Bug 1534484 - RFE: [Deployment] Encrypt vnc traffic from controller node to compute nodes if ssl_only turned on
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-tripleo
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Target Milestone: beta
Target Release: 13.0 (Queens)
Assignee: Ollie Walsh
QA Contact: Archit Modi
URL: https://blueprints.launchpad.net/nova...
Whiteboard: upstream_milestone_none upstream_defi...
Depends On: encrypt_vnc_traffic 1539408 1563173
Blocks: 1419948 1442136 1077198
Reported: 2018-01-15 10:51 UTC by Stephen Finucane
Modified: 2019-09-09 15:08 UTC

Fixed In Version: puppet-tripleo-8.3.1-0.20180304033907.ed3285e.el7ost openstack-tripleo-heat-templates-8.0.0-0.20180304031147.el7ost
Doc Type: Enhancement
Doc Text:
Clone Of: encrypt_vnc_traffic
Last Closed: 2018-06-27 13:42:10 UTC
Target Upstream Version:

System ID Priority Status Summary Last Updated
OpenStack gerrit 535698 None master: MERGED puppet-nova: Add support for VNC TLS (I24a9841ba04c95df27599b4d7ac2da8416e751e5) 2018-03-16 18:14:10 UTC
OpenStack gerrit 536404 None master: MERGED puppet-tripleo: Add support for libvirt VNC TLS with option of a dedicated CA (Ic73bcbdbecc1bc05f43acdd5480370f37ead3fb8... 2018-03-16 18:14:03 UTC
OpenStack gerrit 550093 None stable/queens: MERGED tripleo-heat-templates: Add support for libvirt VNC TLS (I67ffd847dc2d1949833a9d7039ad51e4364e02da) 2018-03-16 18:13:51 UTC
Red Hat Product Errata RHEA-2018:2086 None None None 2018-06-27 13:42:55 UTC

Comment 11 Jon Schlueter 2018-03-16 18:16:46 UTC
removing master patch as stable/queens patch is landed

Comment 21 Damien Ciabrini 2018-04-03 10:10:29 UTC
When deploying OSP13 2018-03-29.1, I get a deployment failure at Step1:

        "Notice: /Stage[main]/Tripleo::Certmonger::Ca::Crl/Exec[tripleo-ca-crl-process-command]: Dependency File[tripleo-ca-crl] has failures: true", 

Which apparently is due to a SELinux denial:

    [root@compute-1 ~]# /usr/bin/getcert list -i libvirt-vnc-server-cert
    Number of certificates and requests being tracked: 4.
    Request ID 'libvirt-vnc-server-cert':
            status: NEED_CA_CERT_SAVE_PERMS
            stuck: yes
            key pair storage: type=FILE,location='/etc/pki/libvirt-vnc/server-key.pem'
            certificate: type=FILE,location='/etc/pki/libvirt-vnc/server-cert.pem'
            CA: IPA
            expires: unknown
            pre-save command:
            post-save command: "systemctl reload libvirtd"
            track: yes
            auto-renew: yes
    [root@compute-1 ~]# grep -i denied /var/log/audit/audit.log
    type=AVC msg=audit(1522743223.463:133): avc:  denied  { create } for  pid=15813 comm="certmonger" name="vnc.crt" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

Comment 29 errata-xmlrpc 2018-06-27 13:42:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
