Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1534484

Summary: RFE: [Deployment] Encrypt vnc traffic from controller node to compute nodes if ssl_only turned on
Product: Red Hat OpenStack
Reporter: Stephen Finucane <stephenfin>
Component: puppet-tripleo
Assignee: Ollie Walsh <owalsh>
Status: CLOSED ERRATA
QA Contact: Archit Modi <amodi>
Severity: high
Priority: low
Version: 13.0 (Queens)
CC: amodi, awaugama, berrange, brault, dciabrin, eglynn, jhakimra, jjoyce, josorior, jschluet, lyarwood, markmc, mburns, mtessun, nlevinki, owalsh, pneedle, rhel-osp-director-maint, rhos-integ, sclewis, scorcora, sgordon, slinaber, srevivo, stephenfin, tvignaud, vpopovic
Target Milestone: beta
Keywords: FutureFeature, Triaged
Target Release: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
URL: https://blueprints.launchpad.net/nova/+spec/websocket-proxy-to-host-security
Whiteboard: upstream_milestone_none upstream_definition_approved upstream_status_needs-code-review
Fixed In Version: puppet-tripleo-8.3.1-0.20180304033907.ed3285e.el7ost openstack-tripleo-heat-templates-8.0.0-0.20180304031147.el7ost
Doc Type: Enhancement
Clone Of: encrypt_vnc_traffic
Last Closed: 2018-06-27 13:42:10 UTC
Type: Bug
Bug Depends On: 1025429, 1539408, 1563173
Bug Blocks: 1077198, 1419948, 1442136

Comment 11 Jon Schlueter 2018-03-16 18:16:46 UTC
Removing the master patch, as the stable/queens patch has landed.

Comment 21 Damien Ciabrini 2018-04-03 10:10:29 UTC
When deploying OSP13 2018-03-29.1, I get a deployment failure at Step 1:

        "Notice: /Stage[main]/Tripleo::Certmonger::Ca::Crl/Exec[tripleo-ca-crl-process-command]: Dependency File[tripleo-ca-crl] has failures: true", 

This is apparently due to an SELinux denial:

    [root@compute-1 ~]# /usr/bin/getcert list -i libvirt-vnc-server-cert
    Number of certificates and requests being tracked: 4.
    Request ID 'libvirt-vnc-server-cert':
            status: NEED_CA_CERT_SAVE_PERMS
            stuck: yes
            key pair storage: type=FILE,location='/etc/pki/libvirt-vnc/server-key.pem'
            certificate: type=FILE,location='/etc/pki/libvirt-vnc/server-cert.pem'
            CA: IPA
            issuer:
            subject:
            expires: unknown
            pre-save command:
            post-save command: "systemctl reload libvirtd"
            track: yes
            auto-renew: yes
     
    [root@compute-1 ~]# grep -i denied /var/log/audit/audit.log
    type=AVC msg=audit(1522743223.463:133): avc:  denied  { create } for  pid=15813 comm="certmonger" name="vnc.crt" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
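
The AVC record quoted in that comment carries the whole diagnosis: a process running as certmonger_t tried to create a file that would be labelled etc_t, and the policy does not permit that. What follows is an added example, not code from this bug, from puppet-tripleo or from certmonger: a small Python parser that turns audit.log AVC records into structured values, filters them by the denied command, and collapses them into the allow rules that audit2allow would print. The sample log is constructed for the example: its first line is the denial from comment 21, the SYSCALL line and the second AVC (a made-up "fakedaemon" process and types) exist only so the filters have something to skip.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample audit.log excerpt. The first AVC line is the denial quoted
# in comment 21; the SYSCALL line and the "fakedaemon" AVC are invented here.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1522743223.463:133): avc:  denied  { create } for  pid=15813 comm="certmonger" name="vnc.crt" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1522743223.463:133): arch=c000003e syscall=2 success=no exit=-13 comm="certmonger" exe="/usr/sbin/certmonger"
type=AVC msg=audit(1522743300.100:140): avc:  denied  { read write } for  pid=2200 comm="fakedaemon" name="scratch" scontext=system_u:system_r:fakedaemon_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

# Shape of an AVC record: header with timestamp:serial, the verdict, the
# permission set in braces, then free-form key=value fields.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Avc:
    timestamp: float
    serial: int
    result: str
    perms: Tuple[str, ...]
    comm: str
    name: str
    scontext: str
    tcontext: str
    tclass: str

    @property
    def source_type(self) -> str:
        # user:role:type:level -> the type component is what policy rules use
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc_line(line: str) -> Optional[Avc]:
    """Return an Avc for a type=AVC record, None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not all(k in kv for k in ("scontext", "tcontext", "tclass")):
        return None
    return Avc(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        result=m.group("result"),
        perms=tuple(m.group("perms").split()),
        comm=kv.get("comm", ""),
        name=kv.get("name", ""),
        scontext=kv["scontext"],
        tcontext=kv["tcontext"],
        tclass=kv["tclass"],
    )


def denials(log_text: str, comm: Optional[str] = None) -> List[Avc]:
    """All 'denied' AVC records in the log, optionally only for one command."""
    found = []
    for line in log_text.splitlines():
        avc = parse_avc_line(line)
        if avc is None or avc.result != "denied":
            continue
        if comm is not None and avc.comm != comm:
            continue
        found.append(avc)
    return found


def summarize(avc: Avc) -> str:
    return (f"{avc.comm} ({avc.source_type}) was denied {','.join(avc.perms)} "
            f"on {avc.tclass} '{avc.name}' labelled {avc.target_type}")


def audit2allow_rules(avcs: List[Avc]) -> List[str]:
    """Merge denials into one allow rule per (source, target, class), the way
    audit2allow does. Useful for reading a denial; a blanket allow is rarely
    the right fix when the real problem is a mislabelled path."""
    merged = {}
    for a in avcs:
        merged.setdefault((a.source_type, a.target_type, a.tclass), set()).update(a.perms)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    certmonger_denials = denials(SAMPLE_AUDIT_LOG, comm="certmonger")
    for d in certmonger_denials:
        print(summarize(d))
    for rule in audit2allow_rules(certmonger_denials):
        print(rule)
```

Reading the output for the certmonger record (certmonger_t denied create on a file that would be etc_t under /etc/pki/libvirt-vnc) tells you which of two fixes applies: a rule allowing certmonger_t to create etc_t files, or a file-context mapping so that the directory's files get a type certmonger is already allowed to manage. The page does not say which route the fixed puppet-tripleo build took; in general the labelling fix is preferable because it does not widen what certmonger may write across all of /etc.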

Comment 29 errata-xmlrpc 2018-06-27 13:42:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086