On 03/26/2015 04:23 PM, Jeremy Stanley wrote:
> On 2015-03-26 14:29:03 -0400 (-0400), Lars Kellogg-Stedman wrote:
> [...]
>> The solution, of course, is to make sure that the value of
>> novncproxy_base_url is set explicitly where the nova-novncproxy
>> service is running. This is a bit of a hack, since the service
>> *really* only cares about the protocol portion of the URL,
>> suggesting that maybe a new configuration option would have been a
>> less intrusive solution.
> [...]
>
> Thanks for the heads up. The developers working to backport security
> fixes to stable branches try to come up with ways to have them
> automatically applicable without configuration changes on the part
> of the deployers consuming them. Sometimes it's possible, sometimes
> it's not, and sometimes they think it is but turn out in retrospect
> to have introduced an unintended behavior change. Unfortunately I
> think that last possibility is what happened for this bug[1].
>
> It's worth bringing this to the attention of the Nova developers who
> implemented the original fix to see if there's a better stable
> solution which achieves the goal of protecting deployments where
> operators aren't likely to update their configuration while still
> maintaining consistent behavior. To that end, I'm Cc'ing the
> openstack-dev list, setting MFT and tagging the subject accordingly.
>
> [1] https://launchpad.net/bugs/1409142
>
Thanks Lars for bringing this up!

I've submitted a documentation change to document that new behavior[2]
and I'd like to amend the release note[3] with this:

  There is a known issue with the new websocket origin access control
  (OSSA 2015-005): ValidationError will prevent VNC and SPICE connections
  if base_urls are not properly configured. The novncproxy_base_url and
  html5proxy_base_url now need to match the TLS settings of the connection
  origin and need to be set explicitly where the nova proxy service is
  running.

Feedback is most welcome...

[2]: https://review.openstack.org/169515
[3]: https://wiki.openstack.org/wiki/ReleaseNotes/2014.1.4
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
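
Added example, not part of the thread and not Nova's code: a pre-flight check an operator could run against the nova.conf on a proxy host to catch the condition in the proposed release note (a base_url left unset, or one whose scheme differs from the connection origin) before users hit the ValidationError. The function name, the sample configuration, the host names and the idea of passing the origin scheme in by hand are assumptions made for illustration.

```python
import configparser
from urllib.parse import urlsplit

# Option names come from the thread; everything else is illustrative.
PROXY_URL_OPTIONS = ("novncproxy_base_url", "html5proxy_base_url")

# Constructed sample, not taken from a real deployment.
SAMPLE_CONF = """\
[DEFAULT]
novncproxy_base_url = http://console.example.org:6080/vnc_auto.html

[spice]
# html5proxy_base_url deliberately left unset
"""


def check_proxy_base_urls(conf_text, origin_scheme, options=PROXY_URL_OPTIONS):
    """Return (option, problem) pairs for a nova.conf supplied as text.

    origin_scheme is "http" or "https": the scheme of the page from which
    browsers open the console. Pass only the option for the proxy service
    that actually runs on the host being checked.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)

    # Search every section so the check does not depend on section layout.
    found = {}
    for section in [parser.default_section] + parser.sections():
        for opt in options:
            if parser.has_option(section, opt):
                found[opt] = parser.get(section, opt).strip()

    problems = []
    for opt in options:
        value = found.get(opt)
        if not value:
            problems.append((opt, "not set explicitly in this file"))
            continue
        scheme = urlsplit(value).scheme.lower()
        if scheme not in ("http", "https"):
            problems.append((opt, "unrecognised scheme %r" % scheme))
        elif scheme != origin_scheme.lower():
            problems.append((opt, "scheme %s does not match origin scheme %s"
                             % (scheme, origin_scheme.lower())))
    return problems


if __name__ == "__main__":
    for option, problem in check_proxy_base_urls(SAMPLE_CONF, "https"):
        print("%s: %s" % (option, problem))
```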