[Bug 1656847] Re: neutron security group rules not applied to nova-lxd containers

Tyler Hicks tyhicks at canonical.com
Tue Feb 7 17:02:23 UTC 2017

Thanks for the debdiff, James!

It looks good to me. I only added one line to the changelog mentioning
that a CVE has not yet been assigned.

The build log comparison between the patched and unpatched nova-lxd
xenial packages looks good. I've uploaded the package to the public
security-proposed PPA:


The binary packages are being published in the PPA as I type. Please do
QA on the nova-lxd packages in the PPA, as they will be copied to
xenial-security, and report the results in this bug.

Since the fix is public, I'm going to make this bug public and request a
CVE on the oss-security list.

** Changed in: nova-lxd (Ubuntu Xenial)
       Status: Triaged => Confirmed

** Information type changed from Private Security to Public Security

You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to nova-lxd in Ubuntu.

  neutron security group rules not applied to nova-lxd containers

Status in nova-lxd:
  In Progress
Status in nova-lxd package in Ubuntu:
  Fix Released
Status in nova-lxd source package in Xenial:
Status in nova-lxd source package in Yakkety:
  Fix Released
Status in nova-lxd source package in Zesty:
  Fix Released

Bug description:
  I noted this when testing the changes for lxd:isolated in Ubuntu
  Xenial; neutron sets up iptables rules against tap devices (as used in
  the libvirt driver); however nova-lxd does not use tap devices - LXD
  plumbs the instance into the neutron bridge using a veth pair.

  I think the net result of this is that security rules are just not
  getting applied in LXD instances.
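
The mismatch the bug description points at (neutron's iptables security-group rules are keyed on the instance's host-side interface name, which the libvirt driver makes a tap device while LXD attaches a veth) can be checked on a host by looking for the instance's interface in the rules neutron actually installed. The script below is an added example, not code from this bug report or from nova-lxd: the iptables-save dump is constructed and modeled on neutron's LinuxBridge firewall driver (physdev matches on the tap name), and the veth interface name passed to it is a hypothetical placeholder, not a name nova-lxd is known to use.

```shell
#!/bin/sh
# Constructed iptables-save excerpt (not captured from a real host). Neutron's
# iptables firewall driver steers traffic into the per-port security-group
# chains with physdev matches on the host-side interface name; here that is
# a libvirt-style tap device named after the port id.
SAMPLE_RULES='*filter
:neutron-linuxbri-FORWARD - [0:0]
:neutron-linuxbri-sg-chain - [0:0]
:neutron-linuxbri-i1a2b3c4d-5 - [0:0]
:neutron-linuxbri-o1a2b3c4d-5 - [0:0]
-A FORWARD -j neutron-linuxbri-FORWARD
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap1a2b3c4d-5 --physdev-is-bridged -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tap1a2b3c4d-5 --physdev-is-bridged -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-sg-chain -m physdev --physdev-out tap1a2b3c4d-5 --physdev-is-bridged -j neutron-linuxbri-i1a2b3c4d-5
-A neutron-linuxbri-sg-chain -m physdev --physdev-in tap1a2b3c4d-5 --physdev-is-bridged -j neutron-linuxbri-o1a2b3c4d-5
-A neutron-linuxbri-i1a2b3c4d-5 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-linuxbri-o1a2b3c4d-5 -m state --state RELATED,ESTABLISHED -j RETURN
COMMIT'

# Count the physdev rules that name a given host-side interface.
#   $1 = interface name, $2 = iptables-save text
# grep -c exits 1 when the count is 0, so keep the "0" and mask that status.
sg_rules_for_iface() {
    printf '%s\n' "$2" | grep -c -E -- "--physdev-(in|out) $1( |\$)" || true
}

# Report whether neutron's security-group plumbing references the interface.
# Returns 0 when at least one rule names it, 1 when nothing does (the case
# an LXD veth ends up in when the rules were written for a tap device).
check_iface_covered() {
    n=$(sg_rules_for_iface "$1" "$2")
    if [ "$n" -gt 0 ]; then
        echo "$1: $n security-group physdev rule(s) found"
        return 0
    fi
    echo "$1: no security-group rules reference this interface"
    return 1
}

# Demonstration on the constructed dump. "vethb1c2d3" is a placeholder for
# the host side of an LXD veth pair, not a real nova-lxd naming convention.
# On a live host, replace SAMPLE_RULES with "$(iptables-save)".
check_iface_covered tap1a2b3c4d-5 "$SAMPLE_RULES"
check_iface_covered vethb1c2d3 "$SAMPLE_RULES" || true
```

The pattern anchors on `--physdev-in`/`--physdev-out` followed by the exact interface name, so a partial name match (for example `tap1a2b3c4d-5` against `tap1a2b3c4d-55`) is not counted; a zero result for an instance that should carry security groups is the symptom this bug describes.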

To manage notifications about this bug go to:

More information about the Ubuntu-openstack-bugs mailing list