Re: [openstack-dev] [Openstack-operators] RFC: Increasing min libvirt to 1.0.6 for LXC driver ?

2015-02-21 Thread Dmitry Guryanov
Let's put off this cleanup to the L release. There is a problem with mounting a loop 
device with user namespaces enabled, so we can't commit the change and break 
containers with user namespaces.

I'm going on vacation until 6th March; when I return I'm going to learn the LXC 
code and figure out what should be done so that containers with user 
namespaces will start from images over loop devices.



From: Dmitry Guryanov dgurya...@parallels.com
Sent: 16 February 2015 16:46
To: Daniel P. Berrange
Cc: OpenStack Development Mailing List (not for usage questions); 
openstack-operat...@lists.openstack.org
Subject: Re: [openstack-dev] [Openstack-operators] RFC: Increasing min libvirt to 
1.0.6 for LXC driver ?

On 02/16/2015 04:36 PM, Daniel P. Berrange wrote:
 On Mon, Feb 16, 2015 at 04:31:21PM +0300, Dmitry Guryanov wrote:
 On 02/13/2015 05:50 PM, Jay Pipes wrote:
 On 02/13/2015 09:20 AM, Daniel P. Berrange wrote:
 On Fri, Feb 13, 2015 at 08:49:26AM -0500, Jay Pipes wrote:
 On 02/13/2015 07:04 AM, Daniel P. Berrange wrote:
 Historically Nova has had a bunch of code which mounted images on the
 host OS using qemu-nbd before passing them to libvirt to setup the
 LXC container. Since 1.0.6, libvirt is able to do this itself and it
 would simplify the codepaths in Nova if we can rely on that

 In general, without use of user namespaces, LXC can't really be
 considered secure in OpenStack, and this already requires libvirt
 version 1.1.1 and Nova Juno release.

 As such I'd be surprised if anyone is running OpenStack with libvirt
 LXC in production on libvirt < 1.1.1 as it would be pretty insecure,
 but stranger things have happened.

 The general libvirt min requirement for LXC, QEMU and KVM currently
 is 0.9.11. We're *not* proposing to change the QEMU/KVM min libvirt,
 but feel it is worth increasing the LXC min libvirt to 1.0.6

 So would anyone object if we increased min libvirt to 1.0.6 when
 running the LXC driver ?
 Thanks for raising the question, Daniel!

 Since there are no objections, I'd like to make 1.1.1 the minimal required
 version. Let's also make parameters uid_maps and gid_maps mandatory and
 always add them to libvirt XML.
 I think it is probably not enough prior warning to actually turn on user
 namespace by default in Kilo. So I think what we should do for Kilo is to
 issue a warning message on nova startup if userns is not enabled in the
 config, telling users that this will become mandatory in Liberty. Then
 when Liberty dev opens, we make it mandatory.

 Regards,
 Daniel

OK, seems reasonable.

--
Dmitry Guryanov


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



Re: [openstack-dev] [Openstack-operators] RFC: Increasing min libvirt to 1.0.6 for LXC driver ?

2015-02-16 Thread Daniel P. Berrange
On Mon, Feb 16, 2015 at 04:31:21PM +0300, Dmitry Guryanov wrote:
 On 02/13/2015 05:50 PM, Jay Pipes wrote:
 On 02/13/2015 09:20 AM, Daniel P. Berrange wrote:
 On Fri, Feb 13, 2015 at 08:49:26AM -0500, Jay Pipes wrote:
 On 02/13/2015 07:04 AM, Daniel P. Berrange wrote:
 Historically Nova has had a bunch of code which mounted images on the
 host OS using qemu-nbd before passing them to libvirt to setup the
 LXC container. Since 1.0.6, libvirt is able to do this itself and it
 would simplify the codepaths in Nova if we can rely on that
 
 In general, without use of user namespaces, LXC can't really be
 considered secure in OpenStack, and this already requires libvirt
 version 1.1.1 and Nova Juno release.
 
 As such I'd be surprised if anyone is running OpenStack with libvirt
 LXC in production on libvirt < 1.1.1 as it would be pretty insecure,
 but stranger things have happened.
 
 The general libvirt min requirement for LXC, QEMU and KVM currently
 is 0.9.11. We're *not* proposing to change the QEMU/KVM min libvirt,
 but feel it is worth increasing the LXC min libvirt to 1.0.6
 
 So would anyone object if we increased min libvirt to 1.0.6 when
 running the LXC driver ?
 
 Thanks for raising the question, Daniel!
 
 Since there are no objections, I'd like to make 1.1.1 the minimal required
 version. Let's also make parameters uid_maps and gid_maps mandatory and
 always add them to libvirt XML.

I think it is probably not enough prior warning to actually turn on user
namespace by default in Kilo. So I think what we should do for Kilo is to
issue a warning message on nova startup if userns is not enabled in the
config, telling users that this will become mandatory in Liberty. Then
when Liberty dev opens, we make it mandatory.

Regards,
Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

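The rollout plan discussed in the messages above (a higher minimum libvirt for the LXC driver only, uid_maps/gid_maps always rendered into the domain XML, a startup warning in Kilo that becomes a hard failure in Liberty), as an added example in Python. This is not Nova's or libvirt's own code. It assumes the "guest-id:host-id:count" syntax for the uid_maps/gid_maps options, libvirt's integer version encoding (major*1000000 + minor*1000 + release), the <idmap> element libvirt's LXC driver uses for user namespaces, and the helper names and sample values below, none of which come from the thread.

```python
"""Added example, not Nova code: per-driver minimum libvirt version and
the <idmap> XML that turns on user namespaces for a libvirt LXC domain.

Assumed (not from the thread): the "guest:host:count" option syntax,
libvirt's integer version encoding, and the helper names used here.
"""
import logging
import xml.etree.ElementTree as ET

LOG = logging.getLogger(__name__)

# Minimums as stated in the thread: QEMU/KVM stay at 0.9.11,
# LXC moves to 1.1.1 because user namespaces need it.
MIN_LIBVIRT_VERSION = (0, 9, 11)
MIN_LIBVIRT_LXC_USERNS_VERSION = (1, 1, 1)


def parse_version(version_int):
    """Split libvirt's integer version (major*1000000 + minor*1000 + release)."""
    major, rest = divmod(version_int, 1000000)
    minor, release = divmod(rest, 1000)
    return (major, minor, release)


def check_min_version(virt_type, libvirt_version):
    """True if the host libvirt meets the minimum for this virt_type."""
    required = (MIN_LIBVIRT_LXC_USERNS_VERSION if virt_type == "lxc"
                else MIN_LIBVIRT_VERSION)
    return parse_version(libvirt_version) >= required


def parse_idmap(entries):
    """Parse 'guest:host:count' strings into (start, target, count) tuples."""
    maps = []
    for entry in entries:
        parts = entry.split(":")
        if len(parts) != 3:
            raise ValueError("bad id map %r, expected guest:host:count" % entry)
        start, target, count = (int(p) for p in parts)
        if start < 0 or target < 0 or count <= 0:
            raise ValueError("id map %r has a negative id or empty range" % entry)
        maps.append((start, target, count))
    return maps


def build_idmap_xml(uid_maps, gid_maps):
    """Render libvirt's <idmap> element, or None when either map is unset."""
    if not uid_maps or not gid_maps:
        return None
    idmap = ET.Element("idmap")
    for tag, maps in (("uid", parse_idmap(uid_maps)),
                      ("gid", parse_idmap(gid_maps))):
        for start, target, count in maps:
            ET.SubElement(idmap, tag, start=str(start),
                          target=str(target), count=str(count))
    return ET.tostring(idmap, encoding="unicode")


def check_lxc_userns(uid_maps, gid_maps, libvirt_version, mandatory=False):
    """Apply the proposed rollout to an LXC host at driver startup.

    mandatory=False: Kilo behaviour, warn but keep going.
    mandatory=True: Liberty behaviour, refuse to start without userns.
    Returns the <idmap> XML, or None when user namespaces stay off.
    """
    if not check_min_version("lxc", libvirt_version):
        raise RuntimeError("libvirt LXC driver requires libvirt >= %s"
                           % ".".join(map(str, MIN_LIBVIRT_LXC_USERNS_VERSION)))
    xml = build_idmap_xml(uid_maps, gid_maps)
    if xml is None:
        msg = ("uid_maps/gid_maps are not set: LXC containers will run without "
               "user namespaces, which is insecure; this becomes mandatory in Liberty")
        if mandatory:
            raise RuntimeError(msg)
        LOG.warning(msg)
    return xml


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample: a libvirt 1.2.2 host mapping 65536 ids for guest root.
    print(check_lxc_userns(["0:100000:65536"], ["0:100000:65536"], 1002002))
    # Same host with the maps unset: warns (Kilo) and returns None.
    print(check_lxc_userns([], [], 1002002))
```

The version check keys off virt_type so the QEMU/KVM minimum is untouched, and the generated element is the one the LXC domain needs under <domain type='lxc'> for the container to run with a uid/gid mapping rather than as host root.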


Re: [openstack-dev] [Openstack-operators] RFC: Increasing min libvirt to 1.0.6 for LXC driver ?

2015-02-16 Thread Dmitry Guryanov

On 02/13/2015 05:50 PM, Jay Pipes wrote:

On 02/13/2015 09:20 AM, Daniel P. Berrange wrote:

On Fri, Feb 13, 2015 at 08:49:26AM -0500, Jay Pipes wrote:

On 02/13/2015 07:04 AM, Daniel P. Berrange wrote:

Historically Nova has had a bunch of code which mounted images on the
host OS using qemu-nbd before passing them to libvirt to setup the
LXC container. Since 1.0.6, libvirt is able to do this itself and it
would simplify the codepaths in Nova if we can rely on that

In general, without use of user namespaces, LXC can't really be
considered secure in OpenStack, and this already requires libvirt
version 1.1.1 and Nova Juno release.

As such I'd be surprised if anyone is running OpenStack with libvirt
LXC in production on libvirt < 1.1.1 as it would be pretty insecure,
but stranger things have happened.

The general libvirt min requirement for LXC, QEMU and KVM currently
is 0.9.11. We're *not* proposing to change the QEMU/KVM min libvirt,
but feel it is worth increasing the LXC min libvirt to 1.0.6

So would anyone object if we increased min libvirt to 1.0.6 when
running the LXC driver ?


Thanks for raising the question, Daniel!

Since there are no objections, I'd like to make 1.1.1 the minimal 
required version. Let's also make parameters uid_maps and gid_maps 
mandatory and always add them to libvirt XML.





Why not 1.1.1?


Well I was only going for what's the technical bare minimum to get
the functionality wrt disk image mounting.

If we wish to declare use of user namespace is mandatory with the
libvirt LXC driver, then picking 1.1.1 would be fine too.


Personally, I'd be +1 on 1.1.1. :)

-jay




--
Dmitry Guryanov




Re: [openstack-dev] [Openstack-operators] RFC: Increasing min libvirt to 1.0.6 for LXC driver ?

2015-02-16 Thread Dmitry Guryanov

On 02/16/2015 04:36 PM, Daniel P. Berrange wrote:

On Mon, Feb 16, 2015 at 04:31:21PM +0300, Dmitry Guryanov wrote:

On 02/13/2015 05:50 PM, Jay Pipes wrote:

On 02/13/2015 09:20 AM, Daniel P. Berrange wrote:

On Fri, Feb 13, 2015 at 08:49:26AM -0500, Jay Pipes wrote:

On 02/13/2015 07:04 AM, Daniel P. Berrange wrote:

Historically Nova has had a bunch of code which mounted images on the
host OS using qemu-nbd before passing them to libvirt to setup the
LXC container. Since 1.0.6, libvirt is able to do this itself and it
would simplify the codepaths in Nova if we can rely on that

In general, without use of user namespaces, LXC can't really be
considered secure in OpenStack, and this already requires libvirt
version 1.1.1 and Nova Juno release.

As such I'd be surprised if anyone is running OpenStack with libvirt
LXC in production on libvirt < 1.1.1 as it would be pretty insecure,
but stranger things have happened.

The general libvirt min requirement for LXC, QEMU and KVM currently
is 0.9.11. We're *not* proposing to change the QEMU/KVM min libvirt,
but feel it is worth increasing the LXC min libvirt to 1.0.6

So would anyone object if we increased min libvirt to 1.0.6 when
running the LXC driver ?

Thanks for raising the question, Daniel!

Since there are no objections, I'd like to make 1.1.1 the minimal required
version. Let's also make parameters uid_maps and gid_maps mandatory and
always add them to libvirt XML.

I think it is probably not enough prior warning to actually turn on user
namespace by default in Kilo. So I think what we should do for Kilo is to
issue a warning message on nova startup if userns is not enabled in the
config, telling users that this will become mandatory in Liberty. Then
when Liberty dev opens, we make it mandatory.

Regards,
Daniel


OK, seems reasonable.

--
Dmitry Guryanov




Re: [openstack-dev] [Openstack-operators] RFC: Increasing min libvirt to 1.0.6 for LXC driver ?

2015-02-13 Thread Jay Pipes

On 02/13/2015 09:20 AM, Daniel P. Berrange wrote:

On Fri, Feb 13, 2015 at 08:49:26AM -0500, Jay Pipes wrote:

On 02/13/2015 07:04 AM, Daniel P. Berrange wrote:

Historically Nova has had a bunch of code which mounted images on the
host OS using qemu-nbd before passing them to libvirt to setup the
LXC container. Since 1.0.6, libvirt is able to do this itself and it
would simplify the codepaths in Nova if we can rely on that

In general, without use of user namespaces, LXC can't really be
considered secure in OpenStack, and this already requires libvirt
version 1.1.1 and Nova Juno release.

As such I'd be surprised if anyone is running OpenStack with libvirt
LXC in production on libvirt < 1.1.1 as it would be pretty insecure,
but stranger things have happened.

The general libvirt min requirement for LXC, QEMU and KVM currently
is 0.9.11. We're *not* proposing to change the QEMU/KVM min libvirt,
but feel it is worth increasing the LXC min libvirt to 1.0.6

So would anyone object if we increased min libvirt to 1.0.6 when
running the LXC driver ?


Why not 1.1.1?


Well I was only going for what's the technical bare minimum to get
the functionality wrt disk image mounting.

If we wish to declare use of user namespace is mandatory with the
libvirt LXC driver, then picking 1.1.1 would be fine too.


Personally, I'd be +1 on 1.1.1. :)

-jay
