packaged by Chainguard
Contact our team to test out this image for free. Please also indicate any other images you would like to evaluate.
Minimal OpenStack Compute (Nova) libvirt sidecar image compatible with the upstream openstack.kolla/nova-libvirt image.
Chainguard Containers are regularly-updated, secure-by-default container images.
For those with access, this container image is available on cgr.dev:
Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.
Minimal, distroless OpenStack Compute (Nova) libvirt sidecar image compatible with the upstream openstack.kolla/nova-libvirt image. It is a drop-in replacement when consumed by kolla-ansible or kayobe.
The image follows the kolla startup contract: /usr/local/bin/kolla_start reads /var/lib/kolla/config_files/config.json, runs kolla_set_configs, then dispatches to the configured command (kolla_nova_libvirt_start, which runs virtlogd and libvirtd --listen).
Each image stream tracks the OpenStack release cycle (e.g. 2026.1 Gazpacho) and corresponds to the openstack-nova-<stream> apk package group, pinning to the matching libvirt and QEMU versions the upstream Kolla image installs at that release.
The image is configured entirely through kolla's config.json mechanism: mount your rendered configuration under /var/lib/kolla/config_files/ and set KOLLA_CONFIG_STRATEGY to COPY_ONCE (copy at first start) or COPY_ALWAYS (copy on every start). On boot, kolla_set_configs copies each entry to its destination with the requested ownership and permissions, then kolla_nova_libvirt_start brings up virtlogd + libvirtd.
In a real deployment you almost always drive this through kolla-ansible, pointing the nova-libvirt image at the Chainguard build:
kolla-ansible's nova-cell role deploys nova-libvirt alongside nova-compute on every compute host: the two containers share the host's /run/libvirt/ and /var/log/kolla/libvirt/ so nova-compute connects to libvirtd via qemu+unix:///system and per-VM console logs land under /var/log/kolla/libvirt/qemu/.
There is no upstream openstack-helm chart for nova-libvirt — kolla-ansible and kayobe deploy libvirt as a host-level container, separate from openstack-helm. Consumers needing Kubernetes-native libvirt should look at projects like KubeVirt instead.
Supply libvirt configuration via the config.json payload described above: a standard libvirtd.conf plus qemu.conf (and optional TLS material under /etc/pki/libvirt/). See the upstream kolla-ansible nova-cell role for canonical examples of the rendered configuration, and the libvirtd configuration reference for the complete set of options.
Chainguard's free tier of Starter container images are built with Wolfi, our minimal Linux undistro.
All other Chainguard Containers are built with Chainguard OS, Chainguard's minimal Linux operating system designed to produce container images that meet the requirements of a more secure software supply chain.
The main features of Chainguard Containers include:
For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a development, or -dev, variant.
In all other cases, including Chainguard Containers tagged as :latest or with a specific version number, the container images include only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager.
Although the -dev container image variants have similar security features as their more minimal versions, they include additional software that is typically not necessary in production environments. We recommend using multi-stage builds to copy artifacts from the -dev variant into a more minimal production image.
To improve security, Chainguard Containers include only essential dependencies. Need more packages? Chainguard customers can use Custom Assembly to add packages, either through the Console, chainctl, or API.
To use Custom Assembly in the Chainguard Console: navigate to the image you'd like to customize in your Organization's list of images, and click on the Customize image button at the top of the page.
Refer to our Chainguard Containers documentation on Chainguard Academy. Chainguard also offers VMs and Libraries — contact us for access.
This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.
Chainguard's container images contain software packages that are direct or transitive dependencies. The following licenses were found in the "latest" tag of this image:
( GPL-2.0-or-later
Apache-2.0
BSD-1-Clause
BSD-2-Clause
BSD-2-Clause-NetBSD
BSD-3-Clause
BSD-4-Clause-UC
For a complete list of licenses, please refer to this Image's SBOM.
Software license agreementChainguard Containers are SLSA Level 3 compliant with detailed metadata and documentation about how it was built. We generate build provenance and a Software Bill of Materials (SBOM) for each release, with complete visibility into the software supply chain.
SLSA compliance at ChainguardThis image helps reduce time and effort in establishing PCI DSS 4.0 compliance with low-to-no CVEs.
PCI DSS at Chainguard