How to select virtual consoles

One decision a cloud architect will need to make regarding Compute service configuration is whether to use VNC or SPICE.

Virtual Network Computer (VNC)

OpenStack can be configured to provide remote desktop console access to instances for tenants and administrators using the Virtual Network Computer (VNC) protocol.

Capabilities

  1. The OpenStack Dashboard (horizon) can provide a VNC console for instances directly on the web page using the HTML5 noVNC client. This requires the nova-novncproxy service to bridge from the public network to the management network.

  2. The nova command-line utility can return a URL for the VNC console for access by the nova Java VNC client. This requires the nova-xvpvncproxy service to bridge from the public network to the management network.

Security considerations

  1. The nova-novncproxy and nova-xvpvncproxy services by default open public-facing ports that are token authenticated.

  2. By default, the remote desktop traffic is not encrypted. TLS can be enabled to encrypt the VNC traffic. Refer to Introduction to TLS and SSL for appropriate recommendations.

Bibliography

  1. blog.malchuk.ru, OpenStack VNC Security. 2013. Secure Connections to VNC ports

  2. OpenStack Mailing List, [OpenStack] nova-novnc SSL configuration - Havana. 2014. OpenStack nova-novnc SSL Configuration

  3. Redhat.com/solutions, Using SSL Encryption with OpenStack nova-novacproxy. 2014. OpenStack nova-novncproxy SSL encryption

Simple Protocol for Independent Computing Environments (SPICE)

As an alternative to VNC, OpenStack provides remote desktop access to guest virtual machines using the Simple Protocol for Independent Computing Environments (SPICE) protocol.

Capabilities

  1. SPICE is supported by the OpenStack Dashboard (horizon) directly on the instance web page. This requires the nova-spicehtml5proxy service.

  2. The nova command-line utility can return a URL for SPICE console for access by a SPICE-html client.

Limitations

  1. Although SPICE has many advantages over VNC, the spice-html5 browser integration currently does not allow administrators to take advantage of the benefits. To take advantage of SPICE features like multi-monitor, USB pass through, we recommend administrators use a standalone SPICE client within the management network.

Security considerations

  1. The nova-spicehtml5proxy service by default opens public-facing ports that are token authenticated.

  2. The functionality and integration are still evolving. We will access the features in the next release and make recommendations.

  3. As is the case for VNC, at this time we recommend using SPICE from the management network in addition to limiting use to few individuals.

Bibliography

  1. OpenStack Admin Guide. SPICE Console. SPICE Console.

  2. bugzilla.redhat.com, Bug 913607 - RFE: Support Tunnelling SPICE over websockets. 2013. RedHat bug 913607.