Short-lived depends on the configured TTL (default is 10 minutes) and they are unintentionally leaked in the INFO logs of the nova-novncproxy console proxy service [1], which does not run on the hypervisor. It's a separate service that is run on a per cell basis.
For the websockify leak, it is not websockify that is directly responsible for the leak because their code is (and has always) logged the "Path" with which the websockify server was called. So, I don't think it's a bug on their part.
To explain the background: earlier this year, novnc made a change to their code to stop supporting built-in token query parameter forwarding to the websockify server. We proposed a partial revert [2] that was NACKed by the maintainers and their guidance was for us to embed our auth token into the "Path" query parameter instead, which is (and has always) been passed through to the websockify server code. There was no other way to get the token passed into websockify so that we could validate it in nova. However, when we made that change, the token began being logged as part of the normal "Path" logging. I personally can't think of another way to stop it other than to adjust our websockify server logging level config to WARN, if that is possible.
Short-lived depends on the configured TTL (default is 10 minutes) and they are unintentionally leaked in the INFO logs of the nova-novncproxy console proxy service [1], which does not run on the hypervisor. It's a separate service that is run on a per cell basis.
For the websockify leak, it is not websockify that is directly responsible for the leak because their code is (and has always) logged the "Path" with which the websockify server was called. So, I don't think it's a bug on their part.
To explain the background: earlier this year, novnc made a change to their code to stop supporting built-in token query parameter forwarding to the websockify server. We proposed a partial revert [2] that was NACKed by the maintainers and their guidance was for us to embed our auth token into the "Path" query parameter instead, which is (and has always) been passed through to the websockify server code. There was no other way to get the token passed into websockify so that we could validate it in nova. However, when we made that change, the token began being logged as part of the normal "Path" logging. I personally can't think of another way to stop it other than to adjust our websockify server logging level config to WARN, if that is possible.
[1] https:/ /docs.openstack .org/nova/ latest/ admin/remote- console- access. html#novnc- based-vnc- console /github. com/novnc/ noVNC/pull/ 1220
[2] https:/