OpenStack Compute (nova)

Enable tls mode for console access in openstack

Registered by Meghal Gosalia

Both spice and vnc have tls mode configuration available in qemu.conf.
If it is turned on, additional tls port is opened up for spice/vnc which accepts SSL connection.

Currently openstack provides a way to connect to the spice/vnc console of vm
using nova-spicehtml5proxy or nova-novncproxy.

These proxies connect to the console using non-SSL socket.
There should be a configuration option provided in nova.conf called tls_mode.
If tls_mode is turned on, then the proxy will attempt to connect to the spice/vnc tls port using SSL connection.

This will help encrypt all connections from proxy to the console.

Blueprint information

Status:
Complete
Approver:
None
Priority:
Undefined
Drafter:
Meghal Gosalia
Direction:
Needs approval
Assignee:
Meghal Gosalia
Definition:
Obsolete
Series goal:
None
Implementation:
Unknown
Milestone target:
None
Completed by
John Garbutt

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/console-tls-mode,n,z

Addressed by: https://review.openstack.org/101026
    In this blueprint, we aim to connect to spice/vnc console of the vm using SSL wrapped socket, if enabled in the configuration.

Gerrit topic: https://review.openstack.org/#q,topic:bp/to,n,z

Please see:
https://blueprints.launchpad.net/nova/+spec/websocket-proxy-to-host-security

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.