Bug 1597085 - [RFE] End-to-end VNC encryption for RHV VMs
Summary: [RFE] End-to-end VNC encryption for RHV VMs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.2.4
Hardware: Unspecified
OS: Unspecified
high
urgent
Target Milestone: ovirt-4.3.3
: 4.3.0
Assignee: Tomasz Barański
QA Contact: Liran Rotenberg
URL:
Whiteboard:
Depends On:
Blocks: 1520566 1633585 1640357
Reported: 2018-07-02 03:09 UTC by Marina Kalinin
Modified: 2019-05-08 12:38 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
A new option has been added to the Administration Portal under Compute > Clusters in the Console configuration screen: Enable VNC Encryption
Clone Of:
: 1633585
Environment:
Last Closed: 2019-05-08 12:37:51 UTC
oVirt Team: Virt
Target Upstream Version:
lrotenbe: testing_plan_complete+



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHEA-2019:1085 | 0 | None | None | None | 2019-05-08 12:38:14 UTC
oVirt gerrit | 94695 | 0 | 'None' | MERGED | core: WebSocketProxy handles VeNCrypt handshake | 2021-02-18 22:00:10 UTC
oVirt gerrit | 96382 | 0 | 'None' | MERGED | core: NoVNC with E2E encryption fails | 2021-02-18 22:00:10 UTC

Description Marina Kalinin 2018-07-02 03:09:32 UTC
RHV should have end to end VNC encryption for accessing its VMs via VNC.

It is possible to enable tls in qemu vnc server[1], but RHV does not use it and does not expose this option to the user via RHV portals.

How this request should be implemented:
- Provide "Enable TLS" option for VM console when VNC is chosen.
- If "Enable TLS" is selected, once VNC connection is established, it should be encrypted end to end, from client to the host.


[1] https://wiki.libvirt.org/page/VNCTLSSetup

Comment 11 Ryan Barry 2019-01-21 14:54:08 UTC
Re-targeting to 4.3.1 since it is missing a patch, an acked blocker flag, or both

Comment 13 RHV bug bot 2019-02-21 17:26:11 UTC
WARN: Bug status (ON_QA) wasn't changed but the following should be fixed:

[Found non-acked flags: '{'rhevm-4.3-ga': '?'}', ]

For more info please contact: rhv-devops@redhat.com

INFO: Bug status (ON_QA) wasn't changed but the following should be fixed:

[Found non-acked flags: '{'rhevm-4.3-ga': '?'}', ]

For more info please contact: rhv-devops@redhat.com

Comment 20 Liran Rotenberg 2019-03-12 08:24:42 UTC
Verified on:
ovirt-engine-4.3.2-0.1.el7.noarch

Steps:
1. Add a new cluster / Change existing cluster to VNC encrypted.
2. Install a host in the cluster, check vnc_tls=1 in the /etc/libvirt/qemu.conf file.
3. Create a VM in the cluster.
4. Edit the VM to VNC console.
5. Start the VM.
6. Invoke a console to the VM.

Using TigerVNC, a connection is established and it is encrypted.
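
A check for step 2 of the verification steps above, as an added example that is not part of the original comment or of oVirt: it reads the effective vnc_tls value from a qemu.conf-style file, which a plain grep gets wrong when the file holds a commented-out `#vnc_tls = 1` line or has spaces around `=`. The function names, the last-assignment-wins handling and the sample files are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not oVirt or libvirt code).

# conf_value FILE KEY
# Print the value assigned to KEY in a "key = value" file. Commented-out
# lines are ignored. If KEY is assigned more than once, the last assignment
# is reported (an assumption of this script).
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # commented-out setting
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)       # trim the key
            sub(/[ \t]*#.*$/, "", v)             # drop a trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "", v)       # trim the value
            gsub(/^"|"$/, "", v)                 # unquote string values
            if (k == key) found = v
        }
        END { print found }
    ' "$1"
}

# vnc_tls_state FILE -> enabled | disabled | unset | invalid
vnc_tls_state() {
    case "$(conf_value "$1" vnc_tls)" in
        1)  echo enabled ;;
        0)  echo disabled ;;
        "") echo unset ;;
        *)  echo invalid ;;
    esac
}

# Constructed sample files standing in for /etc/libvirt/qemu.conf.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '#vnc_tls = 1' 'vnc_listen = "0.0.0.0"' > "$demo/default.conf"
printf '%s\n' '#vnc_tls = 0' 'vnc_tls=1  # constructed sample' > "$demo/encrypted.conf"
printf '%s\n' 'vnc_tls = 1' 'vnc_tls = 0' > "$demo/overridden.conf"

for f in "$demo"/*.conf; do
    printf '%s: vnc_tls %s\n' "${f##*/}" "$(vnc_tls_state "$f")"
done
```

On a host, `vnc_tls_state /etc/libvirt/qemu.conf` should report `enabled` once the cluster option has been applied.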

Comment 22 errata-xmlrpc 2019-05-08 12:37:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:1085

