[RFE] support nova proxy <-> hypervisor VNC/SPICE traffic encryption

Bug #1759285 reported by Dmitrii Shcherbakov
This bug affects 2 people
Affects: OpenStack Nova Cloud Controller Charm
Status: Triaged
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Currently, if TLS termination is enabled for the API, it only provides security for client <-> proxy connectivity.

Some improvements for this were implemented in Queens but require configuration:

https://specs.openstack.org/openstack/nova-specs/specs/ocata/approved/websocket-proxy-to-host-security.html
https://blueprints.launchpad.net/nova/+spec/websocket-proxy-to-host-security

Changed in charm-nova-cloud-controller:
status: New → Triaged
importance: Undecided → Wishlist
Trent Lloyd (lathiat) wrote:

When implementing this feature, the optional support for AUTHENTICATION using x509 client certificates should also be implemented.

Right now, the VNC port is both unencrypted and unauthenticated - anyone with network access to the compute node can connect to the VNC port and get console access. Even with encryption on, they can still do that just with an encrypted connection.

Authorization should be configured to ensure that only an authorized nova-cloud-controller novncproxy can connect to the nova-compute VNC port.
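A verification step for the gap described above, added here as an example and not code from the bug, the charm or nova: it performs only the RFB version exchange against a compute node's VNC listener and reports whether the unauthenticated None security type is still offered or only VeNCrypt (the TLS-carrying type) is advertised. The listener it talks to is a constructed in-process stand-in so the file runs offline; the host, port and mock server are assumptions, not anything from the report.

```python
import socket
import threading

# RFB security type numbers (RFC 6143); 19 is the VeNCrypt extension that adds TLS.
SEC_NONE, SEC_VENCRYPT = 1, 19
RFB_VERSION = b"RFB 003.008\n"

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf

def offered_security_types(host, port, timeout=5.0):
    """Version exchange only: return the advertised security types, authenticating nothing."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = _recv_exact(sock, 12)
        if banner not in (b"RFB 003.007\n", RFB_VERSION):
            raise ValueError(f"unexpected RFB banner: {banner!r}")
        sock.sendall(RFB_VERSION)
        count = _recv_exact(sock, 1)[0]  # 0 means the server refused the connection
        return sorted(_recv_exact(sock, count)) if count else []

def assess(types):
    """Translate the advertised types into the gap the bug describes."""
    if SEC_NONE in types:
        return "open: type None accepted, anyone reaching the port gets a console"
    if types == [SEC_VENCRYPT]:
        return "vencrypt only: TLS enforced; also confirm client certificates are verified"
    if SEC_VENCRYPT in types:
        return "vencrypt offered, but weaker security types are still accepted"
    return f"no TLS: only security types {types} offered"

def start_mock_vnc_server(types):
    """Constructed stand-in for a compute node's VNC listener; advertises `types` then hangs up."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(RFB_VERSION)
            _recv_exact(conn, 12)
            conn.sendall(bytes([len(types)]) + bytes(types))
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Pointing `offered_security_types` at a real compute node's VNC port (instead of the mock) shows at the handshake level whether the hardening Trent asks for is in effect.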

Alvaro Uria (aluria)
tags: added: canonical-bootstack