|Summary:||RFE: encrypt vnc traffic from controller node to compute nodes if ssl_only turned on|
|Product:||Red Hat OpenStack||Reporter:||Vladan Popovic <vpopovic>|
|Component:||openstack-nova||Assignee:||Stephen Finucane <stephenfin>|
|Status:||CLOSED ERRATA||QA Contact:||Archit Modi <amodi>|
|Version:||unspecified||CC:||amodi, berrange, brault, eglynn, jhakimra, josorior, jschluet, lyarwood, nlevinki, owalsh, pneedle, rhos-integ, sclewis, sgordon, srevivo, stephenfin|
|Target Milestone:||Upstream M3||Keywords:||FutureFeature, Triaged|
|Target Release:||13.0 (Queens)|
|Whiteboard:||upstream_milestone_none upstream_definition_approved upstream_status_needs-code-review|
|Fixed In Version:||openstack-nova-17.0.1-0.20180302144923.9ace6ed.el7ost||Doc Type:||Enhancement|
|Doc Text:||Story Points:||---|
|:||1534484 1539408||Environment:|
|Last Closed:||2018-06-27 13:26:22 UTC||Type:||Bug|
|Bug Depends On:||1554444|
|Bug Blocks:||1419948, 1442136, 1077198, 1534484, 1539408|
Description Vladan Popovic 2013-10-31 16:35:01 UTC
Description of problem:
If we break the novnc connections into three parts as below:
client browser (1) -----> novnc proxy (2) ------> compute node (3)
Then the present status is: the connection from browser to proxy is encrypted, while the connection from the novnc proxy (on controller nodes) to compute nodes is NOT. We would like the novnc traffic from controller node to compute nodes to be encrypted as well.
Comment 4 Stephen Gordon 2014-01-22 15:42:14 UTC
I think we need to raise a BP for this upstream to get things moving.
Comment 6 Solly Ross 2014-10-23 16:02:14 UTC
*** Bug 865343 has been marked as a duplicate of this bug. ***
Comment 7 Solly Ross 2014-10-23 19:50:25 UTC
This was accepted for Juno but the code didn't get merged due to review bandwidth. The blueprint has been re-introduced and should make it in for Kilo.
Comment 8 Solly Ross 2014-11-11 20:50:51 UTC
The blueprint was accepted, and code has been posted to upstream Gerrit.
Comment 10 Eoghan Glynn 2015-03-03 17:25:49 UTC
The upstream patch: https://review.openstack.org/115483 has missed the Kilo window and been deferred to Liberty-1, bumping this BZ appropriately.
Comment 16 Daniel Berrangé 2015-09-08 15:13:08 UTC
This patch missed Liberty too, but I will take it up again for Mitaka. The code is basically done, so hopefully it is an exercise in rubber stamping the code review.
Comment 17 Stephen Gordon 2016-02-02 20:22:25 UTC
(In reply to Daniel Berrange from comment #16)
> This patch missed Liberty too, but I will take it up again for Mitaka. The
> code is basically done, so hopefully it is an exercise in rubber stamping the
> code review.
Unfortunately it looks like we missed Mitaka (not for want of trying), moving to next release.
Comment 19 Stephen Gordon 2016-07-07 16:06:07 UTC
Missed Newton freeze, moving out to Ocata.
Comment 27 Stephen Finucane 2017-09-01 08:38:31 UTC
*** Bug 1484394 has been marked as a duplicate of this bug. ***
Comment 29 Stephen Finucane 2017-10-06 13:54:43 UTC
*** Bug 1449307 has been marked as a duplicate of this bug. ***
Comment 30 Stephen Finucane 2017-10-06 13:54:51 UTC
*** Bug 1086964 has been marked as a duplicate of this bug. ***
Comment 33 Stephen Finucane 2018-01-10 16:39:28 UTC
Reviews available here https://review.openstack.org/#/q/branch:master+topic:bp/websocket-proxy-to-host-security
Comment 35 Stephen Finucane 2018-03-15 15:55:52 UTC
Sorry for the delay.
Comment 37 Stephen Finucane 2018-03-15 16:03:18 UTC
The various patches, all of which have now landed, can be viewed here: https://review.openstack.org/#/q/(status:merged+OR+status:open)+branch:master+topic:bp/websocket-proxy-to-host-security
Comment 41 errata-xmlrpc 2018-06-27 13:26:22 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:2086