[Openstack-operators] RFC: Increasing min libvirt to 1.0.6 for LXC driver ?

Jay Pipes jaypipes at gmail.com
Fri Feb 13 14:50:45 UTC 2015


On 02/13/2015 09:20 AM, Daniel P. Berrange wrote:
> On Fri, Feb 13, 2015 at 08:49:26AM -0500, Jay Pipes wrote:
>> On 02/13/2015 07:04 AM, Daniel P. Berrange wrote:
>>> Historically Nova has had a bunch of code which mounted images on the
>>> host OS using qemu-nbd before passing them to libvirt to setup the
>>> LXC container. Since 1.0.6, libvirt is able to do this itself and it
>>> would simplify the codepaths in Nova if we can rely on that
>>>
>>> In general, without use of user namespaces, LXC can't really be
>>> considered secure in OpenStack, and this already requires libvirt
>>> version 1.1.1 and Nova Juno release.
>>>
>>> As such I'd be surprised if anyone is running OpenStack with libvirt
>>> & LXC in production on libvirt < 1.1.1 as it would be pretty insecure,
>>> but stranger things have happened.
>>>
>>> The general libvirt min requirement for LXC, QEMU and KVM currently
>>> is 0.9.11. We're *not* proposing to change the QEMU/KVM min libvirt,
>>> but feel it is worth increasing the LXC min libvirt to 1.0.6
>>>
>>> So would anyone object if we increased min libvirt to 1.0.6 when
>>> running the LXC driver ?
>>
>> Why not 1.1.1?
>
> Well I was only going for what's the technical bare minimum to get
> the functionality wrt disk image mounting.
>
> If we wish to declare use of user namespace is mandatory with the
> libvirt LXC driver, then picking 1.1.1 would be fine too.

Personally, I'd be +1 on 1.1.1. :)

-jay
