On 10/30/2013 12:39 PM, Thomas Woerner wrote:
> Hello John,
>
> On 10/30/2013 12:45 AM, John Call wrote:
> > Given the popularity of virtualization these days, I'd like to see a
> > SPICE service definition file come "out-of-the-box" with firewalld. Is
> > this something that could be approached at this level, or should
> > the request be directed to the libvirt/qemu team? For example, I think
> > the definition below should be shipped as predefined/standard service.
> >
> > <?xml version="1.0" encoding="utf-8"?>
> > <service>
> > <short>Simple Protocol for Independent Computing Environments
> > (SPICE)</short>
> > <description>SPICE is an adaptive remote rendering protocol for
> > virtual environments. The range of allowed ports will allow up to 256
> > concurrent remote console sessions to running virtual
> > machines.</description>
> > <port protocol="tcp" port="5900-6411"/>
>
> This is really a huge port range. There are lots of ports in this
> range that are not SPICE specific.
> Can you provide a list of ports that is used only for SPICE?

I think the idea is that the spice service for each virtual guest will
listen on a different port, starting at port 5900 (which is ":0" for
spice or vnc) and increasing by one for each new guest; his range allows
for 512 simultaneous guests. But as I pointed out in my reply to his
original message, such a range of open ports is unnecessary, and would
be unused by libvirt and its consumers, which follow a much more secure
and scalable method of providing remote access to multiple guests.
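
One way to check how many ports a firewalld service definition would open, run over the definition quoted in this thread. This is an added example, not part of the original messages; the function names and the `MAX_PORTS` review threshold are assumptions.

```python
import xml.etree.ElementTree as ET

# The service definition quoted in the thread (description abridged, closing
# tag added so that it parses).
SPICE_SERVICE_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Simple Protocol for Independent Computing Environments (SPICE)</short>
  <description>SPICE is an adaptive remote rendering protocol.</description>
  <port protocol="tcp" port="5900-6411"/>
</service>
"""

DISPLAY_BASE = 5900  # ":0" for spice or vnc, as stated in the thread
MAX_PORTS = 16       # assumed review threshold, not a firewalld setting


def parse_port_spec(spec):
    """Turn "5900" or "5900-6411" into an inclusive (first, last) tuple."""
    first, _, last = spec.partition("-")
    first = int(first)
    last = int(last) if last else first
    if not 0 < first <= last <= 65535:
        raise ValueError("invalid port spec: %r" % spec)
    return first, last


def audit_service(xml_bytes, max_ports=MAX_PORTS):
    """Report the size of every <port> range in a service definition."""
    findings = []
    for element in ET.fromstring(xml_bytes).iter("port"):
        first, last = parse_port_spec(element.get("port", ""))
        count = last - first + 1
        findings.append({
            "protocol": element.get("protocol"),
            "first": first,
            "last": last,
            "count": count,
            # Display numbers only make sense at or above the base port.
            "displays": (first - DISPLAY_BASE, last - DISPLAY_BASE)
                        if first >= DISPLAY_BASE else None,
            "too_wide": count > max_ports,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_service(SPICE_SERVICE_XML):
        print(finding)
```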