Choosing a virtual console

One decision a cloud architect will need to make regarding Compute service configuration is whether to use VNC or SPICE.

Virtual Network Computing (VNC)

OpenStack can be configured to provide remote desktop console access to instances for tenants and administrators using the Virtual Network Computing (VNC) protocol.

Capabilities

  1. The OpenStack Dashboard (horizon) can provide a VNC console for instances directly on the web page using the HTML5 noVNC client. This requires the nova-novncproxy service to bridge from the public network to the management network.

  2. The nova command-line utility can return a URL for the VNC console for access by the nova Java VNC client. This requires the nova-xvpvncproxy service to bridge from the public network to the management network.

Security considerations

  1. The nova-novncproxy and nova-xvpvncproxy services by default open public-facing ports that are token authenticated.

  2. By default, the remote desktop traffic is not encrypted. TLS can be enabled on the proxy to encrypt the VNC traffic between the client and the proxy. Refer to Introduction to TLS and SSL for appropriate recommendations.

References

  1. blog.malchuk.ru, "OpenStack VNC Security", 2013. Secure Connections to VNC ports.

  2. OpenStack Mailing List, "[OpenStack] nova-novnc SSL configuration - Havana", 2014. OpenStack nova-novnc SSL Configuration.

  3. Redhat.com/solutions, "Using SSL Encryption with OpenStack nova-novncproxy", 2014. OpenStack nova-novncproxy SSL encryption.

Simple Protocol for Independent Computing Environments (SPICE)

As an alternative to VNC, OpenStack provides remote desktop access to virtual machines using the Simple Protocol for Independent Computing Environments (SPICE) protocol.

Capabilities

  1. SPICE is supported by the OpenStack Dashboard (horizon) directly on the instance web page. This requires the nova-spicehtml5proxy service.

  2. The nova command-line utility can return a URL for the SPICE console for access by a SPICE-html5 client.

Limitations

  1. Although SPICE has many advantages over VNC, the spice-html5 browser integration currently does not allow administrators to take advantage of the benefits. To take advantage of SPICE features like multi-monitor, USB pass through, we recommend administrators use a standalone SPICE client within the management network.

Security considerations

  1. The nova-spicehtml5proxy service by default opens public-facing ports that are token authenticated.

  2. Capabilities and integration are still evolving. We will review the capabilities in the next release and make recommendations.

  3. As is the case with VNC, for now we recommend using SPICE from the management network and limiting its use to a few individuals.
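The security considerations for VNC above and for SPICE in this list come down to the same three checks on nova.conf: which console proxies are enabled (each one is another token-authenticated public port), whether the browser-to-proxy leg is served over TLS (ssl_only plus a cert and key, and an https base URL), and whether the hypervisor-side console listener is bound to the management network rather than every interface. The following audit script is an added example, not code from the OpenStack project or this guide. The option names ([DEFAULT] ssl_only/cert/key, the [vnc] and [spice] sections) are real nova.conf options; the two configuration texts are constructed for the demonstration, and the management-network prefix 10.0.0.0/8 is an assumption about the deployment.

```python
"""Audit the console-proxy settings in a nova.conf text for the issues
raised in this section.  Added example; not OpenStack project code."""
import configparser
import ipaddress
from urllib.parse import urlparse

# Assumption: the management network of this deployment is 10.0.0.0/8.
MGMT_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed nova.conf fragment: both consoles on, no TLS, listeners on
# every interface (roughly what a default-ish deployment looks like).
WEAK_CONF = """
[DEFAULT]
ssl_only = false

[vnc]
enabled = true
novncproxy_base_url = http://203.0.113.10:6080/vnc_auto.html
server_listen = 0.0.0.0
server_proxyclient_address = 10.0.0.21

[spice]
enabled = true
html5proxy_base_url = http://203.0.113.10:6082/spice_auto.html
server_listen = 0.0.0.0
server_proxyclient_address = 10.0.0.21
"""

# Constructed hardened fragment: one console type, TLS on the proxy,
# hypervisor listener bound to a management-network address.
HARDENED_CONF = """
[DEFAULT]
ssl_only = true
cert = /etc/nova/ssl/novnc.crt
key = /etc/nova/ssl/novnc.key

[vnc]
enabled = true
novncproxy_base_url = https://console.example.com:6080/vnc_auto.html
server_listen = 10.0.0.21
server_proxyclient_address = 10.0.0.21

[spice]
enabled = false
"""

# (section, base-URL option, human-readable name) for each console type
CONSOLES = (
    ("vnc", "novncproxy_base_url", "noVNC"),
    ("spice", "html5proxy_base_url", "SPICE HTML5"),
)


def _on_mgmt_net(addr):
    """True if addr parses as an IP address inside the management network."""
    try:
        return ipaddress.ip_address(addr) in MGMT_NET
    except ValueError:
        return False


def audit_console_config(text):
    """Return a list of finding strings for a nova.conf text (empty = clean)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []

    # nova's own defaults when the option is absent: VNC on, SPICE off.
    enabled = {
        "vnc": cfg.getboolean("vnc", "enabled", fallback=True),
        "spice": cfg.getboolean("spice", "enabled", fallback=False),
    }
    if enabled["vnc"] and enabled["spice"]:
        findings.append("both VNC and SPICE consoles enabled: pick one to "
                        "limit the number of public-facing proxy ports")

    for section, url_opt, name in CONSOLES:
        if not enabled[section]:
            continue
        url = cfg.get(section, url_opt, fallback="http://127.0.0.1/")
        scheme = urlparse(url).scheme
        if scheme != "https":
            findings.append(f"{section}: {url_opt} uses {scheme}; {name} "
                            "traffic between browser and proxy is unencrypted")
        # server_listen is the hypervisor-side listener the proxy connects to;
        # 127.0.0.1 (nova's default) is only reachable locally, 0.0.0.0 is not.
        listen = cfg.get(section, "server_listen", fallback="127.0.0.1")
        if listen != "127.0.0.1" and not _on_mgmt_net(listen):
            findings.append(f"{section}: server_listen={listen} exposes the "
                            "hypervisor console listener beyond the management network")

    if any(enabled.values()):
        if not cfg.getboolean("DEFAULT", "ssl_only", fallback=False):
            findings.append("DEFAULT: ssl_only is false; the console proxy "
                            "also accepts plaintext WebSocket connections")
        elif not (cfg.get("DEFAULT", "cert", fallback=None)
                  and cfg.get("DEFAULT", "key", fallback=None)):
            findings.append("DEFAULT: ssl_only is true but cert/key are not "
                            "set (nova falls back to self.pem in its working directory)")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for finding in audit_console_config(conf) or ["no findings"]:
            print(" -", finding)
```

Run it against a real nova.conf with `audit_console_config(open("/etc/nova/nova.conf").read())`. Note that enabling TLS on the proxy only protects the browser-to-proxy leg; the proxy-to-hypervisor VNC or SPICE connection on the management network is a separate path, which is why the listener binding is checked as well.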

References

  1. OpenStack Admin Guide, "SPICE Console".

  2. bugzilla.redhat.com, "Bug 913607 - RFE: Support Tunnelling SPICE over websockets", 2013. RedHat bug 913607.