Bug 1025429 (encrypt_vnc_traffic)

Summary: RFE: encrypt vnc traffic from controller node to compute nodes if ssl_only turned on
Product: Red Hat OpenStack Reporter: Vladan Popovic <vpopovic>
Component: openstack-novaAssignee: Stephen Finucane <stephenfin>
Status: CLOSED ERRATA QA Contact: Archit Modi <amodi>
Severity: high Docs Contact:
Priority: low    
Version: unspecifiedCC: amodi, berrange, brault, eglynn, jhakimra, josorior, jschluet, lyarwood, nlevinki, owalsh, pneedle, rhos-integ, sclewis, sgordon, srevivo, stephenfin
Target Milestone: Upstream M3Keywords: FutureFeature, Triaged
Target Release: 13.0 (Queens)   
Hardware: Unspecified   
OS: Unspecified   
URL: https://blueprints.launchpad.net/nova/+spec/websocket-proxy-to-host-security
Whiteboard: upstream_milestone_none upstream_definition_approved upstream_status_needs-code-review
Fixed In Version: openstack-nova-17.0.1-0.20180302144923.9ace6ed.el7ost Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
: 1534484 1539408 (view as bug list) Environment:
Last Closed: 2018-06-27 13:26:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1554444    
Bug Blocks: 1419948, 1442136, 1077198, 1534484, 1539408    

Description Vladan Popovic 2013-10-31 16:35:01 UTC
Description of problem:

If we break the novnc connections into three parts as below:

 client browser (1) -----> novnc proxy (2)  ------> compute node (3)

Then the present status is: connection from browser to proxy is encrypted, while the nonvnc proxy(on controller nodes) to compute nodes are NOT.

We would like the novnc traffic from controller node to compute nodes be encrypted as wel.

Comment 4 Stephen Gordon 2014-01-22 15:42:14 UTC
I think we need to raise a BP for this upstream to get things moving.

Comment 6 Solly Ross 2014-10-23 16:02:14 UTC
*** Bug 865343 has been marked as a duplicate of this bug. ***

Comment 7 Solly Ross 2014-10-23 19:50:25 UTC
This was accepted for Juno but the code didn't get merged due to review bandwidth.

The blueprint has been re-introduced and should make it in for Kilo.

Comment 8 Solly Ross 2014-11-11 20:50:51 UTC
The blueprint was accepted, and code has been posted to upstream Gerrit.

Comment 10 Eoghan Glynn 2015-03-03 17:25:49 UTC
The upstream patch:

  https://review.openstack.org/115483

has missed the Kilo window and been deferred to Liberty-1, bumping this BZ appropriately.

Comment 16 Daniel Berrangé 2015-09-08 15:13:08 UTC
This patch missed Liberty too, but I will take it up again for Mitaka. The code is basically done, so hopefully it is a exercise in rubber stamping the code review.

Comment 17 Stephen Gordon 2016-02-02 20:22:25 UTC
(In reply to Daniel Berrange from comment #16)
> This patch missed Liberty too, but I will take it up again for Mitaka. The
> code is basically done, so hopefully it is a exercise in rubber stamping the
> code review.

Unfortunately it looks like we missed Mitaka (not for want of trying), moving to next release.

Comment 19 Stephen Gordon 2016-07-07 16:06:07 UTC
Missed Newton freeze, moving out to Ocata.

Comment 27 Stephen Finucane 2017-09-01 08:38:31 UTC
*** Bug 1484394 has been marked as a duplicate of this bug. ***

Comment 29 Stephen Finucane 2017-10-06 13:54:43 UTC
*** Bug 1449307 has been marked as a duplicate of this bug. ***

Comment 30 Stephen Finucane 2017-10-06 13:54:51 UTC
*** Bug 1086964 has been marked as a duplicate of this bug. ***

Comment 33 Stephen Finucane 2018-01-10 16:39:28 UTC
Reviews available here https://review.openstack.org/#/q/branch:master+topic:bp/websocket-proxy-to-host-security

Comment 35 Stephen Finucane 2018-03-15 15:55:52 UTC
Sorry for the delay.

Comment 37 Stephen Finucane 2018-03-15 16:03:18 UTC
The various patches, all of which have now landed, can be viewed here:

https://review.openstack.org/#/q/(status:merged+OR+status:open)+branch:master+topic:bp/websocket-proxy-to-host-security

Comment 41 errata-xmlrpc 2018-06-27 13:26:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086