openstack/openstack-manuals
Code Issues Proposed changes
Files
0e5513f6a334873e1c423db548e9dbe54320ec04
openstack-manuals/doc/security-guide/ch026_compute.xml
Andreas Jaeger 2dad59797d Security guide editorial edits 
No textual changes, just markup and style, mainly:
* Add missing <filename> markup
* Change capitalization
* Wrap some overly long lines
* Remove extra whitespace before ":"
* Replace "--" with emdash

Change-Id: I9126a91c5d1f78feacb10c639b26f37fc6815a99
Partial-Bug: #1217503
2014-05-09 15:16:00 +02:00

114 lines
6.1 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<chapter xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns="http://docbook.org/ns/docbook"
version="5.0"
xml:id="ch026_compute">
<?dbhtml stop-chunking?>
<title>Compute</title>
<para>The Compute service (nova) is one of the more complex OpenStack services. It runs in many locations throughout the cloud and interacts with a variety of internal services. For this reason, most of our recommendations regarding best practices for Compute service configuration are distributed throughout this book. We provide specific details in the sections on Management, API Endpoints, Messaging, and Database.</para>
<section xml:id="ch026_compute-idp45072">
<title>Virtual console selection</title>
<para>One decision a cloud architect will need to make regarding
Compute service configuration is whether to use <glossterm
baseform="Virtual Network Computing (VNC)">VNC</glossterm> or
<glossterm>SPICE</glossterm>. Below we provide some details on
the differences between these options.</para>
<section xml:id="ch026_compute-idp46336">
<title>Virtual Network Computer (VNC)</title>
<para>OpenStack can be configured to provide remote desktop console access to instances for tenants and/or administrators using the Virtual Network Computer (VNC) protocol.</para>
</section>
<section xml:id="ch026_compute-idp48352">
<title>Capabilities</title>
<itemizedlist><listitem>
<para>
The OpenStack dashboard (horizon) can provide a VNC
console for instances directly on the web page using the
HTML5 noVNC client. This requires the <systemitem
class="service">nova-novncproxy</systemitem> service to
bridge from the public network to the management
network.
</para>
</listitem>
<listitem>
<para>The <command>nova</command> command-line utility can
return a URL for the VNC console for access by the
<systemitem class="service">nova</systemitem> Java VNC
client. This requires the <systemitem
class="service">nova-xvpvncproxy</systemitem> service to
bridge from the public network to the management
network.</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="ch026_compute-idp51760">
<title>Security considerations</title>
<itemizedlist><listitem>
<para>The <systemitem
class="service">nova-novncproxy</systemitem> and
<systemitem class="service">nova-xvpvncproxy</systemitem>
services by default open public-facing ports that are
token authenticated.</para>
</listitem>
<listitem>
<!-- TODO - check if havana had this feature -->
<para>By default, the remote desktop traffic is not encrypted. Havana is expected to have VNC connections secured by Kerberos.</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="ch026_compute-idp54592">
<title>References</title>
<para><link xlink:href="http://blog.malchuk.ru/2013/05/21/47">Secure Connections to VNC ports</link></para>
</section>
<section xml:id="ch026_compute-idp55824">
<title>Simple Protocol for Independent Computing Environments (SPICE)</title>
<para>As an alternative to VNC, OpenStack provides remote desktop access to guest virtual machines using the Simple Protocol for Independent Computing Environments (SPICE) protocol.</para>
<section xml:id="ch026_compute-idp57120">
<title>Capabilities</title>
<itemizedlist><listitem>
<para>
SPICE is supported by the OpenStack dashboard
(horizon) directly on the instance web page. This
requires the <systemitem
class="service">nova-spicehtml5proxy</systemitem>
service.
</para>
</listitem>
<listitem>
<para>The nova command-line utility can return a URL for SPICE console for access by a SPICE-html client.</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="ch026_compute-idm4576">
<title>Limitations</title>
<itemizedlist><listitem>
<para>Although SPICE has many advantages over VNC, the spice-html5 browser integration currently doesn't really allow admins to take advantage of any of the benefits. To take advantage of SPICE features like multi-monitor, USB pass through, etc. admins are recommended to use a standalone SPICE client within the Management Network.</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="ch026_compute-idp83168">
<title>Security considerations</title>
<itemizedlist><listitem>
<para>The <systemitem
class="service">nova-spicehtml5proxy</systemitem>
service by default opens public-facing ports that are
token authenticated.</para>
</listitem>
<listitem>
<para>The functionality and integration are still evolving. We will access the features in the next release and make recommendations.</para>
</listitem>
<listitem>
<para>As is the case for VNC, at this time we recommend using SPICE from the management network in addition to limiting use to few individuals.</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="ch026_compute-idp86912">
<title>References</title>
<para><link xlink:href="http://docs.openstack.org/trunk/config-reference/content/spice-console.html">SPICE Console</link></para>
<para><link xlink:href="https://bugzilla.redhat.com/show_bug.cgi?id=913607">Red Hat bug 913607</link></para>
<para><link xlink:href="http://openstack.redhat.com/forum/discussion/67/resolved-spice-support-in-rdo-grizzly/p1">SPICE support in RDO Grizzly</link></para>
</section>
</section>
</section>
</chapter>
View Git Blame Copy Permalink