openstack/openstack-manuals
Code Issues Proposed changes
ee1c854256
openstack-manuals/doc/security-guide/ch026_compute.xml
Tom Fifield e4aac82b07 Remove old references in prep for Icehouse 
A standard pre-release patch, looking for any obsolete text to remove,
and references to newly unsupported releases to remove.

Feel free to update the patch if you find other things.

Review request: this patch touches many files in a small way.
Please try and focus on the small changes, and not the rest of the
file ... since many of them do need an edit  ;)

Change-Id: I383c51acf149bb6553ddfd33cad382f5dd15fe62
2014-04-11 08:13:54 -05:00

89 lines
5.7 KiB
XML
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?xml version="1.0" encoding="UTF-8"?>
<chapter xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://docbook.org/ns/docbook" xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="ch026_compute"><?dbhtml stop-chunking?>
<title>Compute</title>
<para>The Compute service (nova) is one of the more complex OpenStack services.  It runs in many locations throughout the cloud and interacts with a variety of internal services.  For this reason, most of our recommendations regarding best practices for Compute service configuration are distributed throughout this book. We provide specific details in the sections on Management, API Endpoints, Messaging, and Database.</para>
<section xml:id="ch026_compute-idp45072">
<title>Virtual Console Selection</title>
<para>One decision a cloud architect will need to make regarding
Compute service configuration is whether to use <glossterm
baseform="Virtual Network Computing (VNC)">VNC</glossterm> or
<glossterm>SPICE</glossterm>. Below we provide some details on
the differences between these options.</para>
<section xml:id="ch026_compute-idp46336">
<title>Virtual Network Computer (VNC)</title>
<para>OpenStack can be configured to provide remote desktop console access to instances for tenants and/or administrators using the Virtual Network Computer (VNC) protocol.  </para>
</section>
<section xml:id="ch026_compute-idp48352">
<title>Capabilities</title>
<itemizedlist><listitem>
<para>The OpenStack Dashboard (Horizon) can provide a VNC console for instances directly on the web page using the HTML5 noVNC client.  This requires the <systemitem class="service">nova-novncproxy</systemitem> service to bridge from the public network to the management network.</para>
</listitem>
<listitem>
<para>The <command>nova</command> command-line utility can
return a URL for the VNC console for access by the
<systemitem class="service">nova</systemitem> Java VNC
client. This requires the <systemitem
class="service">nova-xvpvncproxy</systemitem> service to
bridge from the public network to the management
network.</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="ch026_compute-idp51760">
<title>Security Considerations</title>
<itemizedlist><listitem>
<para>The <systemitem class="service">nova-novncproxy</systemitem>and nova-xvpvncproxy services by default open public-facing ports that are token authenticated.</para>
</listitem>
<listitem>
<!-- TODO - check if havana had this feature -->
<para>By default, the remote desktop traffic is not encrypted. Havana is expected to have VNC connections secured by Kerberos.</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="ch026_compute-idp54592">
<title>References</title>
<para><link xlink:href="http://blog.malchuk.ru/2013/05/21/47">Secure Connections to VNC ports</link></para>
</section>
<section xml:id="ch026_compute-idp55824">
<title>Simple Protocol for Independent Computing Environments (SPICE)</title>
<para>As an alternative to VNC, OpenStack provides remote desktop access to guest virtual machines using the Simple Protocol for Independent Computing Environments (SPICE) protocol.</para>
<section xml:id="ch026_compute-idp57120">
<title>Capabilities</title>
<itemizedlist><listitem>
<para>SPICE is supported by the OpenStack Dashboard (Horizon) directly on the instance web page.  This requires the nova-spicehtml5proxy service.</para>
</listitem>
<listitem>
<para>The nova command-line utility can return a URL for SPICE console for access by a SPICE-html client.</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="ch026_compute-idm4576">
<title>Limitations</title>
<itemizedlist><listitem>
<para>Although SPICE has many advantages over VNC, the spice-html5 browser integration currently doesn't really allow admins to take advantage of any of the benefits. To take advantage of SPICE features like multi-monitor, USB pass through, etc. admins are recommended to use a standalone SPICE client within the Management Network.</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="ch026_compute-idp83168">
<title>Security Considerations</title>
<itemizedlist><listitem>
<para>The nova-spicehtml5proxy service by default opens public-facing ports that are token authenticated.</para>
</listitem>
<listitem>
<para>The functionality and integration are still evolving. We will access the features in the next release and make recommendations.</para>
</listitem>
<listitem>
<para>As is the case for VNC, at this time we recommend using SPICE from the management network in addition to limiting use to few individuals.</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="ch026_compute-idp86912">
<title>References</title>
<para><link xlink:href="http://docs.openstack.org/trunk/config-reference/content/spice-console.html">SPICE Console</link></para>
<para><link xlink:href="https://bugzilla.redhat.com/show_bug.cgi?id=913607">Red Hat bug 913607</link></para>
<para><link xlink:href="http://openstack.redhat.com/forum/discussion/67/resolved-spice-support-in-rdo-grizzly/p1">SPICE support in RDO Grizzly</link></para>
</section>
</section>
</section>
</chapter>
View Git Blame Copy Permalink