OpenVZ 7 - should I upgrade? [message #52595]
Mon, 24 October 2016 15:44
mperkel
Been using OpenVZ for many years and love it. Just works. So - should I upgrade to OpenVZ 7? Only running Linux and wondering ..
What is the migration path?
Is it worth it to migrate?
Any downside to upgrading?
Just like to get an overview of version 7.
Junk Email Filter
http://www.junkemailfilter.com
Re: OpenVZ 7 - should I upgrade? [message #52757 is a reply to message #52728]
Thu, 02 March 2017 19:58
khorenko
A(r|d)min wrote on Mon, 06 February 2017 18:59:
> Also I would be interested (like williamt) in details of the private network restriction. Can someone explain or provide a link to the related documentation?
> As I read in the documentation, it's only possible to add bridged interfaces to a VE. This is in addition to the host-routed network which is used by a VE by default. Is this the mentioned restriction?
No, this is not about iptables or bridged/host-routed networking, please see the feature description in Virtuozzo version 6:
http://updates.virtuozzo.com/doc/pcs/en_us/virtuozzo/6/current/html/Virtuozzo_Users_Guide/33573.htm
Hope that helps.
If your problem is solved - please, report it!
It's even more important than reporting the problem itself...
Re: OpenVZ 7 - should I upgrade? [message #52765 is a reply to message #52762]
Wed, 08 March 2017 17:20
samiam123
I am looking at it. The problem is that it is not secure at the moment. Not even close. That is why nobody is using it for hosting. It's only good enough for internal use where security is not a concern.
I think OpenVZ7 is currently much more secure. However, I don't think it is stable enough for production yet.
[Updated on: Wed, 08 March 2017 17:21]
Re: OpenVZ 7 - should I upgrade? [message #52766 is a reply to message #52595]
Fri, 10 March 2017 15:40
tomp
I am facing the same decision. Have been using OpenVZ since CentOS 5, and am now running CentOS 6 for many years.
Very happy with OpenVZ 6.
But with only 2 years left on security support from CentOS, I need to start planning the replacement.
I have experimented with CentOS 7 and OpenVZ 7 using the unofficial upgrade script vzdeploy
https://marc.ttias.be/openvz-users/2016-08/msg00027.php
http://repo.virtuozzo.com/vzlinux/vzdeploy/vzdeploy
This does work, however I am left uneasy as it is a non-official approach.
I can't understand why the OpenVZ team would not allow CentOS upgrades, given it's worked fine for years, and that it makes installing it on remote hosts so much easier than using an ISO.
The other major problem for me is the lack of container level disk quotas when using simfs.
Simfs with quotas in OpenVZ 6 was great, along with vzmigrate and our own backup/restore system, things worked great.
However with simfs in OpenVZ 7 there is no quota, so I am now looking at options such as:
* LVM/LVM thin per container
* Ploop
Both approaches work, but present their own new set of challenges, LVM requires additional outside scripts for container creation and migration, and I have seen some pretty worrying comments about ploop's stability and efficiency. This worries me. https://github.com/pavel-odintsov/OpenVZ_ZFS/blob/master/ploop_issues.md
With all of these new requirements I began to look at LXC. LXC 2 is supported until June 2021.
I've managed to create an OpenVZ-like setup in LXC using LVM thin (and LXC's hook scripts), and proxy arp to give a venet like network config without bridging.
I am aware that in CentOS 7 there is no user namespace, so we cannot run unprivileged LXC containers, but as my usage is for internal systems (where root user is trusted) this is acceptable to me.
Also, root is also privileged in OpenVZ containers anyway.
[Updated on: Fri, 10 March 2017 15:44]
Re: OpenVZ 7 - should I upgrade? [message #52768 is a reply to message #52766]
Fri, 10 March 2017 17:44
samiam123
I think ploop is the only way to go in OVZ7 containers. simfs support is there but basically deprecated with no more development. I think they already said it will not be there next major version change. It has been very reliable for me and makes things very easy to administer so I am sad to see that go.
That link talking about ploop problems is from 2015. I would be interested in a more current assessment since ploop has been under very active development the past 2 years.
The problem with unprivileged in CE7 appears to have more to do with systemd and some missing packages. So I think that will be there eventually.
Bottom line is neither LXC nor OVZ7 appear ready yet. It's still not clear which direction everyone is going. OVZ7 basic DNA is more mature so I think it will be ready before LXC v1 is. It will be even longer before LXC v2 and LXD are ready.
[Updated on: Fri, 10 March 2017 17:48]
Re: OpenVZ 7 - should I upgrade? [message #52772 is a reply to message #52771]
Sat, 11 March 2017 14:57
tomp
Although CentOS 7 does have user namespace as a tech preview, and you can get an LXC container running as unprivileged.
It has a problem (as does docker too) that if you try and install an RPM that tries to set a capability on a file (e.g. mtr or httpd) it fails to install the RPM.
This is because right now the kernel doesn't allow set_file_cap from within a user namespace:
https://lkml.org/lkml/2016/11/19/158
It's frustrating as right now the decision is between:
* CentOS 6 & OpenVZ 6 - custom kernel, stable, but, with only 2 years left
* CentOS 7 & OpenVZ 7 - unsupported installation process (vzdeploy), no SIMFS quotas, need to use potentially problematic ploop and custom kernel
* CentOS 7 & LXC - vanilla kernel, long security updates, need to maintain own LXC package (supported until 2021), need to use some sort of LVM for disk quotas
What a pickle!
Re: OpenVZ 7 - should I upgrade? [message #52774 is a reply to message #52772]
Mon, 13 March 2017 19:46
samiam123
I think OVZ7 is the way to go as of today. Not saying it's production ready yet or that LXC won't catch up or that LXD won't get there someday. Just as of today it looks like the way things 'may' be heading. Pretty sure it is much more secure in a hosting environment as of today compared to LXC.
Solus and Virtualizor both have beta OVZ 7 support now. Emphasis on "beta". Maybe even more like alpha.
[Updated on: Mon, 13 March 2017 19:48]