
The console proxies (VNC, SPICE, etc) currently don't allow the permitted TLS ciphers and protocol versions to be configured. This results in the defaults being used from the underlying system, which may not be secure enough for many deployments. This patch allows the ciphers and the minimum SSL/TLS protocol version for each console proxy to be configured in nova's config. We utilize websockify underneath our console proxies, which added support for configuring the allowed ciphers and the SSL/TLS version as of version 0.9.0. This change updates the lower constraint for this dependency. Closes-Bug: #1842149 Related-Bug: #1771773 Change-Id: I23ac1cc79482d0fabb359486a4b934463854cae5
# Copyright (c) 2016 OpenStack Foundation
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
# Options for the websocket console proxy process. register_opts() and
# register_cli_opts() in this module register this same list, and list_opts()
# files it under the 'DEFAULT' group.
novnc_opts = [
    # When set, frames received and sent by the proxy are written to this
    # file; unset means nothing is recorded.
    # NOTE(review): those frames presumably carry console session content,
    # so the target file should be treated as sensitive (restrictive
    # permissions, controlled retention) -- confirm against the deployment.
    cfg.StrOpt(
        'record',
        help="""
Filename that will be used for storing websocket frames received
and sent by a proxy service (like VNC, spice, serial) running on this host.
If this is not set, no recording will be done.
""",
    ),
    cfg.BoolOpt(
        'daemon',
        default=False,
        help='Run as a background process.',
    ),
    # Defaults to False, i.e. non-encrypted connections are not disallowed
    # unless the operator turns this on. Enabling it goes together with the
    # cert/key options listed in the help text.
    cfg.BoolOpt(
        'ssl_only',
        default=False,
        help="""
Disallow non-encrypted connections.

Related options:

* cert
* key
""",
    ),
    cfg.BoolOpt(
        'source_is_ipv6',
        default=False,
        help='Set to True if source host is addressed with IPv6.',
    ),
    # The default is the bare relative name 'self.pem'.
    # NOTE(review): how a relative path is resolved is not visible here
    # (presumably against the process working directory) -- deployments
    # should point this at an absolute path. The cipher list and minimum
    # protocol version are set through the [console] options named below;
    # those options are defined outside this file.
    cfg.StrOpt(
        'cert',
        default='self.pem',
        help="""
Path to SSL certificate file.

Related options:

* key
* ssl_only
* [console] ssl_ciphers
* [console] ssl_minimum_version
""",
    ),
    # No default: per the help text this is only needed when the private
    # key is kept in a file separate from the certificate.
    cfg.StrOpt(
        'key',
        help="""
SSL key file (if separate from cert).

Related options:

* cert
""",
    ),
    # Everything under this directory is described as being served by a web
    # server, so it should contain only the static console client content.
    cfg.StrOpt(
        'web',
        default='/usr/share/spice-html5',
        help="""
Path to directory with content which will be served by a web server.
""",
    ),
]
def register_opts(conf):
    """Register every option in ``novnc_opts`` on *conf*.

    The list is passed to ``conf.register_opts`` without a group argument.
    """
    conf.register_opts(novnc_opts)
def register_cli_opts(conf):
    """Register every option in ``novnc_opts`` on *conf* as a CLI option.

    The same list that ``register_opts`` uses is passed to
    ``conf.register_cli_opts``, so the TLS-related settings (``ssl_only``,
    ``cert``, ``key``) are registered as command-line options as well.
    """
    conf.register_cli_opts(novnc_opts)
def list_opts():
    """Return the options of this module keyed by their config group.

    All of ``novnc_opts`` is listed under the ``'DEFAULT'`` group.
    """
    # NOTE(review): presumably consumed by the sample-config generator;
    # the caller is not visible in this file.
    return dict(DEFAULT=novnc_opts)