libvirt: Generic Framework for Securing VNC and SPICE Proxy-To-Compute-Node Connections

Registered by Solly Ross

Currently, while the noVNC and HTML5 SPICE clients can use TLS-encrypted
WebSockets to communicate with Websockify (and authenticate with Nova console
tokens), the encryption and authentication ends there. There are neither
encryption nor authentication between Websockify and the hypervisors'
VNC and SPICE servers.

This blueprint would propose introducing a generic framework for supporting
MITM security for Websockify to use between itself and the compute nodes.

Blueprint information

Status:
Complete
Approver:
John Garbutt
Priority:
Medium
Drafter:
Solly Ross
Direction:
Approved
Assignee:
Stephen Finucane
Definition:
Approved
Series goal:
Accepted for queens
Implementation:
Implemented
Milestone target:
milestone icon queens-3
Started by
Matt Riedemann
Completed by
Matt Riedemann

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/to,n,z

Addressed by: https://review.openstack.org/86422
    Blueprint to use VeNCrypt between proxy and node

Gerrit topic: https://review.openstack.org/#q,topic:bp/for,n,z

Addressed by: https://review.openstack.org/126958
    Blueprint for Websockify security proxy framework

Not enough positive reviews on this code for it to make kilo-1, moving to kilo-2 --johnthetubaguy 17th December 2014

Sorry, we have now hit the non-priority feature freeze for kilo. Please resubmit your spec for the L release. -- ttx on behalf of johnthetubaguy 5th Feb 2015

Addressed by: https://review.openstack.org/207006
    Blueprint for Websockify security proxy framework

Pending Patches
=============

Gerrit topic: https://review.openstack.org/#q,topic:bp/websocket-proxy-to-host-security,n,z

Addressed by: https://review.openstack.org/115483
    Introduce VNC Security Proxy Framework

Addressed by: https://review.openstack.org/115484
    Add VeNCrypt (TLS/x509) Security Proxy Driver

Sorry, we have now hit the Non-Priority Feature Freeze for Mitaka. For more details please see: http://docs.openstack.org/releases/schedules/mitaka.html#m-nova-npff and http://docs.openstack.org/developer/nova/process.html#non-priority-feature-freeze
--johnthetubaguy 2016.01.31

Gerrit topic: https://review.openstack.org/#q,topic:bp/proposes,n,z

Addressed by: https://review.openstack.org/284093
    Websockify security proxy framework

Doesn't look like anything was pushed up for code for this so I'm deferring for Newton. -- mriedem 20160629

Sorry, I didn't realize the series was being updated under https://review.openstack.org/#/q/topic:bp/websocket-proxy-to-host-security - I'll toggle the LP bits here again. -- mriedem 20160630

There are still pending changes for this and we're not at non-priority blueprint feature freeze for Newton. -- mriedem 20160701

Addressed by: https://review.openstack.org/345396
    console: introduce basic framework for security proxying

Addressed by: https://review.openstack.org/345397
    console: introduce framework for RFB authentication

Addressed by: https://review.openstack.org/345398
    console: introduce the VeNCrypt RFB authentication scheme

Addressed by: https://review.openstack.org/345399
    console: provide an RFB security proxy implementation

Addressed by: https://review.openstack.org/346821
    Websockify security proxy framework

Re-approved for Ocata. -- mriedem 20161031

We're now past the feature freeze for Ocata so I've deferred this to Pike. -- mriedem 20170128

Addressed by: https://review.openstack.org/443234
    Websockify security proxy framework

Re-approved for Pike. -- mriedem 20170310

Addressed by: https://review.openstack.org/485733
    DNM: Try to figure out what the tenant is returning

We're past feature freeze for Pike so I'm deferring this to Queens. Please re-propose the spec for re-approval in Queens and make any adjustments to the spec as necessary if the design has changed. -- mriedem 20170728

Addressed by: https://review.openstack.org/496160
    Websockify security proxy framework

Addressed by: https://review.openstack.org/500544
    doc: Document TLS security setup for noVNC proxy

Re-approved for Queens. -- mriedem 20171003

Addressed by: https://review.openstack.org/531833
    fixup! console: introduce the VeNCrypt RFB authentication scheme

Addressed by: https://review.openstack.org/531834
    console: Send bytes to sockets

Addressed by: https://review.openstack.org/534368
    Fix accumulated nits

Addressed by: https://review.openstack.org/534724
    doc: Remove duplicate 'vnc' config opt descriptions

We still need to work on enabling this in our 'nova-next' CI job for test coverage, but the code and documentation itself is merged in nova for Queens so I'm marking the blueprint complete. -- mriedem 20180122

(?)

Work Items