On 03/22/2017 12:11 PM, Cole Robinson wrote:
On 03/22/2017 10:39 AM, Leon Goldberg wrote:
> Hey,
>
> I've been wondering about the extent libvirt makes use of firewalld.
> I'm looking to use firewalld exclusively and wonder about the ports
> libvirt takes care of for me via firewalld (e.g. will console/vnc
> ports, qemu migration ports, etc, will be handled for me?)
>
> I have only done a little bit of testing, but it seems like I can't
> connect to a vm via vnc without explicitly opening ports beforehand.
>
Libvirt doesn't do stuff like that automatically. It's usage of firewalld and
firewalls in general is for 1) virtual networks (for example the 'default'
network that sets up NAT equivalent for your VMs) and 2) nwfilter config (
https://libvirt.org/formatnwfilter.html )
Yeah, it would be problematic for libvirt to try and automatically add
rules to allow incoming connections to VNC ports with the current
information it has available. It's likely that even if you did want to
allow it, you might want it limited to only come from certain addresses,
for example. There might be some reasonable way to do it by adding a
"firewallZone" attribute that could integrate with firewalld's concept
of zones, but that would require somebody stepping up to advocate for it
and do the work :-)
A more practical solution to your problem with the existing versions of
tools may be to hardcode a port for the VNC listener (since you're
already in there hardcoding an IP address), then add a rule to firewalld
directly for that hardcoded port.