1025429 – (encrypt_vnc_traffic) RFE: encrypt vnc traffic from controller node to compute nodes if ssl_only turned on

Bug 1025429 (encrypt_vnc_traffic) - RFE: encrypt vnc traffic from controller node to compute nodes if ssl_only turned on

Summary: RFE: encrypt vnc traffic from controller node to compute nodes if ssl_only tu...

Keywords:
Status:	CLOSED ERRATA
Alias:	encrypt_vnc_traffic
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-nova
Sub Component:
Version:	unspecified
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	high
Target Milestone:	Upstream M3
Target Release:	13.0 (Queens)
Assignee:	Stephen Finucane
QA Contact:	Archit Modi
Docs Contact:
URL:	https://blueprints.launchpad.net/nova...
Whiteboard:	upstream_milestone_none upstream_defi...
Duplicates (4):	865343 1086964 1449307 1484394 (view as bug list)
Depends On:	1554444
Blocks:	1419948 1442136 1077198 1534484 1539408
TreeView+	depends on / blocked

Reported:	2013-10-31 16:35 UTC by Vladan Popovic
Modified:	2020-06-11 12:35 UTC (History)
CC List:	16 users (show)
Fixed In Version:	openstack-nova-17.0.1-0.20180302144923.9ace6ed.el7ost
Doc Type:	Enhancement
Doc Text:
Clone Of:
Clones:	1534484 1539408 (view as bug list)
Environment:
Last Closed:	2018-06-27 13:26:22 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
OpenStack gerrit	345399	None	MERGED	console: Provide an RFB security proxy implementation	2020-08-26 15:08:23 UTC
OpenStack gerrit	496160	None	MERGED	Websockify security proxy framework	2020-08-26 15:08:23 UTC
Red Hat Product Errata	RHEA-2018:2086	normal	SHIPPED_LIVE	Red Hat OpenStack Platform 13.0 Enhancement Advisory	2018-06-28 19:51:39 UTC

Description Vladan Popovic 2013-10-31 16:35:01 UTC

Description of problem:

If we break the novnc connections into three parts as below:

 client browser (1) -----> novnc proxy (2)  ------> compute node (3)

Then the present status is: connection from browser to proxy is encrypted, while the nonvnc proxy(on controller nodes) to compute nodes are NOT.

We would like the novnc traffic from controller node to compute nodes be encrypted as wel.

Comment 4 Stephen Gordon 2014-01-22 15:42:14 UTC

I think we need to raise a BP for this upstream to get things moving.

Comment 6 Solly Ross 2014-10-23 16:02:14 UTC

*** Bug 865343 has been marked as a duplicate of this bug. ***

Comment 7 Solly Ross 2014-10-23 19:50:25 UTC

This was accepted for Juno but the code didn't get merged due to review bandwidth.

The blueprint has been re-introduced and should make it in for Kilo.

Comment 8 Solly Ross 2014-11-11 20:50:51 UTC

The blueprint was accepted, and code has been posted to upstream Gerrit.

Comment 10 Eoghan Glynn 2015-03-03 17:25:49 UTC

The upstream patch:

  https://review.openstack.org/115483

has missed the Kilo window and been deferred to Liberty-1, bumping this BZ appropriately.

Comment 16 Daniel Berrangé 2015-09-08 15:13:08 UTC

This patch missed Liberty too, but I will take it up again for Mitaka. The code is basically done, so hopefully it is a exercise in rubber stamping the code review.

Comment 17 Stephen Gordon 2016-02-02 20:22:25 UTC

(In reply to Daniel Berrange from comment #16)
> This patch missed Liberty too, but I will take it up again for Mitaka. The
> code is basically done, so hopefully it is a exercise in rubber stamping the
> code review.

Unfortunately it looks like we missed Mitaka (not for want of trying), moving to next release.

Comment 19 Stephen Gordon 2016-07-07 16:06:07 UTC

Missed Newton freeze, moving out to Ocata.

Comment 27 Stephen Finucane 2017-09-01 08:38:31 UTC

*** Bug 1484394 has been marked as a duplicate of this bug. ***

Comment 29 Stephen Finucane 2017-10-06 13:54:43 UTC

*** Bug 1449307 has been marked as a duplicate of this bug. ***

Comment 30 Stephen Finucane 2017-10-06 13:54:51 UTC

*** Bug 1086964 has been marked as a duplicate of this bug. ***

Comment 33 Stephen Finucane 2018-01-10 16:39:28 UTC

Reviews available here https://review.openstack.org/#/q/branch:master+topic:bp/websocket-proxy-to-host-security

Comment 35 Stephen Finucane 2018-03-15 15:55:52 UTC

Sorry for the delay.

Comment 37 Stephen Finucane 2018-03-15 16:03:18 UTC

The various patches, all of which have now landed, can be viewed here:

https://review.openstack.org/#/q/(status:merged+OR+status:open)+branch:master+topic:bp/websocket-proxy-to-host-security

Comment 41 errata-xmlrpc 2018-06-27 13:26:22 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086

Note You need to log in before you can comment on or make changes to this bug.