[openstack-dev] [Openstack-operators] RFC: Increasing min libvirt to 1.0.6 for LXC driver ?
Dmitry Guryanov
dguryanov at parallels.com
Mon Feb 16 13:46:01 UTC 2015
On 02/16/2015 04:36 PM, Daniel P. Berrange wrote:
> On Mon, Feb 16, 2015 at 04:31:21PM +0300, Dmitry Guryanov wrote:
>> On 02/13/2015 05:50 PM, Jay Pipes wrote:
>>> On 02/13/2015 09:20 AM, Daniel P. Berrange wrote:
>>>> On Fri, Feb 13, 2015 at 08:49:26AM -0500, Jay Pipes wrote:
>>>>> On 02/13/2015 07:04 AM, Daniel P. Berrange wrote:
>>>>>> Historically Nova has had a bunch of code which mounted images on the
>>>>>> host OS using qemu-nbd before passing them to libvirt to setup the
>>>>>> LXC container. Since 1.0.6, libvirt is able todo this itself and it
>>>>>> would simplify the codepaths in Nova if we can rely on that
>>>>>>
>>>>>> In general, without use of user namespaces, LXC can't really be
>>>>>> considered secure in OpenStack, and this already requires libvirt
>>>>>> version 1.1.1 and Nova Juno release.
>>>>>>
>>>>>> As such I'd be surprised if anyone is running OpenStack with libvirt
>>>>>> & LXC in production on libvirt < 1.1.1 as it would be pretty insecure,
>>>>>> but stranger things have happened.
>>>>>>
>>>>>> The general libvirt min requirement for LXC, QEMU and KVM currently
>>>>>> is 0.9.11. We're *not* proposing to change the QEMU/KVM min libvirt,
>>>>>> but feel it is worth increasing the LXC min libvirt to 1.0.6
>>>>>>
>>>>>> So would anyone object if we increased min libvirt to 1.0.6 when
>>>>>> running the LXC driver ?
>> Thanks for raising the question, Daniel!
>>
>> Since there are no objections, I'd like to make 1.1.1 the minimal required
>> version. Let's also make parameters uid_maps and gid_maps mandatory and
>> always add them to libvirt XML.
> I think it is probably not enough prior warning to actually turn on user
> namespace by default in Kilo. So I think what we should do for Kilo is to
> issue a warning message on nova startup if userns is not enabled in the
> config, telling users that this will become mandatory in Liberty. Then
> when Liberty dev opens, we make it mandatory.
>
> Regards,
> Daniel
OK, seems reasonable.
--
Dmitry Guryanov
More information about the OpenStack-dev
mailing list