Bug 1597085

Summary: [RFE] End-to-end VNC encryption for RHV VMs
Product: Red Hat Enterprise Virtualization Manager Reporter: Marina Kalinin <mkalinin>
Component: ovirt-engine Assignee: Tomasz Barański <tbaransk>
Status: CLOSED ERRATA QA Contact: Liran Rotenberg <lrotenbe>
Severity: urgent Docs Contact:
Priority: high    
Version: 4.2.4 CC: amashah, ayadav, cpippin, emarcus, lsurette, mavital, michal.skrivanek, mkalinin, mtessun, rbarry, Rhev-m-bugs, srevivo, tbaransk
Target Milestone: ovirt-4.3.3 Keywords: FutureFeature
Target Release: 4.3.0 Flags: lrotenbe: testing_plan_complete+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
A new option has been added to the Administration Portal under Compute > Clusters in the Console configuration screen: Enable VNC Encryption
Story Points: ---
Clone Of:
: 1633585 (view as bug list) Environment:
Last Closed: 2019-05-08 12:37:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Virt RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1520566, 1633585, 1640357    

Description Marina Kalinin 2018-07-02 03:09:32 UTC
RHV should have end to end VNC encryption for accessing its VMs via VNC.

It is possible to enable tls in qemu vnc server[1], but RHV does not use it and does not expose this option to the user via RHV portals.

How this request should be implemented:
- Provide "Enable TLS" option for VM console when VNC is chosen.
- If "Enable TLS" is selected, once VNC connection is established, it should be encrypted end to end, from client to the host.


[1] https://wiki.libvirt.org/page/VNCTLSSetup

Comment 11 Ryan Barry 2019-01-21 14:54:08 UTC
Re-targeting to 4.3.1 since it is missing a patch, an acked blocker flag, or both

Comment 13 RHV bug bot 2019-02-21 17:26:11 UTC
WARN: Bug status (ON_QA) wasn't changed but the following should be fixed:

[Found non-acked flags: '{'rhevm-4.3-ga': '?'}', ]

For more info please contact: rhv-devops

Comment 20 Liran Rotenberg 2019-03-12 08:24:42 UTC
Verified on:
ovirt-engine-4.3.2-0.1.el7.noarch

Steps:
1. Add a new cluster / Change existing cluster to VNC encrypted.
2. Install a host in the cluster, check vnc_tls=1 in the /etc/libvirt/qemu.conf file.
3. Create a VM in the cluster.
4. Edit the VM to VNC console.
5. Start the VM.
6. Invoke a console to the VM.

Using tigerVNC, a connection is established and it is encrypted.
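
A check for step 2 of the verification above, as an added example that is not part of the original comment or of RHV: a plain grep for vnc_tls=1 would also match a commented-out line such as `#vnc_tls = 1` and would miss `vnc_tls = 1` written with spaces, so this function reads only active assignments. The function name `vnc_tls_state` and the `conflict` result are assumptions of this example; the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): report the active vnc_tls
# setting in a libvirt qemu.conf. Prints enabled, disabled, unset or conflict.
vnc_tls_state() {
    conf="${1:-/etc/libvirt/qemu.conf}"
    [ -r "$conf" ] || { echo "unreadable"; return 0; }
    awk '
        /^[ \t]*#/ { next }                 # commented-out lines do not count
        /^[ \t]*vnc_tls[ \t]*=/ {           # exact key, not vnc_tls_x509_*
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)   # strip "vnc_tls ="
            sub(/[ \t]*#.*$/, "", val)      # tolerate a trailing comment
            sub(/[ \t]+$/, "", val)         # strip trailing whitespace
            if (val == "1") on++
            else if (val == "0") off++
            else other++
        }
        END {
            if (on + off + other == 0)                 print "unset"
            else if (other > 0 || (on > 0 && off > 0)) print "conflict"
            else if (on > 0)                           print "enabled"
            else                                       print "disabled"
        }
    ' "$conf"
}

# Constructed sample: the commented line and the related key must not count.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#vnc_tls = 1
vnc_tls_x509_verify = 1
vnc_tls = 1
EOF
echo "sample: $(vnc_tls_state "$sample")"
rm -f "$sample"
```

On a host in the cluster, call `vnc_tls_state` with no argument to read /etc/libvirt/qemu.conf; anything other than `enabled` means the setting from step 2 is not active in that file.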

Comment 22 errata-xmlrpc 2019-05-08 12:37:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:1085