On 02/13/2015 09:20 AM, Daniel P. Berrange wrote:
On Fri, Feb 13, 2015 at 08:49:26AM -0500, Jay Pipes wrote:
On 02/13/2015 07:04 AM, Daniel P. Berrange wrote:
Historically Nova has had a bunch of code which mounted images on the
host OS using qemu-nbd before passing them to libvirt to setup the
LXC container. Since 1.0.6, libvirt is able todo this itself and it
would simplify the codepaths in Nova if we can rely on that
In general, without use of user namespaces, LXC can't really be
considered secure in OpenStack, and this already requires libvirt
version 1.1.1 and Nova Juno release.
As such I'd be surprised if anyone is running OpenStack with libvirt
& LXC in production on libvirt < 1.1.1 as it would be pretty insecure,
but stranger things have happened.
The general libvirt min requirement for LXC, QEMU and KVM currently
is 0.9.11. We're *not* proposing to change the QEMU/KVM min libvirt,
but feel it is worth increasing the LXC min libvirt to 1.0.6
So would anyone object if we increased min libvirt to 1.0.6 when
running the LXC driver ?
Why not 1.1.1?
Well I was only going for what's the technical bare minimum to get
the functionality wrt disk image mounting.
If we wish to declare use of user namespace is mandatory with the
libvirt LXC driver, then picking 1.1.1 would be fine too.
Personally, I'd be +1 on 1.1.1. :)
-jay
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
