The following document describes a feature that secures console access through CloudStack to virtual machines running on KVM. Secure access is achieved with the certificates generated by the CA Framework in CloudStack, which provides mutual TLS connections between agents. These certificates are also used to secure the connection between the console proxies and the VNC ports used for VM console access.
This feature is only supported on the KVM hypervisor.
QEMU provides a mechanism to secure the VNC traffic for VM console access using a certificate authority and server certificates. CloudStack already supports the Certificate Authority method on the KVM, CPVM and SSVM agents. To configure the VNC connections for TLS using the existing certificates, the CA certificate, the server certificate and the private key of the server certificate must be copied to a location in the filesystem under specific filenames. In this example, we assume that the certificates are copied into the ‘/etc/pki/libvirt-vnc’ directory on each KVM host:
After setting up the certificates, the administrator needs to modify the /etc/libvirt/qemu.conf file:
The administrator must ensure that the QEMU process can read the certificates directory, granting the necessary permissions if needed. The last configuration step is a restart of the libvirt daemon service.
The complete guide can be found at: https://wiki.libvirt.org/page/VNCTLSSetup
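The three steps above (stage the certificates, edit qemu.conf, check permissions) as one added example. This is not CloudStack's agent code; it assumes the CA Framework has already produced three PEM files on the host, that libvirt's default filenames apply inside the certificate directory (ca-cert.pem, server-cert.pem, server-key.pem), and that the directory is /etc/pki/libvirt-vnc as in the text. The qemu.conf keys vnc_tls, vnc_tls_x509_cert_dir and vnc_tls_x509_verify are the libvirt settings that enable TLS with client certificate verification. Restarting libvirtd is left to the caller.

```python
"""Stage CA Framework certificates for libvirt's VNC TLS and enable it in qemu.conf.

Added example, not CloudStack's own code. Assumptions: the PEM files already exist
on the host, libvirt's default names (ca-cert.pem, server-cert.pem, server-key.pem)
are used inside vnc_tls_x509_cert_dir, and the paths below are the defaults.
"""
import os
import re
import shutil
import stat

CERT_NAMES = {"ca": "ca-cert.pem", "cert": "server-cert.pem", "key": "server-key.pem"}
CERT_DIR = "/etc/pki/libvirt-vnc"          # assumed, as in the text
QEMU_CONF = "/etc/libvirt/qemu.conf"
# Settings that make QEMU offer the X509Vnc sub-type: TLS on, client certificate verified.
TLS_SETTINGS = {"vnc_tls": "1", "vnc_tls_x509_cert_dir": '"%s"', "vnc_tls_x509_verify": "1"}


def check_certificates(cert_dir=CERT_DIR):
    """Return a list of problems; empty when the directory is ready for libvirt."""
    problems = []
    for name in CERT_NAMES.values():
        path = os.path.join(cert_dir, name)
        if not os.path.isfile(path):
            problems.append("missing %s" % path)
    key = os.path.join(cert_dir, CERT_NAMES["key"])
    if os.path.isfile(key) and os.stat(key).st_mode & stat.S_IROTH:
        problems.append("%s is world-readable" % key)
    return problems


def stage_certificates(ca_path, cert_path, key_path, cert_dir=CERT_DIR):
    """Copy the PEM files under the names libvirt expects; keep the key unreadable by others."""
    os.makedirs(cert_dir, mode=0o755, exist_ok=True)
    for src, kind in ((ca_path, "ca"), (cert_path, "cert"), (key_path, "key")):
        dst = os.path.join(cert_dir, CERT_NAMES[kind])
        shutil.copyfile(src, dst)
        # The private key is readable by the owner and group (qemu) only.
        os.chmod(dst, 0o640 if kind == "key" else 0o644)
    return check_certificates(cert_dir)


def enable_vnc_tls(conf_path=QEMU_CONF, cert_dir=CERT_DIR):
    """Set the vnc_tls* keys, replacing commented-out defaults so each key has one active value."""
    with open(conf_path) as f:
        lines = f.read().splitlines()
    wanted = {k: (v % cert_dir if "%s" in v else v) for k, v in TLS_SETTINGS.items()}
    out, seen = [], set()
    for line in lines:
        m = re.match(r"^\s*#?\s*(vnc_tls\w*)\s*=", line)
        if m and m.group(1) in wanted:
            key = m.group(1)
            if key not in seen:
                out.append("%s = %s" % (key, wanted[key]))
                seen.add(key)
            continue  # drop duplicate or commented-out definitions of a managed key
        out.append(line)
    for key in TLS_SETTINGS:
        if key not in seen:
            out.append("%s = %s" % (key, wanted[key]))
    with open(conf_path, "w") as f:
        f.write("\n".join(out) + "\n")
    return wanted


def read_settings(conf_path=QEMU_CONF):
    """Parse the active (uncommented) key = value lines, to verify the result."""
    settings = {}
    with open(conf_path) as f:
        for line in f:
            m = re.match(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$", line)
            if m:
                settings[m.group(1)] = m.group(2)
    return settings
```

Run stage_certificates() with the paths of the three PEM files, then enable_vnc_tls() and read_settings() to confirm the three keys are active before restarting libvirtd. Keeping a single active definition per key matters because the stock qemu.conf ships each of them commented out, and a leftover `vnc_tls_x509_verify = 0` later in the file would silently win.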
The RFB protocol (https://www.rfc-editor.org/rfc/rfc6143.html) is the protocol used to establish VNC connections, allowing remote access to virtual machine consoles. Implementing this feature required upgrading the RFB protocol version supported by the console proxy VMs from 3.3 to 3.8.
Before this feature, the CloudStack console proxies supported version 3.3 of the RFB protocol. Version 3.3 does not provide any encrypted security type; the only security type it offers is VNC password authentication. When TLS is enabled on the VNC traffic through QEMU, the VNC ports offer a security type called VeNCrypt (https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#724vencrypt). VeNCrypt in turn provides multiple sub-types:
Code | Name | Description |
---|---|---|
256 | Plain | Plain authentication |
257 | TLSNone | TLS encryption with no authentication |
258 | TLSVnc | TLS encryption with VNC authentication |
259 | TLSPlain | TLS encryption with Plain authentication |
260 | X509None | X509 encryption with no authentication |
261 | X509Vnc | X509 encryption with VNC authentication |
262 | X509Plain | X509 encryption with Plain authentication |
263 | TLSSASL | TLS encryption with SASL authentication |
264 | X509SASL | X509 encryption with SASL authentication |
The sub-type offered by QEMU when TLS and X509 verification are enabled is type 261: X509 encryption with VNC password authentication.
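The negotiation described above, from the version exchange through the VeNCrypt sub-type choice, as an added example (not CloudStack or QEMU code). The server simulator mimics a QEMU VNC server with TLS and X509 verification enabled: it offers only the VeNCrypt security type (19) and sub-type 261 (X509Vnc). The client code shows why a 3.3 console proxy cannot use it: in RFB 3.3 the server sends a single security type in a U32 field and VeNCrypt cannot be offered there, while in 3.8 the server sends a list the client chooses from. Message layouts follow RFC 6143 and the rfbproto VeNCrypt section; the TLS handshake and the VNC password challenge that follow sub-type acceptance are not performed, and every byte is constructed here.

```python
"""RFB 3.8 security negotiation with VeNCrypt, modelled as a two-sided exchange.

Added example, not CloudStack or QEMU code. TlsVncServerSim mimics a QEMU VNC
server configured with vnc_tls=1 and vnc_tls_x509_verify=1: it offers only the
VeNCrypt security type (19) and the X509Vnc sub-type (261). Message layouts
follow RFC 6143 and the rfbproto VeNCrypt section; all bytes are constructed.
"""
import struct

SEC_INVALID, SEC_NONE, SEC_VNC_AUTH, SEC_VENCRYPT = 0, 1, 2, 19
VENCRYPT_SUBTYPES = {256: "Plain", 257: "TLSNone", 258: "TLSVnc", 259: "TLSPlain",
                     260: "X509None", 261: "X509Vnc", 262: "X509Plain",
                     263: "TLSSASL", 264: "X509SASL"}
# Every sub-type except Plain runs a TLS handshake before any credential is sent.
ENCRYPTED_SUBTYPES = {t for t in VENCRYPT_SUBTYPES if t != 256}


def encode_version(major, minor):
    """Build the 12-byte 'RFB xxx.yyy\\n' greeting."""
    return b"RFB %03d.%03d\n" % (major, minor)


def parse_version(msg):
    if len(msg) != 12 or msg[:4] != b"RFB " or msg[7:8] != b"." or msg[11:12] != b"\n":
        raise ValueError("malformed RFB version string: %r" % msg)
    return int(msg[4:7]), int(msg[8:11])


def reason_string(text):
    """U32 length followed by ASCII text: the failure format used by RFB 3.x."""
    data = text.encode("ascii")
    return struct.pack(">I", len(data)) + data


def parse_reason(data):
    (n,) = struct.unpack(">I", data[:4])
    return data[4:4 + n].decode("ascii")


class TlsVncServerSim:
    """Server side of the handshake, up to the point where the TLS handshake would begin."""

    def __init__(self, subtypes=(261,)):
        self.subtypes = tuple(subtypes)
        self.tls_started = False

    def greeting(self):
        return encode_version(3, 8)

    def on_version(self, msg):
        if parse_version(msg) == (3, 3):
            # 3.3 has no list of security types: the server picks one U32 type, and
            # VeNCrypt cannot be expressed there, so the connection is refused.
            return struct.pack(">I", SEC_INVALID) + reason_string("TLS requires RFB 3.7 or newer")
        return bytes([1, SEC_VENCRYPT])  # U8 count, then the offered types

    def on_security_type(self, msg):
        if msg != bytes([SEC_VENCRYPT]):
            raise ValueError("security type not offered")
        return bytes([0, 2])  # highest supported VeNCrypt version: 0.2

    def on_vencrypt_version(self, msg):
        if msg != bytes([0, 2]):
            return bytes([1])  # non-zero: version rejected, server closes the connection
        body = struct.pack(">B", len(self.subtypes)) + b"".join(struct.pack(">I", s) for s in self.subtypes)
        return bytes([0]) + body  # 0 = accepted, then U8 count and U32 sub-types

    def on_subtype(self, msg):
        (sub,) = struct.unpack(">I", msg)
        if sub not in self.subtypes:
            return bytes([0])
        self.tls_started = sub in ENCRYPTED_SUBTYPES
        return bytes([1])  # 1 = sub-type accepted; the TLS handshake starts next


def client_handshake(server, client_version=(3, 8), acceptable=(261,)):
    """Drive the client side and report what was negotiated (TLS and VNC auth not performed)."""
    version = min(parse_version(server.greeting()), client_version)
    fail = lambda reason: {"ok": False, "version": version, "reason": reason}
    reply = server.on_version(encode_version(*version))
    if version == (3, 3):
        (sec,) = struct.unpack(">I", reply[:4])
        if sec == SEC_INVALID:
            return fail(parse_reason(reply[4:]))
        return {"ok": True, "version": version, "security": sec, "encrypted": False}
    count = reply[0]
    if count == 0:
        return fail(parse_reason(reply[1:]))
    offered = list(reply[1:1 + count])
    if SEC_VENCRYPT not in offered:
        return fail("server offers %r, no VeNCrypt" % offered)
    reply = server.on_security_type(bytes([SEC_VENCRYPT]))
    if (reply[0], reply[1]) < (0, 2):
        return fail("VeNCrypt %d.%d too old for sub-type negotiation" % (reply[0], reply[1]))
    reply = server.on_vencrypt_version(bytes([0, 2]))
    if reply[0] != 0:
        return fail("VeNCrypt version 0.2 rejected")
    n = reply[1]
    subtypes = list(struct.unpack(">%dI" % n, reply[2:2 + 4 * n]))
    chosen = next((s for s in subtypes if s in acceptable), None)
    if chosen is None:
        return fail("no acceptable sub-type among %r" % subtypes)
    if server.on_subtype(struct.pack(">I", chosen)) != bytes([1]):
        return fail("sub-type %d rejected" % chosen)
    return {"ok": True, "version": version, "security": SEC_VENCRYPT, "subtype": chosen,
            "name": VENCRYPT_SUBTYPES[chosen], "encrypted": chosen in ENCRYPTED_SUBTYPES}
```

Calling client_handshake(TlsVncServerSim()) ends with sub-type 261 accepted and tls_started set, which is the point where the console proxy would wrap the socket in TLS and only then answer the VNC password challenge. Calling it with client_version=(3, 3) fails at the first step with the server's reason string, which is the limitation the upgrade to 3.8 removed. The `acceptable` list is the client-side policy: restricting it to the X509 sub-types ensures a proxy never falls back to Plain (256), which would send the password in clear.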
This feature works together with the CA Framework in CloudStack. The QEMU/libvirt configuration is triggered automatically on the KVM hosts when the hosts are secured with the CA Framework certificates:
Once the administrator completes certificate provisioning in CloudStack, console access for new VMs on those hosts is encrypted. CloudStack displays the virtual machine console through the noVNC viewer embedded in the console proxy VMs.
CloudStack users will notice that encrypted VNC sessions display a green bar stating that the session is encrypted, as in the image below. The tab title also includes ‘(TLS backend)’ when the session is encrypted.