openstack-manuals/doc/security-guide/ch026_compute.xml
Chandan kumar 77ec2d6e4c Added complete Doc Convention to Security Guide.
Change-Id: I8310331f48399310d1a5d7af88bd91fba20ea89c
Partial-Bug: #1121866
2013-12-06 12:01:57 +05:30

78 lines
5.4 KiB
XML
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?xml version="1.0" encoding="UTF-8"?>
<chapter xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://docbook.org/ns/docbook" xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="ch026_compute"><?dbhtml stop-chunking?>
<title>Compute</title>
<para>The Compute Service (Nova) is one of the more complex OpenStack services.  It runs in many locations throughout the cloud and interacts with a variety of internal services.  For this reason, most of our recommendations regarding best practices for Compute Service configuration are distributed throughout this book. We provide specific details in the sections on Management, API Endpoints, Messaging, and Database.</para>
<section xml:id="ch026_compute-idp45072">
<title>Virtual Console Selection</title>
<para>One decision a cloud architect will need to make regarding Compute Service configuration is whether to use VNC or SPICE. Below we provide some details on the differences between these options.</para>
<section xml:id="ch026_compute-idp46336">
<title>Virtual Network Computer (VNC)</title>
<para>OpenStack can be configured to provide remote desktop console access to instances for tenants and/or administrators using the Virtual Network Computer (VNC) protocol.  </para>
</section>
<section xml:id="ch026_compute-idp48352">
<title>Capabilities</title>
<itemizedlist><listitem>
<para>The OpenStack Dashboard (Horizon) can provide a VNC console for instances directly on the web page using the HTML5 noVNC client.  This requires the <systemitem class="service">nova-novncproxy</systemitem> service to bridge from the public network to the management network.</para>
</listitem>
<listitem>
<para>The nova command line utility can return a URL for the VNC console for access by the nova Java VNC client. This requires the nova-xvpvncproxy service to bridge from the public network to the management network.</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="ch026_compute-idp51760">
<title>Security Considerations</title>
<itemizedlist><listitem>
<para>The <systemitem class="service">nova-novncproxy</systemitem>and nova-xvpvncproxy services by default open public-facing ports that are token authenticated.</para>
</listitem>
<listitem>
<para>By default, the remote desktop traffic is not encrypted. Havana is expected to have VNC connections secured by Kerberos.</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="ch026_compute-idp54592">
<title>References</title>
<para><link xlink:href="http://blog.malchuk.ru/2013/05/21/47">Secure Connections to VNC ports</link></para>
</section>
<section xml:id="ch026_compute-idp55824">
<title>Simple Protocol for Independent Computing Environments (SPICE)</title>
<para>As an alternative to VNC, OpenStack provides remote desktop access to guest virtual machines using the Simple Protocol for Independent Computing Environments (SPICE) protocol.</para>
<section xml:id="ch026_compute-idp57120">
<title>Capabilities</title>
<itemizedlist><listitem>
<para>SPICE is supported by the OpenStack Dashboard (Horizon) directly on the instance web page.  This requires the nova-spicehtml5proxy service.</para>
</listitem>
<listitem>
<para>The nova command line utility can return a URL for SPICE console for access by a SPICE-html client.</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="ch026_compute-idm4576">
<title>Limitations</title>
<itemizedlist><listitem>
<para>Although SPICE has many advantages over VNC, the spice-html5 browser integration currently doesn't really allow admins to take advantage of any of the benefits. To take advantage of SPICE features like multi-monitor, USB pass through, etc. admins are recommended to use a standalone SPICE client within the Management Network.</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="ch026_compute-idp83168">
<title>Security Considerations</title>
<itemizedlist><listitem>
<para>The nova-spicehtml5proxy service by default opens public-facing ports that are token authenticated.</para>
</listitem>
<listitem>
<para>The functionality and integration are still evolving. We will access the features in the next release and make recommendations.</para>
</listitem>
<listitem>
<para>As is the case for VNC, at this time we recommend using SPICE from the management network in addition to limiting use to few individuals.</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="ch026_compute-idp86912">
<title>References</title>
<para><link xlink:href="http://docs.openstack.org/trunk/config-reference/content/spice-console.html">SPICE Console</link></para>
<para><link xlink:href="https://bugzilla.redhat.com/show_bug.cgi?id=913607">Red Hat bug 913607</link></para>
<para><link xlink:href="http://openstack.redhat.com/forum/discussion/67/resolved-spice-support-in-rdo-grizzly/p1">SPICE support in RDO Grizzly</link></para>
</section>
</section>
</section>
</chapter>