Bug 1025429 (encrypt_vnc_traffic) - RFE: encrypt vnc traffic from controller node to compute nodes if ssl_only turned on
Keywords:
Status: CLOSED ERRATA
Alias: encrypt_vnc_traffic
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
Version: unspecified
Hardware: Unspecified
OS: Unspecified
low
high
Target Milestone: Upstream M3
: 13.0 (Queens)
Assignee: Stephen Finucane
QA Contact: Archit Modi
URL: https://blueprints.launchpad.net/nova...
Whiteboard: upstream_milestone_none upstream_defi...
Duplicates: 865343 1086964 1449307 1484394
Depends On: 1554444
Blocks: 1419948 1442136 1077198 1534484 1539408
Reported: 2013-10-31 16:35 UTC by Vladan Popovic
Modified: 2020-06-11 12:35 UTC

Fixed In Version: openstack-nova-17.0.1-0.20180302144923.9ace6ed.el7ost
Doc Type: Enhancement
Doc Text:
Clone Of:
: 1534484 1539408
Environment:
Last Closed: 2018-06-27 13:26:22 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
OpenStack gerrit 345399 None MERGED console: Provide an RFB security proxy implementation 2020-08-26 15:08:23 UTC
OpenStack gerrit 496160 None MERGED Websockify security proxy framework 2020-08-26 15:08:23 UTC
Red Hat Product Errata RHEA-2018:2086 normal SHIPPED_LIVE Red Hat OpenStack Platform 13.0 Enhancement Advisory 2018-06-28 19:51:39 UTC

Description Vladan Popovic 2013-10-31 16:35:01 UTC
Description of problem:

If we break the novnc connections into three parts as below:

 client browser (1) -----> novnc proxy (2)  ------> compute node (3)

Then the present status is: connection from browser to proxy is encrypted, while the novnc proxy (on controller nodes) to compute nodes are NOT.

We would like the novnc traffic from controller node to compute nodes to be encrypted as well.

Comment 4 Stephen Gordon 2014-01-22 15:42:14 UTC
I think we need to raise a BP for this upstream to get things moving.

Comment 6 Solly Ross 2014-10-23 16:02:14 UTC
*** Bug 865343 has been marked as a duplicate of this bug. ***

Comment 7 Solly Ross 2014-10-23 19:50:25 UTC
This was accepted for Juno but the code didn't get merged due to review bandwidth.

The blueprint has been re-introduced and should make it in for Kilo.

Comment 8 Solly Ross 2014-11-11 20:50:51 UTC
The blueprint was accepted, and code has been posted to upstream Gerrit.

Comment 10 Eoghan Glynn 2015-03-03 17:25:49 UTC
The upstream patch:

  https://review.openstack.org/115483

has missed the Kilo window and been deferred to Liberty-1, bumping this BZ appropriately.

Comment 16 Daniel Berrangé 2015-09-08 15:13:08 UTC
This patch missed Liberty too, but I will take it up again for Mitaka. The code is basically done, so hopefully it is an exercise in rubber stamping the code review.

Comment 17 Stephen Gordon 2016-02-02 20:22:25 UTC
(In reply to Daniel Berrange from comment #16)
> This patch missed Liberty too, but I will take it up again for Mitaka. The
> code is basically done, so hopefully it is an exercise in rubber stamping the
> code review.

Unfortunately it looks like we missed Mitaka (not for want of trying), moving to next release.

Comment 19 Stephen Gordon 2016-07-07 16:06:07 UTC
Missed Newton freeze, moving out to Ocata.

Comment 27 Stephen Finucane 2017-09-01 08:38:31 UTC
*** Bug 1484394 has been marked as a duplicate of this bug. ***

Comment 29 Stephen Finucane 2017-10-06 13:54:43 UTC
*** Bug 1449307 has been marked as a duplicate of this bug. ***

Comment 30 Stephen Finucane 2017-10-06 13:54:51 UTC
*** Bug 1086964 has been marked as a duplicate of this bug. ***

Comment 33 Stephen Finucane 2018-01-10 16:39:28 UTC
Reviews available here https://review.openstack.org/#/q/branch:master+topic:bp/websocket-proxy-to-host-security

Comment 35 Stephen Finucane 2018-03-15 15:55:52 UTC
Sorry for the delay.

Comment 37 Stephen Finucane 2018-03-15 16:03:18 UTC
The various patches, all of which have now landed, can be viewed here:

https://review.openstack.org/#/q/(status:merged+OR+status:open)+branch:master+topic:bp/websocket-proxy-to-host-security

Comment 41 errata-xmlrpc 2018-06-27 13:26:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086

