OpenVZ Forum - RDF feed
https://new-forum.openvz.org/index.php
OpenVZ 7 - should I upgrade?
https://new-forum.openvz.org/index.phpindex.php?t=rview&goto=52595&th=13189#msg_52595
What is the migration path?
Is it worth it to migrate?
Any downside to upgrading?
Just like to get an overview of version 7.
]]>mperkel2016-10-24T15:44:00-00:00Re: OpenVZ 7 - should I upgrade?
https://new-forum.openvz.org/index.phpindex.php?t=rview&goto=52596&th=13189#msg_52596
Rather than doing it blindly, you are strongly recommended to check out the documentation for 7 here:
In particular, read the Readme to see what's new and known issues and restrictions. Some current significant restrictions include:
- Private networks are not supported.
- Basic firewall is not supported.
For some, those will be a deal breaker until the limitations are overcome.]]>dowdle2016-10-24T16:09:30-00:00Re: OpenVZ 7 - should I upgrade?
https://new-forum.openvz.org/index.phpindex.php?t=rview&goto=52712&th=13189#msg_52712
What are private networks in this context?
- Private networks are not supported.
- Basic firewall is not supported.]]>williamt2017-01-11T20:01:30-00:00Re: OpenVZ 7 - should I upgrade?
https://new-forum.openvz.org/index.phpindex.php?t=rview&goto=52728&th=13189#msg_52728
As I read in the documentation, it's only possible to add bridged interfaces to a VE. This is additionally to the host-routed network which is used by a VE by default. Is this the mentioned restriction?]]>A(r|d)min2017-02-06T15:59:17-00:00Re: OpenVZ 7 - should I upgrade?
https://new-forum.openvz.org/index.phpindex.php?t=rview&goto=52755&th=13189#msg_52755
I think OpenVZ made a mistake to use their own operating system with VZ7. LXC can use CentOS or Debian or Ubuntu etc. So that is most likely going to make that a more widely adopted platform. However, I think both are unstable right now so there is still no clear winner. It looks like LXC is more of an open source project and will have more tools like for backup. OpenVZ is still mostly just Parallels corporation and is trying to encourage commercial adoption by limiting the tools that OpenVZ gets.
Parallels have very good kernel engineers. So I can't count them out. I will need to make a decision soon because OVZ 6 is approaching end of life.]]>samiam1232017-03-02T18:49:43-00:00Re: OpenVZ 7 - should I upgrade?
https://new-forum.openvz.org/index.phpindex.php?t=rview&goto=52757&th=13189#msg_52757
A(r|d)min wrote on Mon, 06 February 2017 18:59
Also I would be interested (like williamt) in details of the private network restriction. Can someone explain or provide a link to the related documentation?
As I read in the documentation, it's only possible to add bridged interfaces to a VE. This is additionally to the host-routed network which is used by a VE by default. Is this the mentioned restriction?
No, this is not about iptables or bridged/host-routed networking, please see the feature description in Virtuozzo version 6:
Hope that helps.]]>khorenko2017-03-02T19:58:28-00:00Re: OpenVZ 7 - should I upgrade?
https://new-forum.openvz.org/index.phpindex.php?t=rview&goto=52762&th=13189#msg_52762
ehab2017-03-08T16:41:37-00:00Re: OpenVZ 7 - should I upgrade?
https://new-forum.openvz.org/index.phpindex.php?t=rview&goto=52765&th=13189#msg_52765
I think OpenVZ7 is currently much more secure. However, I don't think it is stable enough for production yet.]]>samiam1232017-03-08T17:20:25-00:00Re: OpenVZ 7 - should I upgrade?
https://new-forum.openvz.org/index.phpindex.php?t=rview&goto=52766&th=13189#msg_52766
Very happy with OpenVZ 6.
But with only 2 years left on security support from CentOS, I need to start planning the replacement.
I have experimented with CentOS 7 and OpenVZ 7 using the unofficial upgrade script vzdeploy
This does work, however I am left uneasy as it is an non-official approach.
I can't understand why OpenVZ team would not allow CentOS upgrades, given its worked fine for years, and that it makes installing it on remote hosts so much easier than using an ISO.
The other major problem for me is the lack of container level disk quotas when using simfs.
Simfs with quotas in OpenVZ 6 was great, along with vzmigrate and our own backup/restore system, things worked great.
However with simfs in OpenVZ 7 there is no quota, so I am now looking at options such as:
* LVM/LVM thin per container
* Ploop
Both approaches work, but present their own new set of challenges, LVM requires additional outside scripts for container creation and migration, and I have seen some pretty worrying comments about ploop's stability and efficiency. This worries me. https://github.com/pavel-odintsov/OpenVZ_ZFS/blob/master/plo op_issues.md
With all of these new requirements I began to look at LXC. LXC 2 is supported until June 2021.
I've managed to create an OpenVZ-like setup in LXC using LVM thin (and LXC's hook scripts), and proxy arp to give a venet like network config without bridging.
I am aware that in CentOS 7 there is not user namespace, so we cannot run unprivileged LXC containers, but as my usage is for internal systems (where root user is trusted) this is acceptable to me.
Also, root is also privileged in OpenVZ containers anyway.
Although it does need shadow-utils >= 4.2.1 whereas CentOS 7 has 4.1.5.1
This is needed to get a dedicated UID/GID range for a container.]]>tomp2017-03-10T15:59:20-00:00Re: OpenVZ 7 - should I upgrade?
https://new-forum.openvz.org/index.phpindex.php?t=rview&goto=52768&th=13189#msg_52768
That link talking about ploop problems is from 2015. I would be interested in a more current assessment since ploop has been under very active development the past 2 years.
The problem with unprivileged in CE7 appears to have more to do with systemd and some missing packages. So I think that will be there eventually.
Bottom line is neither LXC or OVZ7 appear ready yet. It's still not clear which direction everyone is going. OVZ7 basic DNA is more mature so I think it will be ready before LXC v1 is. It will be even longer before LXC v2 and LXD are ready. ]]>samiam1232017-03-10T17:44:30-00:00Re: OpenVZ 7 - should I upgrade?
https://new-forum.openvz.org/index.phpindex.php?t=rview&goto=52769&th=13189#msg_52769
dowdle2017-03-10T18:25:19-00:00Re: OpenVZ 7 - should I upgrade?
https://new-forum.openvz.org/index.phpindex.php?t=rview&goto=52770&th=13189#msg_52770
Does not stop you from running LXC as far as I know. A lot of what makes up LXC is built into the kernel.]]>samiam1232017-03-10T18:50:23-00:00Re: OpenVZ 7 - should I upgrade?
https://new-forum.openvz.org/index.phpindex.php?t=rview&goto=52771&th=13189#msg_52771
dowdle2017-03-10T20:36:57-00:00Re: OpenVZ 7 - should I upgrade?
https://new-forum.openvz.org/index.phpindex.php?t=rview&goto=52772&th=13189#msg_52772
It has a problem (as does docker too) that if you try and install an RPM that tries to set a capability on a file (e.g. mtr or httpd) it fails to install the RPM.
This is because right now the kernel doesn't allow set_file_cap from within a user namespace:
Its frustrating as right now the decision is between:
* CentOS 6 & OpenVZ 6 - custom kernel, stable, but, with only 2 years left
* CentOS 7 & OpenVZ 7 - unsupported installation process (vzdeploy), no SIMFS quotas, need to use potentially problematic ploop and custom kernel
* CentOS 7 & LXC - vanilla kernel, long security updates, need to maintain own LXC package (supported until 2021), need to use some sort of LVM for disk quotas
What a pickle! ]]>tomp2017-03-11T14:57:29-00:00Re: OpenVZ 7 - should I upgrade?
https://new-forum.openvz.org/index.phpindex.php?t=rview&goto=52774&th=13189#msg_52774
Solus and Virtualizor both have beta OVZ 7 support now. Emphasis on "beta". Maybe even more like alpha.