[openstack-dev] [Openstack-operators] RFC: Increasing min libvirt to 1.0.6 for LXC driver ?
Dmitry Guryanov
dguryanov at parallels.com
Sat Feb 21 14:08:45 UTC 2015
Let's put off this cleanup to the L release. There is a problem with mounting a loop device with user namespaces enabled, so we can't commit the change and break containers with user namespaces.
I'm going on vacation until 6th March; when I return I'm going to learn the LXC code and figure out what should be done so that containers with user namespaces will start from images over loop devices.
________________________________________
From: Dmitry Guryanov <dguryanov at parallels.com>
Sent: 16 February 2015 16:46
To: Daniel P. Berrange
Cc: OpenStack Development Mailing List (not for usage questions); openstack-operators at lists.openstack.org
Subject: Re: [openstack-dev] [Openstack-operators] RFC: Increasing min libvirt to 1.0.6 for LXC driver ?
On 02/16/2015 04:36 PM, Daniel P. Berrange wrote:
> On Mon, Feb 16, 2015 at 04:31:21PM +0300, Dmitry Guryanov wrote:
>> On 02/13/2015 05:50 PM, Jay Pipes wrote:
>>> On 02/13/2015 09:20 AM, Daniel P. Berrange wrote:
>>>> On Fri, Feb 13, 2015 at 08:49:26AM -0500, Jay Pipes wrote:
>>>>> On 02/13/2015 07:04 AM, Daniel P. Berrange wrote:
>>>>>> Historically Nova has had a bunch of code which mounted images on the
>>>>>> host OS using qemu-nbd before passing them to libvirt to set up the
>>>>>> LXC container. Since 1.0.6, libvirt is able to do this itself and it
>>>>>> would simplify the codepaths in Nova if we can rely on that
>>>>>>
>>>>>> In general, without use of user namespaces, LXC can't really be
>>>>>> considered secure in OpenStack, and this already requires libvirt
>>>>>> version 1.1.1 and Nova Juno release.
>>>>>>
>>>>>> As such I'd be surprised if anyone is running OpenStack with libvirt
>>>>>> & LXC in production on libvirt < 1.1.1 as it would be pretty insecure,
>>>>>> but stranger things have happened.
>>>>>>
>>>>>> The general libvirt min requirement for LXC, QEMU and KVM currently
>>>>>> is 0.9.11. We're *not* proposing to change the QEMU/KVM min libvirt,
>>>>>> but feel it is worth increasing the LXC min libvirt to 1.0.6
>>>>>>
>>>>>> So would anyone object if we increased min libvirt to 1.0.6 when
>>>>>> running the LXC driver ?
>> Thanks for raising the question, Daniel!
>>
>> Since there are no objections, I'd like to make 1.1.1 the minimal required
>> version. Let's also make parameters uid_maps and gid_maps mandatory and
>> always add them to libvirt XML.
> I think it is probably not enough prior warning to actually turn on user
> namespace by default in Kilo. So I think what we should do for Kilo is to
> issue a warning message on nova startup if userns is not enabled in the
> config, telling users that this will become mandatory in Liberty. Then
> when Liberty dev opens, we make it mandatory.
>
> Regards,
> Daniel
OK, seems reasonable.
--
Dmitry Guryanov
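An added example, not code from Nova or from anyone in this thread: a small Python sketch of the two things discussed above, rendering configured uid_maps/gid_maps into the libvirt `<idmap>` element for an LXC domain, and producing the Kilo-style startup warning when no mapping is configured. The "guest:host:count" entry format and the refusal of an identity mapping of id 0 are assumptions made here.

```python
import xml.etree.ElementTree as ET


def parse_idmap(entries):
    """Turn entries like ["0:100000:65536"] into (start, target, count) tuples.

    Assumption: entries use Nova's "guest:host:count" form. An entry that maps
    guest id 0 onto host id 0 is rejected, because it leaves container root
    equal to host root and defeats the point of enabling user namespaces.
    """
    parsed = []
    for entry in entries:
        parts = entry.split(":")
        if len(parts) != 3:
            raise ValueError("bad id map entry %r, expected guest:host:count" % entry)
        start, target, count = (int(p) for p in parts)
        if count <= 0 or (start == 0 and target == 0):
            raise ValueError("refusing identity mapping of id 0: %r" % entry)
        parsed.append((start, target, count))
    return parsed


def build_idmap(uid_maps, gid_maps):
    """Return the libvirt <idmap> Element, or None when userns is unconfigured."""
    if not uid_maps and not gid_maps:
        return None
    idmap = ET.Element("idmap")
    for tag, entries in (("uid", uid_maps), ("gid", gid_maps)):
        for start, target, count in parse_idmap(entries):
            ET.SubElement(idmap, tag, start=str(start),
                          target=str(target), count=str(count))
    return idmap


def idmap_xml(uid_maps, gid_maps):
    """Serialised <idmap> fragment ready to embed in the LXC domain XML."""
    element = build_idmap(uid_maps, gid_maps)
    return None if element is None else ET.tostring(element, encoding="unicode")


def userns_warning(uid_maps, gid_maps):
    """The startup warning proposed for Kilo: None when both maps are set."""
    if uid_maps and gid_maps:
        return None
    return ("LXC driver: user namespaces are not enabled (uid_maps/gid_maps "
            "unset); this will become mandatory in Liberty.")


if __name__ == "__main__":
    # Constructed sample config: map container ids 0..65535 onto host 100000+.
    print(userns_warning([], []))
    print(idmap_xml(["0:100000:65536"], ["0:100000:65536"]))
```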