Encrypt VNC Traffic from Proxy Host to Compute Node

Bug #1248742 reported by Solly Ross
Affects: OpenStack Compute (nova)
Status: Opinion
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Description of problem:

If we break the novnc connections into three parts as below:

 client browser (1) -----> novnc proxy (2) ------> compute node (3)

Then the present status is: the connection from the browser to the proxy is encrypted, while the connection from the novnc proxy (on the controller nodes) to the compute nodes is NOT.

We would like the novnc traffic from the controller node to the compute nodes to be encrypted as well.

tags: added: libvirt novncproxy
Changed in nova:
status: New → Confirmed
importance: Undecided → Wishlist
Eric Brown (ericwb) wrote :

I believe the free and open source versions of VNC servers do not natively support encryption of communication. But the common setup is to tunnel VNC over an SSH connection. So maybe paramiko could be used in some way.

Solly Ross (sross-7) wrote :

@ericwb: actually, that's not true. Some (if not many) support various forms of encryption. In fact, libvirt's built-in VNC server supports SASL, and I've actually implemented code for using Kerberos (via SASL) to encrypt the connection. SPNEGO is used to obtain credentials from the user, and then s4u2 proxy is used by the novnc proxy to obtain a ticket, which is then used to perform encryption between the proxy and compute node. It's around here somewhere...
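Whether the proxy-to-compute leg in the bug description is encrypted, and whether the SASL/VeNCrypt support Solly mentions is actually in play, both come down to what the compute node's VNC server advertises during the RFB security handshake. The following is an added example, not code from the bug report, nova, or libvirt: a small parser for the server's security-type list (RFB 3.7/3.8 framing per RFC 6143 and the IANA RFB registry) that a proxy could use to refuse to continue when no encryption-capable type is offered. The sample messages are constructed, and the preference order (VeNCrypt, then SASL, then TLS) is an assumption chosen for illustration.

```python
"""Added example: check the RFB security types a VNC server offers before a
proxy continues the handshake. Not part of nova or libvirt."""
import struct

# Security-type numbers from RFC 6143 and the IANA RFB registry.
SECURITY_TYPES = {
    1: "None",
    2: "VNC Authentication",
    18: "TLS",
    19: "VeNCrypt",
    20: "SASL",
}

# Types that can protect the session: VeNCrypt and TLS wrap the connection in
# TLS; SASL encrypts only when the negotiated mechanism provides a security
# layer (e.g. GSSAPI/Kerberos), which is the setup described in the thread.
ENCRYPTED_TYPES = {18, 19, 20}

# Assumed proxy policy: prefer VeNCrypt, then SASL, then the legacy TLS type.
PREFERRED_ORDER = (19, 20, 18)


def refusal_reason(data):
    """Return the server's failure reason if the count byte is 0, else None.

    A zero count is followed by a big-endian u32 length and a reason string."""
    if data and data[0] == 0:
        if len(data) < 5:
            return "<truncated failure reason>"
        (reason_len,) = struct.unpack(">I", data[1:5])
        return data[5:5 + reason_len].decode("latin-1", "replace")
    return None


def parse_server_security_types(data):
    """Parse the RFB 3.7/3.8 security-type message: one count byte followed
    by `count` type bytes. Raises ValueError on refusal or truncation.
    (RFB 3.3 sends a single u32 type instead and is not handled here.)"""
    if not data:
        raise ValueError("empty security-type message")
    reason = refusal_reason(data)
    if reason is not None:
        raise ValueError("server refused connection: " + reason)
    count = data[0]
    types = list(data[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-type list")
    return types


def offers_encryption(types):
    """True if at least one encryption-capable type is advertised."""
    return any(t in ENCRYPTED_TYPES for t in types)


def choose_security_type(types, require_encryption=True):
    """Pick the type the proxy should answer with. With require_encryption
    (the safe default) return None when nothing encryption-capable is offered,
    so the caller aborts instead of falling back to a cleartext session."""
    for preferred in PREFERRED_ORDER:
        if preferred in types:
            return preferred
    if require_encryption:
        return None
    for t in types:
        if t in SECURITY_TYPES:
            return t
    return None


def describe(types):
    """Human-readable names for a list of type numbers (for logging)."""
    return [SECURITY_TYPES.get(t, "unknown(%d)" % t) for t in types]


# Constructed sample messages; not captured from a real compute node.
# A VNC server offering only cleartext types: count=2, None, VNC Auth.
PLAIN_ONLY = bytes([2, 1, 2])
# A server with VeNCrypt and SASL enabled: count=3, VNC Auth, VeNCrypt, SASL.
WITH_ENCRYPTION = bytes([3, 2, 19, 20])
# A refusal: count=0, then length-prefixed reason text.
REFUSED = bytes([0]) + struct.pack(">I", 8) + b"Too many"

if __name__ == "__main__":
    for label, msg in (("plain-only", PLAIN_ONLY), ("encrypted", WITH_ENCRYPTION)):
        types = parse_server_security_types(msg)
        print(label, describe(types), "->", choose_security_type(types))
```

With the default policy the plain-only server yields no usable type and the proxy should log the advertised list and close the socket; only when an operator explicitly passes `require_encryption=False` does the fallback to cleartext types occur, which makes the downgrade a visible configuration decision rather than a silent default.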

Allison Randal (allison)
tags: added: console
removed: novncproxy
Solly Ross (sross-7)
Changed in nova:
assignee: nobody → Solly Ross (sross-7)
Changed in nova:
status: Confirmed → In Progress
Solly Ross (sross-7) wrote :

For some reason, the commit hook isn't working. Here's the review: https://review.openstack.org/#/c/77266/

Daniel Berrange (berrange) wrote :

This isn't really a bug, it is a major feature request, so it needs to go through the blueprint process, not bug process.

Sean Dague (sdague) wrote :

Put as opinion as it's not a bug

Changed in nova:
status: In Progress → Opinion
assignee: Solly Ross (sross-7) → nobody