OpenVZ Forum


Home » General » Support » OpenVZ 7 - should I upgrade?
OpenVZ 7 - should I upgrade? [message #52595] Mon, 24 October 2016 15:44 Go to next message
mperkel is currently offline  mperkel
Messages: 252
Registered: December 2006
Senior Member
From: *dhcp.snlo.ca.charter.com
Been using OpenVZ for many years and love it. Just works. So - should I upgrade to OpenVZ 7? Only running Linux and wondering ..

What is the migration path?
Is it worth it to migrate?
Any downside to upgrading?

Just like to get an overview of version 7.


Re: OpenVZ 7 - should I upgrade? [message #52596 is a reply to message #52595] Mon, 24 October 2016 16:09 Go to previous messageGo to next message
dowdle is currently offline  dowdle
Messages: 261
Registered: December 2005
Location: Bozeman, Montana
Senior Member
From: *msu.montana.edu
Your upgrade path would be to create a new OpenVZ 7 host and migrate any existing containers to it.

Rather than doing it blindly, you are strongly recommended to check out the documentation for 7 here:

https://docs.openvz.org/

In particular, read the Readme to see what's new and known issues and restrictions. Some current significant restrictions include:

- Private networks are not supported.
- Basic firewall is not supported.

For some, those will be a deal breaker until the limitations are overcome.


--
TYL, Scott Dowdle
Belgrade, Montana, USA
Re: OpenVZ 7 - should I upgrade? [message #52712 is a reply to message #52596] Wed, 11 January 2017 20:01 Go to previous messageGo to next message
williamt is currently offline  williamt
Messages: 5
Registered: April 2011
Junior Member
From: *noc.sonic.net
What exactly does this mean? iptables isn't supported?
What are private networks in this context?

- Private networks are not supported.
- Basic firewall is not supported.
Re: OpenVZ 7 - should I upgrade? [message #52728 is a reply to message #52596] Mon, 06 February 2017 15:59 Go to previous messageGo to next message
A(r|d)min is currently offline  A(r|d)min
Messages: 4
Registered: February 2017
Junior Member
From: 89.106.185*
Also I would be interested (like williamt) in details of the private network restriction. Can someone explain or provide a link to the related documentation?

As I read in the documentation, it's only possible to add bridged interfaces to a VE. This is additionally to the host-routed network which is used by a VE by default. Is this the mentioned restriction?
Re: OpenVZ 7 - should I upgrade? [message #52755 is a reply to message #52595] Thu, 02 March 2017 18:49 Go to previous messageGo to next message
samiam123 is currently offline  samiam123
Messages: 5
Registered: March 2017
Junior Member
From: *bchsia.telus.net
I am at a crossroads with this as well. It is not clear to me yet whether I should upgrade to OpenVZ v7 or LXC + KVM.

I think OpenVZ made a mistake to use their own operating system with VZ7. LXC can use CentOS or Debian or Ubuntu etc. So that is most likely going to make that a more widely adopted platform. However, I think both are unstable right now so there is still no clear winner. It looks like LXC is more of an open source project and will have more tools like for backup. OpenVZ is still mostly just Parallels corporation and is trying to encourage commercial adoption by limiting the tools that OpenVZ gets.

Parallels have very good kernel engineers. So I can't count them out. I will need to make a decision soon because OVZ 6 is approaching end of life.
Re: OpenVZ 7 - should I upgrade? [message #52757 is a reply to message #52728] Thu, 02 March 2017 19:58 Go to previous messageGo to next message
khorenko is currently offline  khorenko
Messages: 464
Registered: January 2006
Location: Moscow, Russia
Senior Member
From: *qwerty.ru
A(r|d)min wrote on Mon, 06 February 2017 18:59
Also I would be interested (like williamt) in details of the private network restriction. Can someone explain or provide a link to the related documentation?

As I read in the documentation, it's only possible to add bridged interfaces to a VE. This is additionally to the host-routed network which is used by a VE by default. Is this the mentioned restriction?


No, this is not about iptables or bridged/host-routed networking, please see the feature description in Virtuozzo version 6:

http://updates.virtuozzo.com/doc/pcs/en_us/virtuozzo/6/curre nt/html/Virtuozzo_Users_Guide/33573.htm

Hope that helps.


If you problem is solved - please, report it!
It's even more important than reporting the problem itself...
Re: OpenVZ 7 - should I upgrade? [message #52762 is a reply to message #52755] Wed, 08 March 2017 16:41 Go to previous messageGo to next message
ehab is currently offline  ehab
Messages: 15
Registered: February 2007
Junior Member
From: *32.119.142.tedata.net
Personally i am planning to migrate to lxc, it is in main line kernel

Re: OpenVZ 7 - should I upgrade? [message #52765 is a reply to message #52762] Wed, 08 March 2017 17:20 Go to previous messageGo to next message
samiam123 is currently offline  samiam123
Messages: 5
Registered: March 2017
Junior Member
From: *bchsia.telus.net
I am looking at it. The problem is that it is not secure at the moment. Not even close. That is why nobody is using it for hosting. It's only good enough for internal use where security is not a concern.

I think OpenVZ7 is currently much more secure. However, I don't think it is stable enough for production yet.

[Updated on: Wed, 08 March 2017 17:21]

Report message to a moderator

Re: OpenVZ 7 - should I upgrade? [message #52766 is a reply to message #52595] Fri, 10 March 2017 15:40 Go to previous messageGo to next message
tomp is currently offline  tomp
Messages: 64
Registered: August 2007
Member
From: 93.89.138*
I am facing the same decision. Have been using OpenVZ since CentOS 5, and am now running CentOS 6 for many years.

Very happy with OpenVZ 6.

But with only 2 years left on security support from CentOS, I need to start planning the replacement.

I have experimented with CentOS 7 and OpenVZ 7 using the unofficial upgrade script vzdeploy

https://marc.ttias.be/openvz-users/2016-08/msg00027.php
http://repo.virtuozzo.com/vzlinux/vzdeploy/vzdeploy

This does work, however I am left uneasy as it is an non-official approach.

I can't understand why OpenVZ team would not allow CentOS upgrades, given its worked fine for years, and that it makes installing it on remote hosts so much easier than using an ISO.

The other major problem for me is the lack of container level disk quotas when using simfs.

Simfs with quotas in OpenVZ 6 was great, along with vzmigrate and our own backup/restore system, things worked great.

However with simfs in OpenVZ 7 there is no quota, so I am now looking at options such as:

* LVM/LVM thin per container
* Ploop

Both approaches work, but present their own new set of challenges, LVM requires additional outside scripts for container creation and migration, and I have seen some pretty worrying comments about ploop's stability and efficiency. This worries me. https://github.com/pavel-odintsov/OpenVZ_ZFS/blob/master/plo op_issues.md

With all of these new requirements I began to look at LXC. LXC 2 is supported until June 2021.

I've managed to create an OpenVZ-like setup in LXC using LVM thin (and LXC's hook scripts), and proxy arp to give a venet like network config without bridging.

I am aware that in CentOS 7 there is not user namespace, so we cannot run unprivileged LXC containers, but as my usage is for internal systems (where root user is trusted) this is acceptable to me.

Also, root is also privileged in OpenVZ containers anyway.

[Updated on: Fri, 10 March 2017 15:44]

Report message to a moderator

Re: OpenVZ 7 - should I upgrade? [message #52767 is a reply to message #52766] Fri, 10 March 2017 15:59 Go to previous messageGo to next message
tomp is currently offline  tomp
Messages: 64
Registered: August 2007
Member
From: 93.89.138*
Actually there is beta support for user namespace in CentOS 7

https://github.com/procszoo/procszoo/wiki/How-to-enable-%22u ser%22-namespace-in-RHEL7-and-CentOS7%3F

Although it does need shadow-utils >= 4.2.1 whereas CentOS 7 has 4.1.5.1

This is needed to get a dedicated UID/GID range for a container.
Re: OpenVZ 7 - should I upgrade? [message #52768 is a reply to message #52766] Fri, 10 March 2017 17:44 Go to previous messageGo to next message
samiam123 is currently offline  samiam123
Messages: 5
Registered: March 2017
Junior Member
From: *bchsia.telus.net
I think ploop is the only way to go in OVZ7 containers. simfs support is there but basically deprecated with no more development. I think they already said it will not be there next major version change. It has been very reliable for me and makes things very easy to administer so I am sad to see that go.

That link talking about ploop problems is from 2015. I would be interested in a more current assessment since ploop has been under very active development the past 2 years.

The problem with unprivileged in CE7 appears to have more to do with systemd and some missing packages. So I think that will be there eventually.

Bottom line is neither LXC or OVZ7 appear ready yet. It's still not clear which direction everyone is going. OVZ7 basic DNA is more mature so I think it will be ready before LXC v1 is. It will be even longer before LXC v2 and LXD are ready.

[Updated on: Fri, 10 March 2017 17:48]

Report message to a moderator

Re: OpenVZ 7 - should I upgrade? [message #52769 is a reply to message #52768] Fri, 10 March 2017 18:25 Go to previous messageGo to next message
dowdle is currently offline  dowdle
Messages: 261
Registered: December 2005
Location: Bozeman, Montana
Senior Member
From: *msu.montana.edu
Regarding LXC, I'm in the #centos channel on the Freenode IRC network during regular MST business hours... and I have seen it mentioned in the channel several times that Red Hat and CentOS do not support LXC and consider it deprecated. If you want to support it yourself, that's fine.

--
TYL, Scott Dowdle
Belgrade, Montana, USA
Re: OpenVZ 7 - should I upgrade? [message #52770 is a reply to message #52769] Fri, 10 March 2017 18:50 Go to previous messageGo to next message
samiam123 is currently offline  samiam123
Messages: 5
Registered: March 2017
Junior Member
From: *bchsia.telus.net
Perhaps you are thinking of libvirt-lxc.

Does not stop you from running LXC as far as I know. A lot of what makes up LXC is built into the kernel.

[Updated on: Fri, 10 March 2017 18:52]

Report message to a moderator

Re: OpenVZ 7 - should I upgrade? [message #52771 is a reply to message #52770] Fri, 10 March 2017 20:36 Go to previous messageGo to next message
dowdle is currently offline  dowdle
Messages: 261
Registered: December 2005
Location: Bozeman, Montana
Senior Member
From: *msu.montana.edu
Again, I didn't say you couldn't run LXC (lxc is more userland)... just that Red Hat (and CentOS) don't care about it and don't want to help with it / support it, and refer to it (so far as they are concerned) as "deprecated".

--
TYL, Scott Dowdle
Belgrade, Montana, USA
Re: OpenVZ 7 - should I upgrade? [message #52772 is a reply to message #52771] Sat, 11 March 2017 14:57 Go to previous messageGo to next message
tomp is currently offline  tomp
Messages: 64
Registered: August 2007
Member
From: *idnet.net
Although CentOS 7 does have usernamespace as a tech preview, and you can get an LXC container running as unprivileged.

It has a problem (as does docker too) that if you try and install an RPM that tries to set a capability on a file (e.g. mtr or httpd) it fails to install the RPM.

This is because right now the kernel doesn't allow set_file_cap from within a user namespace:

https://lkml.org/lkml/2016/11/19/158

Its frustrating as right now the decision is between:

* CentOS 6 & OpenVZ 6 - custom kernel, stable, but, with only 2 years left
* CentOS 7 & OpenVZ 7 - unsupported installation process (vzdeploy), no SIMFS quotas, need to use potentially problematic ploop and custom kernel
* CentOS 7 & LXC - vanilla kernel, long security updates, need to maintain own LXC package (supported until 2021), need to use some sort of LVM for disk quotas


What a pickle! Rolling Eyes
Re: OpenVZ 7 - should I upgrade? [message #52774 is a reply to message #52772] Mon, 13 March 2017 19:46 Go to previous message
samiam123 is currently offline  samiam123
Messages: 5
Registered: March 2017
Junior Member
From: *bchsia.telus.net
I think OVZ7 is the way to go as of today. Not saying it's production ready yet or that LXC won't catch up or that LXD won't get there someday. Just as of today it looks like the way things 'may' be heading. Pretty sure it is much more secure in a hosting environment as of today compared to LXC.

Solus and Virtualizor both have beta OVZ 7 support now. Emphasis on "beta". Maybe even more like alpha.

[Updated on: Mon, 13 March 2017 19:48]

Report message to a moderator

Previous Topic: Kernel of Openvz7 support DRBD
Next Topic: openvz-diff-backups: a file-based incremental backup tool (Beta Testers Welcome!)
Goto Forum:
  


Current Time: Fri Mar 24 17:47:20 GMT 2017