Bug 1025429 – RFE: encrypt vnc traffic from controller node to compute nodes if ssl_only turned on

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1025429 - (encrypt_vnc_traffic) RFE: encrypt vnc traffic from controller node to compute nodes if ssl_only turned on

Summary:	RFE: encrypt vnc traffic from controller node to compute nodes if ssl_only tu...

Status:	CLOSED ERRATA

Aliases:	encrypt_vnc_traffic

Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-nova (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	Unspecified Unspecified

Priority	low Severity high
Target Milestone:	Upstream M3
Target Release:	13.0 (Queens)
Assigned To:	Stephen Finucane
QA Contact:	Archit Modi
Docs Contact:

URL:	https://blueprints.launchpad.net/nova...
Whiteboard:	upstream_milestone_none upstream_defi...
Keywords:	FutureFeature, Triaged

Duplicates:	865343 1086964 1449307 1484394 (view as bug list)
Depends On:	1554444
Blocks:	1419948 1442136 1077198 1534484 1539408
	Show dependency tree / graph

Reported:	2013-10-31 12:35 EDT by Vladan Popovic
Modified:	2018-06-27 09:26 EDT (History)
CC List:	17 users (show)

See Also:
Fixed In Version:	openstack-nova-17.0.1-0.20180302144923.9ace6ed.el7ost
Doc Type:	Enhancement
Doc Text:
Story Points:	---
Clone Of:
Clones:	1534484 1539408 (view as bug list)
Environment:
Last Closed:	2018-06-27 09:26:22 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
OpenStack gerrit	345399	None	None	None	2018-03-15 12:01 EDT
OpenStack gerrit	496160	None	None	None	2018-03-15 11:55 EDT
Red Hat Product Errata	RHEA-2018:2086	normal	SHIPPED_LIVE	Red Hat OpenStack Platform 13.0 Enhancement Advisory	2018-06-28 15:51:39 EDT

Groups: None (edit)

Description Vladan Popovic 2013-10-31 12:35:01 EDT

Description of problem:

If we break the novnc connections into three parts as below:

 client browser (1) -----> novnc proxy (2)  ------> compute node (3)

Then the present status is: connection from browser to proxy is encrypted, while the nonvnc proxy(on controller nodes) to compute nodes are NOT.

We would like the novnc traffic from controller node to compute nodes be encrypted as wel.

Comment 4 Stephen Gordon 2014-01-22 10:42:14 EST

I think we need to raise a BP for this upstream to get things moving.

Comment 6 Solly Ross 2014-10-23 12:02:14 EDT

*** Bug 865343 has been marked as a duplicate of this bug. ***

Comment 7 Solly Ross 2014-10-23 15:50:25 EDT

This was accepted for Juno but the code didn't get merged due to review bandwidth.

The blueprint has been re-introduced and should make it in for Kilo.

Comment 8 Solly Ross 2014-11-11 15:50:51 EST

The blueprint was accepted, and code has been posted to upstream Gerrit.

Comment 10 Eoghan Glynn 2015-03-03 12:25:49 EST

The upstream patch:

  https://review.openstack.org/115483

has missed the Kilo window and been deferred to Liberty-1, bumping this BZ appropriately.

Comment 16 Daniel Berrange 2015-09-08 11:13:08 EDT

This patch missed Liberty too, but I will take it up again for Mitaka. The code is basically done, so hopefully it is a exercise in rubber stamping the code review.

Comment 17 Stephen Gordon 2016-02-02 15:22:25 EST

(In reply to Daniel Berrange from comment #16)
> This patch missed Liberty too, but I will take it up again for Mitaka. The
> code is basically done, so hopefully it is a exercise in rubber stamping the
> code review.

Unfortunately it looks like we missed Mitaka (not for want of trying), moving to next release.

Comment 19 Stephen Gordon 2016-07-07 12:06:07 EDT

Missed Newton freeze, moving out to Ocata.

Comment 27 Stephen Finucane 2017-09-01 04:38:31 EDT

*** Bug 1484394 has been marked as a duplicate of this bug. ***

Comment 29 Stephen Finucane 2017-10-06 09:54:43 EDT

*** Bug 1449307 has been marked as a duplicate of this bug. ***

Comment 30 Stephen Finucane 2017-10-06 09:54:51 EDT

*** Bug 1086964 has been marked as a duplicate of this bug. ***

Comment 33 Stephen Finucane 2018-01-10 11:39:28 EST

Reviews available here https://review.openstack.org/#/q/branch:master+topic:bp/websocket-proxy-to-host-security

Comment 35 Stephen Finucane 2018-03-15 11:55:52 EDT

Sorry for the delay.

Comment 37 Stephen Finucane 2018-03-15 12:03:18 EDT

The various patches, all of which have now landed, can be viewed here:

https://review.openstack.org/#/q/(status:merged+OR+status:open)+branch:master+topic:bp/websocket-proxy-to-host-security

Comment 41 errata-xmlrpc 2018-06-27 09:26:22 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086

Note You need to log in before you can comment on or make changes to this bug.