This patch adds the following SPICE-related configuration option
to the 'spice' configuration group:
- require_secure
When set to true, libvirt will be provided with domain XML which
configures SPICE VDI consoles to require secure connections (that
is, connections protected by TLS). Attempts to connect without
TLS will receive an error indicating they should retry the connection
on the TLS port.
Change-Id: Ica7083b0836f8d66cad8a4b4097613103fc91560
The RDP console was only for the HyperV driver, so removing the
API. As the API URL stays the same (because the same is used for other
console types API), the RDP console API will return 400.
Cleaning up the related config options as well as moving its
API ref to the obsolete section.
Keeping RPC method to avoid error when old controller is used
with new compute. It can be removed in next RPC version bump.
Change-Id: I8f5755009da4af0d12bda096d7a8e85fd41e1a8c
This patch adds the following SPICE-related options to the 'spice'
configuration group of a Nova configuration:
- image_compression
- jpeg_compression
- zlib_compression
- playback_compression
- streaming_mode
These configuration options can be used to enable and set the SPICE
compression settings for libvirt (QEMU/KVM) provisioned instances.
Each configuration option is optional and can be set explicitly to
configure the associated SPICE compression setting for libvirt. If all
configuration options are not set, then none of the SPICE compression
settings will be configured for libvirt, which corresponds to the
behavior before this change. In this case, the built-in defaults from
the libvirt backend (e.g. QEMU) are used.
Note that those options are only taken into account if SPICE support is
enabled (and the VNC support is disabled).
Implements: blueprint nova-support-spice-compression-algorithm
Change-Id: Ia7efeb1b1a04504721e1a5bdd1b5fa7a87cdb810
These options were deprecated way back in Rocky due to buggy behavior
they introduced. We can remove them now.
Change-Id: I9266edfd4ea6315239c54ff8d91e37d197c760c0
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
The console proxies (VNC, SPICE, etc) currently don't allow the
allowed TLS ciphers and protocol versions to be configurable. This
results in the defaults being used from the underlying system,
which may not be secure enough for many deployments. This patch
allows for the ciphers and minimum SSL/TLS protocol version for
each console proxy to be configured in nova's config.
We utilize websockify underneath our console proxies, which added
support for allowed ciphers and the SSL/TLS version to be
configurable as of version 0.9.0. This change updates the lower
constraint for this dependency.
Closes-Bug: #1842149
Related-Bug: #1771773
Change-Id: I23ac1cc79482d0fabb359486a4b934463854cae5
This legacy service is no longer used and was deprecated during the
Stein cycle [1]. It's time to say adios and remove them in their
entirety. This is pretty straightforward, with the sole exception of
schema for the 'remote-consoles' API, which has to continue supporting
requests for type 'xvpvnc' even if we can't fulfil those requests now.
[1] https://review.opendev.org/#/c/610076/
Part of blueprint remove-xvpvncproxy
Depends-On: https://review.opendev.org/695853
Change-Id: I2f7f2379d0cd54e4d0a91008ddb44858cfc5a4cf
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
As discussed on the following review:
https://review.opendev.org/674916
this adds a note indicating that the version of noVNC needs to be at
least v1.1.0 in order for the nova-novncproxy to work with ESX/ESXi
hypervisors.
Related-Bug: #1822676
Change-Id: Ia4ba37b6d6a1e4b5c75e38f4bcc2bea1d9ba9560
We're going to remove all the code, but first, remove the docs.
Part of blueprint remove-consoleauth
Change-Id: Ie96e18ea7762b93b4116b35d7ebcfcbe53c55527
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
Starting in noVNC v1.1.0, the token query parameter is no longer
forwarded via cookie [1]. We must instead use the 'path' query
parameter to pass the token through to the websocketproxy [2].
This means that if someone deploys noVNC v1.1.0, VNC consoles will
break in nova because the code is relying on the cookie functionality
that v1.1.0 removed.
This modifies the ConsoleAuthToken.access_url property to include the
'path' query parameter as part of the returned access_url that the
client will use to call the console proxy service.
This change is backward compatible with noVNC < v1.1.0. The 'path' query
parameter is a long supported feature in noVNC.
Co-Authored-By: melanie witt <melwittt@gmail.com>
Closes-Bug: #1822676
[1] https://github.com/novnc/noVNC/commit/51f9f0098d306bbc67cc8e02ae547921b6f6585c
[2] https://github.com/novnc/noVNC/pull/1220
Change-Id: I2ddf0f4d768b698e980594dd67206464a9cea37b
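
The URL shape described in the commit message above, as an added Python sketch that is not nova's or noVNC's own code. The function names, host name and token value are constructed for illustration; the cookie fallback models the pre-v1.1.0 forwarding the message refers to.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlsplit


def build_access_url(base_url, token):
    """Console URL handed to the client: the token is nested inside 'path'.

    urlencode() percent-encodes the inner '?token=...' so it survives as a
    single query value instead of being parsed as a top-level parameter.
    """
    return "%s?%s" % (base_url, urlencode({"path": "?token=%s" % token}))


def websocket_path_from_access_url(access_url):
    """Path a noVNC client opens its websocket on: '/' + the 'path' value."""
    path = parse_qs(urlsplit(access_url).query).get("path", [""])[0]
    return "/" + path


def extract_token(request_path, cookie_header=None):
    """Proxy side: read the token from the websocket request's query string,
    falling back to a 'token' cookie (what noVNC < v1.1.0 forwarded)."""
    token = parse_qs(urlsplit(request_path).query).get("token", [""])[0]
    if not token and cookie_header:
        cookie = SimpleCookie()
        cookie.load(cookie_header)
        if "token" in cookie:
            token = cookie["token"].value
    return token or None


# Constructed sample values, not real endpoints or tokens.
SAMPLE_BASE = "https://console.example.test:6080/vnc_auto.html"
SAMPLE_TOKEN = "3f1c0e2a-constructed-token"

if __name__ == "__main__":
    url = build_access_url(SAMPLE_BASE, SAMPLE_TOKEN)
    ws_path = websocket_path_from_access_url(url)
    print(url)
    print(ws_path)
    print(extract_token(ws_path))                     # token via 'path'
    print(extract_token("/websockify", "token=abc"))  # legacy cookie route
```
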
These were missed in I08991796aaced2abc824f608108c0c786181eb65.
Change-Id: Ibb31d7d8460c6376f42bcb65c94796d5e68f3d9d
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
- Move deprecated services to the end of the document
- Update incorrect information regarding nova-consoleauth
- Move configuration options that were specified for the wrong service
- Don't give the impression that the serial console is libvirt-only
Change-Id: Ie0fd987a1e5c130b8e31c84910814d5d051f2b31
The installation of the nova-consoleauth service was erroneously
removed from the docs prematurely. The nova-consoleauth service
is still being used in Rocky, with the removal being possible in
Stein.
This should have been fixed as part of change
Ibbdc7c50c312da2acc59dfe64de95a519f87f123 but was missed.
This is also related to the release note update in Rocky
under change Ie637b4871df8b870193b5bc07eece15c03860c06.
Co-Authored-By: Matt Riedemann <mriedem.os@gmail.com>
Closes-Bug: #1793255
Related-Bug: #1798188
Change-Id: Ied268da9e70bd2807c2dfe7a479181fbec52979d
This is a relic that has long since been replaced by the noVNC proxy
service. Start preparing for its removal.
Change-Id: Icb225dec3ad291b751e475bd3703ce0eb30b44db
I did know this was a thing but only barely. As with RDP, the
documentation is very minimal but it should contain enough pointers for
anyone playing with this stuff.
Change-Id: I0b62d42eae7c325566ee065dcdc0f73b7223d471
I didn't even know this was a thing. Call it out...and promptly link to
the Cloudbase documentation, which I don't want to reproduce here for
reasons of expediency.
Change-Id: I4416bf5c5c4e906bcfdeec5a7ae41f747029a292
The link between the various consoles was never well understood (by me,
at least). Clarify this by restructuring the document to highlight the
few differences between these services.
Change-Id: I08991796aaced2abc824f608108c0c786181eb65
noVNC 1.0.0 has the fix for non-US key mappings so this adds a simple
note when installing the novnc package that at least 1.0.0 should be
used for non-US key map support.
Change-Id: Ia1a84c986025f8a46c1062440faa0deb1d2d73a5
Related-Bug: #1682020
The nova noVNC proxy server has gained the ability to use the VeNCrypt
authentication scheme to secure network communications with the compute
node VNC servers. This documents how to configure the QEMU/KVM compute
nodes and the noVNC proxy server nodes.
Change-Id: If3cea87568efff0874cd8851cabc6770812c545b
Blueprint: websocket-proxy-to-host-security
Co-Authored-By: Stephen Finucane <sfinucan@redhat.com>
The serial console feature is a little unknown and it's a little
confusing at first. This change adds a doc to explain this better.
Change-Id: Ia5a336694aec95db29545e31b2c6b364dd825a15
Import all docs from openstack-manuals.
Part of bp: doc-migration
Change-Id: I28bb8ce1f4a8653f176a554d2e95b4423c437972
Co-Authored-By: Stephen Finucane <sfinucan@redhat.com>