[openstack-dev] [Openstack-operators] RFC: Increasing min libvirt to 1.0.6 for LXC driver ?

Dmitry Guryanov dguryanov at parallels.com
Mon Feb 16 13:31:21 UTC 2015


On 02/13/2015 05:50 PM, Jay Pipes wrote:
> On 02/13/2015 09:20 AM, Daniel P. Berrange wrote:
>> On Fri, Feb 13, 2015 at 08:49:26AM -0500, Jay Pipes wrote:
>>> On 02/13/2015 07:04 AM, Daniel P. Berrange wrote:
>>>> Historically Nova has had a bunch of code which mounted images on the
>>>> host OS using qemu-nbd before passing them to libvirt to setup the
>>>> LXC container. Since 1.0.6, libvirt is able to do this itself and it
>>>> would simplify the codepaths in Nova if we can rely on that
>>>>
>>>> In general, without use of user namespaces, LXC can't really be
>>>> considered secure in OpenStack, and this already requires libvirt
>>>> version 1.1.1 and Nova Juno release.
>>>>
>>>> As such I'd be surprised if anyone is running OpenStack with libvirt
>>>> & LXC in production on libvirt < 1.1.1 as it would be pretty insecure,
>>>> but stranger things have happened.
>>>>
>>>> The general libvirt min requirement for LXC, QEMU and KVM currently
>>>> is 0.9.11. We're *not* proposing to change the QEMU/KVM min libvirt,
>>>> but feel it is worth increasing the LXC min libvirt to 1.0.6
>>>>
>>>> So would anyone object if we increased min libvirt to 1.0.6 when
>>>> running the LXC driver ?

Thanks for raising the question, Daniel!

Since there are no objections, I'd like to make 1.1.1 the minimal 
required version. Let's also make parameters uid_maps and gid_maps 
mandatory and always add them to libvirt XML.


>>>
>>> Why not 1.1.1?
>>
>> Well I was only going for what's the technical bare minimum to get
>> the functionality wrt disk image mounting.
>>
>> If we wish to declare use of user namespace is mandatory with the
>> libvirt LXC driver, then picking 1.1.1 would be fine too.
>
> Personally, I'd be +1 on 1.1.1. :)
>
> -jay
>
> __________________________________________________________________________ 
>
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: 
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


-- 
Dmitry Guryanov
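The thread's security point is that the LXC driver is only defensible when the guest runs in a user namespace, which is why the uid/gid mappings should always end up in the libvirt XML. The following is an added example, not code from Nova, libvirt or anyone in the thread: it turns Nova-style `uid_maps`/`gid_maps` entries into libvirt's `<idmap>` element and rejects mappings that would quietly hand the container host root. The `start:target:count` entry format, the function names, the sample id ranges and the rejection rules are this example's assumptions; the 1.1.1 minimum and the libvirt version encoding (major*1000000 + minor*1000 + release, as returned by `libvirt.getVersion()`) are not.

```python
# Added example (not Nova or libvirt code): build the <idmap> element that
# libvirt's LXC driver uses for user namespaces from Nova-style uid/gid map
# entries, and refuse mappings that would defeat the isolation the thread
# describes. The "start:target:count" entry format, the function names and
# the sample values are this example's assumptions.
import xml.etree.ElementTree as ET

# libvirt encodes versions as major*1000000 + minor*1000 + release
# (the integer returned by virConnectGetVersion / libvirt.getVersion()).
LIBVIRT_MIN_USERNS = 1 * 1000000 + 1 * 1000 + 1   # 1.1.1, per the thread


def libvirt_supports_idmap(version):
    """True if this libvirt can honour <idmap> for LXC guests (>= 1.1.1)."""
    return version >= LIBVIRT_MIN_USERNS


def parse_map(entry):
    """Parse one 'start:target:count' entry (container id, host id, length)."""
    parts = entry.split(":")
    if len(parts) != 3:
        raise ValueError("expected start:target:count, got %r" % (entry,))
    start, target, count = (int(p) for p in parts)
    if start < 0 or target < 0 or count <= 0:
        raise ValueError("ids must be >= 0 and count > 0 in %r" % (entry,))
    return start, target, count


def map_problems(maps):
    """Return the reasons a list of (start, target, count) tuples is unsafe.

    An empty list means the mapping is acceptable. The rules are this
    example's policy, chosen so that the container never obtains host root:
      - host uid/gid 0 must not be inside any target range;
      - container id 0 must be mapped, or root inside the guest is unusable;
      - container ranges must not overlap (the kernel rejects that anyway,
        but failing early gives a clearer error than a guest start failure).
    """
    problems = []
    ordered = sorted(maps)
    if not any(s == 0 for s, _, _ in ordered):
        problems.append("container id 0 is not mapped")
    prev_end = None
    for start, target, count in ordered:
        if target == 0:
            problems.append("%d:%d:%d maps container ids onto host id 0"
                            % (start, target, count))
        if prev_end is not None and start < prev_end:
            problems.append("range starting at %d overlaps the previous one"
                            % start)
        prev_end = start + count
    return problems


def build_idmap(uid_maps, gid_maps):
    """Return an <idmap> Element with one <uid>/<gid> child per entry."""
    idmap = ET.Element("idmap")
    for tag, entries in (("uid", uid_maps), ("gid", gid_maps)):
        parsed = [parse_map(e) for e in entries]
        problems = map_problems(parsed)
        if problems:
            raise ValueError("%s_maps rejected: %s" % (tag, "; ".join(problems)))
        for start, target, count in parsed:
            ET.SubElement(idmap, tag, start=str(start),
                          target=str(target), count=str(count))
    return idmap


def idmap_xml(uid_maps, gid_maps):
    """Serialise build_idmap() output for pasting into a <domain type='lxc'>."""
    return ET.tostring(build_idmap(uid_maps, gid_maps), encoding="unicode")


if __name__ == "__main__":
    # Constructed sample: container ids 0-65535 -> host ids 100000-165535
    print(idmap_xml(["0:100000:65536"], ["0:100000:65536"]))
    # Constructed sample that maps container root onto host root: rejected
    print(map_problems([parse_map("0:0:65536")]))
```

The `target == 0` rule is the one that matters: a mapping such as `0:0:65536` is syntactically valid and libvirt will happily start the guest with it, but root in the container is then host root, so the user namespace adds nothing. Checking the libvirt version first (1.1.1 or later) is what lets a driver make the mapping mandatory rather than best-effort.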
