Date: November 14, 2025
Implementation: Phase 1 (Immediate Hotfix)
Reference: ADR-0015 - Remote Desktop Architecture Decision
Phase 1 fail-fast protection has been successfully implemented to prevent CentOS Stream 10 / RHEL 10 systems from failing with cryptic package errors when remote desktop features are enabled. The implementation provides clear, actionable error messages that explain the architectural changes, security constraints, and workarounds.
- `roles/kvmhost_setup/defaults/main.yml`
  - Added `enable_vnc` variable (default: `true`)
  - Documented RHEL version behavior differences
  - Added reference to ADR-0015
- `roles/kvmhost_setup/tasks/rhpds_instance.yml`
  - Added fail-fast task that blocks RHEL 10 when `enable_vnc: true`
  - Updated all VNC/RDP tasks with version guards (`kvmhost_os_major_version < 10`)
  - Added proper tagging for `remote_desktop`, `vnc`, `security`, and `adr_0015`
- `tests/test-rhel10-vnc-protection.yml`
  - Created comprehensive test playbook
  - Validates behavior on RHEL 8/9 vs RHEL 10
  - Tests both `enable_vnc: true` and `enable_vnc: false` scenarios
- ADR-0008: RHEL 9 and RHEL 10 Support Strategy
  - Added RHEL 10 Critical Architectural Changes section
  - Updated support matrix with remote desktop column
  - Added Remote Desktop Strategy with Phase 1/Phase 2 approach
  - Added 10 external references with citations
- ADR-0015: Remote Desktop Architecture Decision (NEW)
  - Complete architectural decision record
  - Detailed technical context and SELinux blocker analysis
  - Two-phase implementation strategy
  - Full code examples for both phases
  - 10 external references documented
- `docs/archive/adrs/README.md`
  - Added ADR-0015 to index
  - Created new Security category
  - Updated status summary (13 accepted ADRs)
When `enable_vnc: true` is set on a RHEL 10 system, the playbook now fails with this clear message:

```text
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
❌ FATAL: Remote Desktop (enable_vnc: true) is NOT supported on RHEL 10
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Platform: CentOS 10.0

🔴 WHY THIS FAILED:
RHEL 10 / CentOS Stream 10 deprecates the X.Org display server and removes
VNC/X11-based remote access packages (tigervnc-server, xrdp).
The new RDP-based architecture (gnome-remote-desktop) is currently BLOCKED
by Red Hat Bugzilla 2271661: SELinux incompatibility in enforcing mode.

🔒 SECURITY-FIRST PRINCIPLE:
This collection prioritizes KVM hypervisor security and will NOT disable
SELinux. SELinux provides sVirt isolation for virtual machines, which is
essential for secure multi-tenant virtualization.

📋 WORKAROUND:
Set 'enable_vnc: false' in your inventory for RHEL 10 hosts.

📚 REFERENCES:
- ADR-0015: Remote Desktop Architecture Decision
- Red Hat BZ 2271661: gnome-remote-desktop SELinux incompatibility
- RHEL 10 will be supported when the SELinux policy is fixed upstream
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
```
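The summary describes the fail-fast task but does not show it, so here is an added example of how such a guard is written in Ansible. This is not the role's own task from `rhpds_instance.yml`; it assumes `kvmhost_os_major_version` is derived from `ansible_facts['distribution_major_version']` as shown, and renders the `Platform:` line from gathered facts. The guard runs before any VNC/RDP package task, so on RHEL 10 the play stops with the explanation instead of a `No package tigervnc-server available` error.

```yaml
---
# Added example, not the collection's own code: a Phase 1 fail-fast guard of the
# kind added to rhpds_instance.yml. It must run before any VNC/RDP package task.
- name: Phase 1 fail-fast guard for remote desktop on RHEL 10
  hosts: all
  gather_facts: true
  tasks:
    # Assumption: the role derives kvmhost_os_major_version from gathered facts.
    - name: Record the OS major version used by the remote desktop guards
      ansible.builtin.set_fact:
        kvmhost_os_major_version: "{{ ansible_facts['distribution_major_version'] | int }}"

    - name: Refuse remote desktop (enable_vnc) on RHEL 10 / CentOS Stream 10
      ansible.builtin.fail:
        msg: |
          ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
          ❌ FATAL: Remote Desktop (enable_vnc: true) is NOT supported on RHEL 10
          ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
          Platform: {{ ansible_facts['distribution'] }} {{ ansible_facts['distribution_version'] }}

          🔴 WHY THIS FAILED:
          RHEL 10 / CentOS Stream 10 deprecates the X.Org display server and removes
          VNC/X11-based remote access packages (tigervnc-server, xrdp).
          The new RDP-based architecture (gnome-remote-desktop) is currently BLOCKED
          by Red Hat Bugzilla 2271661: SELinux incompatibility in enforcing mode.

          🔒 SECURITY-FIRST PRINCIPLE:
          This collection prioritizes KVM hypervisor security and will NOT disable
          SELinux. SELinux provides sVirt isolation for virtual machines, which is
          essential for secure multi-tenant virtualization.

          📋 WORKAROUND:
          Set 'enable_vnc: false' in your inventory for RHEL 10 hosts.

          📚 REFERENCES:
          - ADR-0015: Remote Desktop Architecture Decision
          - Red Hat BZ 2271661: gnome-remote-desktop SELinux incompatibility
          - RHEL 10 will be supported when the SELinux policy is fixed upstream
          ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
      when:
        - enable_vnc | default(true) | bool
        - kvmhost_os_major_version | int >= 10
      tags:
        - remote_desktop
        - vnc
        - security
        - adr_0015

    # Reached only on RHEL 8/9, or on RHEL 10 with enable_vnc: false (where the
    # version guard skips it); the fail task above has already stopped the play
    # on RHEL 10 with enable_vnc: true.
    - name: Install tigervnc-server and xrdp packages (RHEL 8/9 only)
      ansible.builtin.dnf:
        name:
          - tigervnc-server
          - xrdp
        state: present
      when:
        - enable_vnc | default(true) | bool
        - kvmhost_os_major_version | int < 10
```

Run it against a RHEL 10 host with `ansible-playbook -i inventory fail_fast_example.yml -e enable_vnc=true` to see the guard fire; with `-e enable_vnc=false` both tasks are skipped and the play continues, matching the behavior table below. Keeping the guard and the package task on the same two conditions (`enable_vnc` and the major version) is what makes the RHEL 10 outcome deterministic: there is no combination in which dnf is asked for packages the distribution no longer ships.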
VNC packages are now conditionally installed based on OS version:

```yaml
- name: Install tigervnc-server and xrdp packages (RHEL 8/9 only)
  ansible.builtin.dnf:
    name:
      - tigervnc-server
      - xrdp
    state: present
  when:
    - enable_vnc | default(true) | bool
    - kvmhost_os_major_version | int < 10
```

| OS Version | enable_vnc | Behavior |
|---|---|---|
| RHEL 8 | true | ✅ VNC packages installed, services started |
| RHEL 8 | false | ⏭️ VNC installation skipped |
| RHEL 9 | true | ✅ VNC packages installed, services started |
| RHEL 9 | false | ⏭️ VNC installation skipped |
| RHEL 10 | true | ❌ Playbook fails with security-first error |
| RHEL 10 | false | ✅ VNC installation skipped, playbook continues |
Platform: Rocky Linux 9.6
Test Date: November 14, 2025
Status: ✅ PASSED
Test playbook (`tests/test-rhel10-vnc-protection.yml`) successfully validates:
- ✅ OS detection correctly identifies Rocky 9
- ✅ `kvmhost_os_major_version` correctly set to `9`
- ✅ Fail-fast task correctly skipped on RHEL 9
- ✅ VNC installation would proceed on RHEL 9 when `enable_vnc: true`
- ✅ Test scenarios correctly simulate RHEL 10 behavior

```text
PLAY RECAP ********************************************************************
localhost : ok=22 changed=0 unreachable=0 failed=0 skipped=2
```
Key Validations:
- OS detection tasks: 17 tasks completed
- Test scenarios: 3 scenarios validated
- No failures or errors
- Clear User Communication: Users attempting RHEL 10 deployments receive immediate, actionable feedback instead of cryptic package errors
- Security-First Approach: The collection refuses to compromise SELinux security, maintaining sVirt protection for KVM workloads
- Backward Compatibility: Existing RHEL 8/9 deployments continue to work without any changes
- Future-Proof: Infrastructure is in place for Phase 2 automatic enablement when the SELinux fix ships
- Documentation Excellence: Comprehensive ADRs provide context, reasoning, and implementation guidance
- Idempotent Design: No changes to existing behavior on supported platforms
Before Phase 1:

```text
FAILED! => {"msg": "No package tigervnc-server available."}
```

(User confused, no context, unclear how to proceed)

After Phase 1:

```text
❌ FATAL: Remote Desktop (enable_vnc: true) is NOT supported on RHEL 10
🔴 WHY THIS FAILED: [clear architectural explanation]
🔒 SECURITY-FIRST PRINCIPLE: [security reasoning]
📋 WORKAROUND: Set 'enable_vnc: false'
📚 REFERENCES: [ADR-0015, BZ 2271661]
```

(User informed, understands context, knows exact workaround)
- RHEL 10 Remote Desktop: Not supported until Red Hat ships the SELinux policy fix for BZ 2271661
- Manual Workaround Required: RHEL 10 users must explicitly set `enable_vnc: false` in inventory
- No RDP Alternative: Phase 2 implementation pending (requires upstream SELinux fix)
Phase 2 will be implemented when Red Hat resolves BZ 2271661. The implementation is fully designed in ADR-0015 and includes:
- Variable Refactoring
  - Deprecate `enable_vnc` → introduce `enable_remote_desktop`
  - Add RDP credential management variables
- Platform-Specific Task Branches
  - `remote_desktop_el8_el9.yml` - Legacy VNC/X11 stack
  - `remote_desktop_el10.yml` - New RDP/Wayland stack with SELinux checking
- SELinux Policy Version Detection
  - Query `selinux-policy` package version
  - Compare against version containing BZ 2271661 fix
  - Auto-enable when fix detected
- Five-Step gnome-remote-desktop Automation
  - Package installation
  - TLS certificate generation
  - grdctl configuration
  - Service enablement
  - Firewall configuration
- Security-First Failure Mode
  - Refuse to enable if SELinux policy not fixed
  - Provide clear dnf update instructions
  - Never suggest disabling SELinux
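As an added example of the SELinux Policy Version Detection and Security-First Failure Mode items above (this is not the project's Phase 2 code, which lives in ADR-0015), the following playbook reads the installed `selinux-policy` version with `package_facts`, compares it against a required version, and refuses to enable gnome-remote-desktop until the fix is present. `selinux_policy_fixed_version` is a placeholder because the version carrying the BZ 2271661 fix is not on this page; `enable_remote_desktop` is the Phase 2 variable name the summary proposes, and `remote_desktop_selinux_ok` is a helper fact introduced here.

```yaml
---
# Added example, not the project's Phase 2 code: detect whether the installed
# selinux-policy already carries the BZ 2271661 fix and fail safely if it does not.
- name: Phase 2 SELinux policy gate for gnome-remote-desktop (RHEL 10)
  hosts: all
  gather_facts: true
  vars:
    # PLACEHOLDER: the selinux-policy VERSION-RELEASE that ships the fix is not
    # known here; replace it with the value from the erratum. The deliberately
    # high placeholder keeps the gate closed (fail-closed) until it is replaced.
    selinux_policy_fixed_version: "999-PLACEHOLDER"
    enable_remote_desktop: false   # proposed Phase 2 replacement for enable_vnc
  tasks:
    - name: Collect installed package facts (includes selinux-policy)
      ansible.builtin.package_facts:
        manager: rpm

    - name: Build a VERSION-RELEASE string for the installed selinux-policy
      ansible.builtin.set_fact:
        selinux_policy_version: >-
          {{ ansible_facts.packages['selinux-policy'][0].version }}-{{
             ansible_facts.packages['selinux-policy'][0].release }}
      when: "'selinux-policy' in ansible_facts.packages"

    # Loose version comparison; a missing package counts as "not fixed".
    - name: Decide whether the SELinux policy is new enough for RDP in enforcing mode
      ansible.builtin.set_fact:
        remote_desktop_selinux_ok: >-
          {{ selinux_policy_version is defined
             and selinux_policy_version is version(selinux_policy_fixed_version, '>=') }}

    # Security-first failure mode: stop here with update instructions rather than
    # weaken SELinux. Nothing in this path touches the SELinux mode.
    - name: Refuse to enable gnome-remote-desktop while the SELinux policy is unfixed
      ansible.builtin.fail:
        msg: |
          ❌ gnome-remote-desktop cannot be enabled on this host.
          Installed selinux-policy: {{ selinux_policy_version | default('not installed') }}
          Required (BZ 2271661 fix): >= {{ selinux_policy_fixed_version }}
          Update the policy and rerun:  sudo dnf update selinux-policy selinux-policy-targeted
          SELinux remains in enforcing mode; it is not disabled to work around this.
      when:
        - enable_remote_desktop | bool
        - not (remote_desktop_selinux_ok | bool)

    # Auto-enable branch: the five-step gnome-remote-desktop setup would follow here.
    - name: Confirm the policy carries the fix before continuing
      ansible.builtin.debug:
        msg: "selinux-policy {{ selinux_policy_version }} carries the fix; proceeding with gnome-remote-desktop setup"
      when:
        - enable_remote_desktop | bool
        - remote_desktop_selinux_ok | bool
```

Run with `ansible-playbook -i inventory phase2_gate_example.yml -e enable_remote_desktop=true`. The design point worth keeping from this sketch is that the gate fails closed: an unknown, missing, or older policy version all land in the `fail` task, and the only remediation the message offers is a package update, so the playbook never steers an operator toward permissive mode.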
- ADR-0008: RHEL 9 and RHEL 10 Support Strategy
- ADR-0015: Remote Desktop Architecture Decision (VNC to RDP Migration)
- Red Hat Bugzilla 2271661: gnome-remote-desktop SELinux incompatibility
- FINDINGS.md: Original research and analysis
- RHEL 10 Documentation: Xorg deprecation, Wayland transition, gnome-remote-desktop

- `roles/kvmhost_setup/defaults/main.yml` - Variable definitions
- `roles/kvmhost_setup/tasks/rhpds_instance.yml` - Fail-fast implementation
- `tests/test-rhel10-vnc-protection.yml` - Validation test
Phase 1 implementation successfully achieves the goal of fail-fast protection for RHEL 10 systems. The implementation prioritizes:
- ✅ Security: No compromise on SELinux enforcement
- ✅ Clarity: Clear, actionable error messages
- ✅ Compatibility: Backward compatible with RHEL 8/9
- ✅ Forward-Looking: Infrastructure ready for Phase 2
The collection now provides a production-ready safety net that guides users toward correct configuration while maintaining the highest security standards for KVM hypervisor deployments.
Implementation Team: Cascade AI
Review Status: Ready for Review
Deployment Status: Ready for Testing on CentOS Stream 10
Approved By: Pending Project Maintainer Review