[Bug 1656847] Re: neutron security group rules not applied to nova-lxd containers
james.page at ubuntu.com
Thu Feb 9 09:50:57 UTC 2017
I've tested the package in the security proposed PPA; it resolves the
issue, host veth naming is aligned to neutron's expectation and security
group rules are correctly applied.
Note that the code changes don't update the host veth name for existing
instances; it's possible to do this manually directly on compute hosts
(using lxd profile edit <instancename>) but it is a disruptive operation
as the instance will lose connectivity.
neutron security group rules not applied to nova-lxd containers
Status in nova-lxd:
Status in nova-lxd package in Ubuntu:
Status in nova-lxd source package in Xenial:
Status in nova-lxd source package in Yakkety:
Status in nova-lxd source package in Zesty:
I noted this when testing the changes for lxd:isolated in Ubuntu
Xenial; neutron sets up iptables rules against tap devices (as used in
the libvirt driver); however nova-lxd does not use tap devices - LXD
plumbs the instance into the neutron bridge using a veth pair.
I think the net result of this is that security rules are just not
getting applied in LXD instances.