blob: bd7cb627832ba2720c4c89f64e5f9e61023c2fb2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
---
features:
- |
Added a number of new configuration options to the ``[vnc]`` group, which
together allow for the configuration of authentication used between the
*nova-novncproxy* server and the compute node VNC server.
- ``auth_schemes``
- ``vencrypt_client_key``
- ``vencrypt_client_cert``
- ``vencrypt_ca_certs``
For more information, refer to `the documentation`__.
__ https://docs.openstack.org/nova/latest/admin/remote-console-access.html
- |
The *nova-novncproxy* server can now be configured to do a security
negotiation with the compute node VNC server. If the VeNCrypt auth scheme
is enabled, this establishes a TLS session to provide encryption of all
data. The proxy will validate the x509 certs issued by the remote server to
ensure it is connecting to a valid compute node. The proxy can also send
its own x509 cert to allow the compute node to validate that the connection
comes from the official proxy server.
To make use of VeNCrypt, configuration steps are required for both the
`nova-novncproxy` service and libvirt on all the compute nodes. The
``/etc/libvirt/qemu.conf`` file should be modified to set the ``vnc_tls``
option to ``1``, and optionally the ``vnc_tls_x509_verify`` option to
``1``. Certificates must also be deployed on the compute node.
The ``nova.conf`` file should have the ``auth_schemes`` parameter in the
``vnc`` group set. If there are a mix of compute nodes, some with VeNCrypt
enabled and others with it disabled, then the ``auth_schemes``
configuration option should be set to ``['vencrypt', 'none']``.
Once all compute nodes have VeNCrypt enabled, the ``auth_schemes``
parameter can be set to just ``['vencrypt']``.
For more information, refer to `the documentation`__.
__ https://docs.openstack.org/nova/latest/admin/remote-console-access.html
|
