Chapter 16. Managing instances

As a cloud administrator, you can monitor and manage the instances running on your cloud.

16.1. Securing connections to the VNC console of an instance

You can secure connections to the VNC console for an instance by configuring the allowed TLS ciphers and the minimum protocol version to enforce for incoming client connections to the VNC proxy service.

Procedure

  1. Log in to the undercloud as the stack user.
  2. Source the stackrc file:

    [stack@director ~]$ source ~/stackrc

  3. Open your Compute environment file.
  4. Configure the SSL/TLS ciphers to use for VNC console connections to instances:

    parameter_defaults:
      NovaVNCProxySSLCiphers: <ciphers>

    Replace <ciphers> with a colon-delimited list of the cipher suites to allow. Retrieve the list of available ciphers from openssl.

  5. Configure the minimum protocol version to use for VNC console connections to instances:

    parameter_defaults:
      ...
      NovaVNCProxySSLMinimumVersion: <version>

    Replace <version> with the minimum allowed SSL/TLS protocol version. Set to one of the following valid values:

    • default - Uses the underlying system OpenSSL defaults.
    • tlsv1_1
    • tlsv1_2
    • tlsv1_3

  6. Add your Compute environment file to the stack with your other environment files and deploy the overcloud:

    (undercloud)$ openstack overcloud deploy --templates \
      -e [your environment files]  \
      -e /home/stack/templates/<compute_environment_file>.yaml
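
A pre-deployment check for the values set in steps 4 and 5, as an added example that is not part of the original procedure: it uses Python's ssl module to ask the local OpenSSL library whether each entry of the cipher list is recognized, and checks the version against the valid values listed above. The function names and sample values are assumptions made for illustration, and the result reflects the OpenSSL build on the host where the script runs, which may differ from the one on the Compute nodes.

```python
import ssl

# Valid NovaVNCProxySSLMinimumVersion values, as listed in step 5.
VALID_MIN_VERSIONS = ("default", "tlsv1_1", "tlsv1_2", "tlsv1_3")


def expand_ciphers(cipher_string):
    """Return the cipher suite names the local OpenSSL selects for a string.

    Raises ssl.SSLError when OpenSSL cannot select any cipher from it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def check_vnc_tls_settings(ciphers, min_version):
    """Return a list of problems found in the two parameter values."""
    problems = []
    if min_version not in VALID_MIN_VERSIONS:
        problems.append(f"invalid minimum version: {min_version!r}")
    # Test each entry alone: OpenSSL silently skips unknown entries
    # as long as at least one other entry in the list matches.
    for entry in ciphers.split(":"):
        if not entry:
            problems.append("empty entry in cipher list")
            continue
        if entry[0] in "!-+@":
            continue  # OpenSSL list operator, not a suite name
        try:
            expand_ciphers(entry)
        except ssl.SSLError:
            problems.append(f"cipher not recognized by OpenSSL: {entry!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not recommendations from the page.
    sample_ciphers = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
    sample_version = "tlsv1_2"
    for problem in check_vnc_tls_settings(sample_ciphers, sample_version):
        print("PROBLEM:", problem)
    print("Selected suites:", expand_ciphers(sample_ciphers))
```

An empty result from check_vnc_tls_settings means every entry was recognized; a misspelled suite name is reported even when the rest of the list is valid, which a single check of the whole string would not reveal.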