[Openstack-operators] RFC: Increasing min libvirt to 1.0.6 for LXC driver ?
Jay Pipes
jaypipes at gmail.com
Fri Feb 13 13:49:26 UTC 2015
On 02/13/2015 07:04 AM, Daniel P. Berrange wrote:
> Historically Nova has had a bunch of code which mounted images on the
> host OS using qemu-nbd before passing them to libvirt to setup the
> LXC container. Since 1.0.6, libvirt is able todo this itself and it
> would simplify the codepaths in Nova if we can rely on that
>
> In general, without use of user namespaces, LXC can't really be
> considered secure in OpenStack, and this already requires libvirt
> version 1.1.1 and Nova Juno release.
>
> As such I'd be surprised if anyone is running OpenStack with libvirt
> & LXC in production on libvirt < 1.1.1 as it would be pretty insecure,
> but stranger things have happened.
>
> The general libvirt min requirement for LXC, QEMU and KVM currently
> is 0.9.11. We're *not* proposing to change the QEMU/KVM min libvirt,
> but feel it is worth increasing the LXC min libvirt to 1.0.6
>
> So would anyone object if we increased min libvirt to 1.0.6 when
> running the LXC driver ?
Why not 1.1.1?
Best,
-jay
More information about the OpenStack-operators
mailing list