openstack/nova
Code Issues Proposed changes
d27d8e44a3
nova/releasenotes/notes/websocket-proxy-to-host-security-c3eca0647b0cbc02.yaml
Daniel Berrange 7c593dc505 doc: Document TLS security setup for noVNC proxy 
The nova noVNC proxy server has gained the ability to use the VeNCrypt
authentication scheme to secure network communications with the compute
node VNC servers.  This documents how to configure the QEMU/KVM compute
nodes and the noVNC proxy server nodes.

Change-Id: If3cea87568efff0874cd8851cabc6770812c545b
Blueprint: websocket-proxy-to-host-security
Co-Authored-By: Stephen Finucane <sfinucan@redhat.com>
2018-01-22 14:48:51 +00:00

42 lines
1.9 KiB
YAML
Raw Blame History

---
features:
- |
Added a number of new configuration options to the ``[vnc]`` group, which
together allow for the configuration of authentication used between the
*nova-novncproxy* server and the compute node VNC server.
- ``auth_schemes``
- ``vencrypt_client_key``
- ``vencrypt_client_cert``
- ``vencrypt_ca_certs``
For more information, refer to `the documentation`__.
__ https://docs.openstack.org/nova/latest/admin/remote-console-access.html
- |
The *nova-novncproxy* server can now be configured to do a security
negotiation with the compute node VNC server. If the VeNCrypt auth scheme
is enabled, this establishes a TLS session to provide encryption of all
data. The proxy will validate the x509 certs issued by the remote server to
ensure it is connecting to a valid compute node. The proxy can also send
its own x509 cert to allow the compute node to validate that the connection
comes from the official proxy server.
To make use of VeNCrypt, configuration steps are required for both the
`nova-novncproxy` service and libvirt on all the compute nodes. The
``/etc/libvirt/qemu.conf`` file should be modified to set the ``vnc_tls``
option to ``1``, and optionally the ``vnc_tls_x509_verify`` option to
``1``. Certificates must also be deployed on the compute node.
The ``nova.conf`` file should have the ``auth_schemes`` parameter in the
``vnc`` group set. If there are a mix of compute nodes, some with VeNCrypt
enabled and others with it disabled, then the ``auth_schemes``
configuration option should be set to ``['vencrypt', 'none']``.
Once all compute nodes have VeNCrypt enabled, the ``auth_schemes``
parameter can be set to just ``['vencrypt']``.
For more information, refer to `the documentation`__.
__ https://docs.openstack.org/nova/latest/admin/remote-console-access.html
View Git Blame Copy Permalink