[Bug 1656847] Re: neutron security group rules not applied to nova-lxd containers
Tyler Hicks
tyhicks at canonical.com
Tue Feb 7 17:02:23 UTC 2017
Thanks for the debdiff, James!
It looks good to me. I only added one line to the changelog mentioning
that a CVE has not yet been assigned.
The build log comparison between the patched and unpatched nova-lxd
xenial packages looks good. I've uploaded the package to the public
security-proposed PPA:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa
The binary packages are being published in the PPA as I type. Please do
QA on the nova-lxd packages in the PPA, as they will be copied to
xenial-security, and report the results in this bug.
Since the fix is public, I'm going to make this bug public and request a
CVE on the oss-security list.
** Changed in: nova-lxd (Ubuntu Xenial)
Status: Triaged => Confirmed
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to nova-lxd in Ubuntu.
https://bugs.launchpad.net/bugs/1656847
Title:
neutron security group rules not applied to nova-lxd containers
Status in nova-lxd:
In Progress
Status in nova-lxd package in Ubuntu:
Fix Released
Status in nova-lxd source package in Xenial:
Confirmed
Status in nova-lxd source package in Yakkety:
Fix Released
Status in nova-lxd source package in Zesty:
Fix Released
Bug description:
I noted this when testing the changes for lxd:isolated in Ubuntu
Xenial; neutron sets up iptables rules against tap devices (as used in
the libvirt driver); however nova-lxd does not use tap devices - LXD
plumbs the instance in to the neutron bridge using an veth pair.
I think the net result of this is that security rules are just not
getting applied in LXD instances.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova-lxd/+bug/1656847/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list