How to select virtual consoles¶
Virtual Network Computer (VNC)¶
OpenStack can be configured to provide remote desktop console access to instances for tenants and administrators using the Virtual Network Computer (VNC) protocol.
The OpenStack Dashboard (horizon) can provide a VNC console for instances directly on the web page using the HTML5 noVNC client. This requires the
nova-novncproxyservice to bridge from the public network to the management network.
novacommand-line utility can return a URL for the VNC console for access by the nova Java VNC client. This requires the
nova-xvpvncproxyservice to bridge from the public network to the management network.
nova-xvpvncproxyservices by default open public-facing ports that are token authenticated.
By default, the remote desktop traffic is not encrypted. TLS can be enabled to encrypt the VNC traffic. Refer to Introduction to TLS and SSL for appropriate recommendations.
blog.malchuk.ru, OpenStack VNC Security. 2013. Secure Connections to VNC ports
OpenStack Mailing List, [OpenStack] nova-novnc SSL configuration - Havana. 2014. OpenStack nova-novnc SSL Configuration
Redhat.com/solutions, Using SSL Encryption with OpenStack nova-novacproxy. 2014. OpenStack nova-novncproxy SSL encryption
Simple Protocol for Independent Computing Environments (SPICE)¶
As an alternative to VNC, OpenStack provides remote desktop access to guest virtual machines using the Simple Protocol for Independent Computing Environments (SPICE) protocol.
SPICE is supported by the OpenStack Dashboard (horizon) directly on the instance web page. This requires the
The nova command-line utility can return a URL for SPICE console for access by a SPICE-html client.
Although SPICE has many advantages over VNC, the spice-html5 browser integration currently does not allow administrators to take advantage of the benefits. To take advantage of SPICE features like multi-monitor, USB pass through, we recommend administrators use a standalone SPICE client within the management network.
nova-spicehtml5proxyservice by default opens public-facing ports that are token authenticated.
The functionality and integration are still evolving. We will access the features in the next release and make recommendations.
As is the case for VNC, at this time we recommend using SPICE from the management network in addition to limiting use to few individuals.