Virtual Network Computing (VNC) provides remote console (remote desktop) access to guest virtual machines through either the OpenStack dashboard or the command-line interface. Users of the OpenStack Compute service reach their instances with a VNC client that connects through the VNC proxy (noVNC). MCP enables you to encrypt both legs of that path with TLS: the connection between the VNC proxy and the OpenStack compute nodes, and the connection between the VNC clients and the VNC proxy.
Note
The procedures included in this section apply to new MCP OpenStack deployments only, unless specified otherwise.
To enable TLS encryption for VNC:
Open your Reclass model Git repository on the cluster level.
Enable the TLS encryption of communications between the OpenStack compute nodes and VNC proxy:
Note
The data encryption over TLS between the OpenStack compute nodes and VNC proxy is supported starting with the OpenStack Pike release.
In openstack/compute/init.yml, enable the TLS encryption on the OpenStack compute nodes by adding the system.nova.compute.libvirt.ssl.vnc class and pointing the proxy URL at HTTPS:

classes:
- system.nova.compute.libvirt.ssl.vnc
parameters:
  _param:
    ...
    nova_vncproxy_url: https://${_param:cluster_public_host}:6080
In openstack/control.yml, enable the TLS encryption on the VNC proxy by adding the system.nova.control.novncproxy.tls class and setting the same HTTPS proxy URL:

classes:
- system.nova.control.novncproxy.tls
parameters:
  _param:
    ...
    nova_vncproxy_url: https://${_param:cluster_public_host}:6080
In openstack/proxy.yml, define the HTTPS protocol for the nginx_proxy_novnc site:

nginx:
  server:
    site:
      nginx_proxy_novnc:
        proxy:
          protocol: https
Enable the TLS encryption of the communication between the VNC proxy and the VNC clients in openstack/control.yml:

Note
The data encryption over TLS between the VNC proxy and VNC clients is supported starting with the OpenStack Queens release.

nova:
  controller:
    novncproxy:
      tls:
        enabled: True
Available from 2019.2.4. Optionally, specify the TLS version to require and the SSL ciphers to allow for the Nova console proxy server:

nova:
  controller:
    novncproxy:
      tls:
        enabled: True
        version: <tls_version>
        ciphers: <ciphers>
The <tls_version> value is one of default, tlsv1_1, tlsv1_2, or tlsv1_3. Depending on your Python version, not all TLS versions may be available, in which case the proxy gracefully falls back to the newest version that is available.

The <ciphers> value is a comma-separated list of allowed SSL ciphers; which ciphers exist depends on your system and OpenSSL version. To obtain the list of available ciphers, together with the protocol and key exchange of each, run openssl ciphers -v on an OpenStack controller node. Because the console proxy is typically exposed on a public endpoint, prefer suites with forward secrecy (ECDHE or DHE key exchange) and leave out legacy ones such as RC4, 3DES and NULL.

Apply the changes:
salt 'cmp*' state.apply nova
salt 'ctl*' state.apply nova
salt 'prx*' state.apply nginx
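Before committing a version and ciphers pair to the model, it is worth confirming that the local OpenSSL accepts the cipher string and resolves it to the suites you expect. The following Python script is an added example written for this page; it is not Mirantis, Nova or noVNC code. It assumes the proxy builds its listening TLS context from the same two values and that the fallback to the newest available TLS version works as described above; the list of weak-cipher markers is the example's own, not a policy from the page. Run it on an OpenStack controller node so that the OpenSSL build matches the one the proxy uses.

```python
"""Sanity-check candidate `version` and `ciphers` values for
nova:controller:novncproxy:tls before they go into the Reclass model.

Added example for this page, not Mirantis or OpenStack code.  It builds an
ssl.SSLContext the way a TLS server would from the same two settings and
reports what the local OpenSSL actually resolves them to.
"""
import ssl

# Values the model's `version` parameter accepts (from the page), oldest first.
VERSION_NAMES = ("default", "tlsv1_1", "tlsv1_2", "tlsv1_3")

# Substrings that mark legacy or anonymous suites a public console proxy should
# not offer.  Assumption made for this example, not a policy from the page.
WEAK_MARKERS = ("NULL", "RC4", "DES", "MD5", "EXP", "ADH", "AECDH", "PSK", "SRP")


def resolve_min_version(name):
    """Map a `version` value to the ssl.TLSVersion to enforce as the minimum.

    Implements the fallback the page describes: if the requested version is
    not available in this Python/OpenSSL build, use the newest version that
    is (assumption: the proxy behaves the same way).
    """
    if name not in VERSION_NAMES:
        raise ValueError(f"unknown TLS version name {name!r}; "
                         f"expected one of {', '.join(VERSION_NAMES)}")
    if name == "default":
        return ssl.TLSVersion.MINIMUM_SUPPORTED
    ladder = [
        ("tlsv1_1", ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
        ("tlsv1_2", ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
        ("tlsv1_3", ssl.TLSVersion.TLSv1_3, ssl.HAS_TLSv1_3),
    ]
    wanted = [n for n, _, _ in ladder].index(name)
    # Walk down from the requested version to the first one this build has...
    for _, version, available in reversed(ladder[: wanted + 1]):
        if available:
            return version
    # ...or, if nothing at or below it is available, take the newest there is.
    for _, version, available in reversed(ladder):
        if available:
            return version
    raise RuntimeError("this Python/OpenSSL build supports no TLS version")


def check_console_tls(version, ciphers):
    """Resolve both settings against local OpenSSL and return a report dict.

    Raises ValueError when OpenSSL rejects the cipher string outright, which
    is what the proxy would hit at start-up with the same value.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = resolve_min_version(version)
    try:
        # OpenSSL accepts colons, commas or spaces as separators, so the
        # comma-separated form used in the model is passed through unchanged.
        ctx.set_ciphers(ciphers)
    except ssl.SSLError as exc:
        raise ValueError(f"OpenSSL rejected cipher string {ciphers!r}: {exc}") from exc
    resolved = ctx.get_ciphers()
    names = [c["name"] for c in resolved]
    return {
        "min_version": ctx.minimum_version.name,
        "ciphers": names,
        "weak": [n for n in names if any(m in n for m in WEAK_MARKERS)],
        # A key exchange that is neither (EC)DHE nor the TLS 1.3 "any" marker
        # means the suite offers no forward secrecy.
        "no_forward_secrecy": [
            c["name"] for c in resolved
            if c.get("kea") not in ("kx-ecdhe", "kx-dhe", "kx-any")
        ],
    }


if __name__ == "__main__":
    # Constructed sample values for the model; adjust to your own policy.
    report = check_console_tls(
        "tlsv1_2",
        "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,"
        "ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256",
    )
    print("minimum version:", report["min_version"])
    for name in report["ciphers"]:
        print("  allowed:", name)
    for key in ("weak", "no_forward_secrecy"):
        if report[key]:
            print(f"WARNING {key}:", ", ".join(report[key]))
```

A ValueError from check_console_tls means the proxy would refuse the same string at start-up; a non-empty weak or no_forward_secrecy list means the string resolves, but to suites you probably do not want on a public console endpoint. The report also shows which minimum version a given controller would actually enforce after the fallback described above.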