addresses, we should allow all IPs to access the Kimchi host. For TCP and UDP ports, we should make the HTTP port 8000, the HTTPS port 8001, the random noVNC and spice ports, the console port, and the federation multicast ports accessible. Kimchi may be started on ports other than the defaults 8000 and 8001, which requires the firewall configuration scripts to know Kimchi's port configuration. The ports dynamically assigned to noVNC and spice are also a challenge for live firewall configuration.
When Kimchi is deployed, a script should check that all the ports Kimchi uses are allowed through the firewall.
If they are not, it should then configure the firewall.
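One way such a check could work, as an added example that is not Kimchi's own code: it reads the configured HTTP/HTTPS ports, walks `iptables -S INPUT` output with first-match semantics, and returns the rules still needed. The `[server]` section, the `port`/`ssl_port` key names and both samples are assumptions constructed for illustration; user-defined chains and the dynamic noVNC/spice ports are not covered.

```python
import configparser
import re

# Constructed sample config; the [server] section and key names are assumptions.
SAMPLE_CONF = "[server]\nport = 8080\n# ssl_port not set, so the default applies\n"
# Constructed sample of `iptables -S INPUT` output.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8001 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 8080 -j ACCEPT
"""
DEFAULTS = {"port": 8000, "ssl_port": 8001}  # default ports named on the page
# Options that narrow which packets a rule matches; others are not modelled.
NARROWING = re.compile(r"(^| )(-s|-d|-i|--sport|--dports|--state|--ctstate|!) ")

def kimchi_ports(conf_text):
    """Return the HTTP/HTTPS ports, falling back to the defaults."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return [cp.getint("server", k, fallback=d) for k, d in DEFAULTS.items()]

def open_to_all(port, rules_text):
    """First-match walk of the INPUT chain for a new TCP connection to `port`."""
    policy = "ACCEPT"
    for line in rules_text.splitlines():
        tok = line.split()
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
        if tok[:2] != ["-A", "INPUT"] or "-j" not in tok:
            continue
        if "-p" in tok and tok[tok.index("-p") + 1] != "tcp":
            continue  # rule is for another protocol
        m = re.search(r"--dport (\d+)(?::(\d+))?", line)
        if m and not int(m.group(1)) <= port <= int(m.group(2) or m.group(1)):
            continue  # rule is for a different port or range
        target = tok[tok.index("-j") + 1]
        if NARROWING.search(line):
            if target in ("DROP", "REJECT"):
                return False  # some clients are blocked before any ACCEPT
            continue  # a restricted ACCEPT does not cover every client
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target == "ACCEPT"
    return policy == "ACCEPT"

def missing_rules(conf_text, rules_text):
    """iptables commands needed so each Kimchi port is reachable from any IP."""
    return ["iptables -I INPUT -p tcp --dport %d -j ACCEPT" % p
            for p in kimchi_ports(conf_text) if not open_to_all(p, rules_text)]
```

With the constructed samples, port 8080 is reported as missing because its only ACCEPT rule is limited to one source network, which does not satisfy the "all IPs" requirement.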
Proposal:
1. websocket proxying directly from the cherrypy server on its given port
Anthony proposed an idea to support websocket proxying directly from the cherrypy server on its given port. The noVNC code would be directed to a URL such as: ws://:8000/vms/vm-1/vnc. Cherrypy would switch to a websockets handler to service connections at this URL.
https://github.com/kimchi-project/kimchi/issues/22
2. Use novnc multi-target support
It can be fixed by token.
More info: https://github.com/kimchi-project/kimchi/issues/90