[Bug 1656847] Re: neutron security group rules not applied to nova-lxd containers
Launchpad Bug Tracker
1656847 at bugs.launchpad.net
Fri Feb 10 00:54:29 UTC 2017
This bug was fixed in the package nova-lxd - 13.2.0-0ubuntu1.16.04.1
nova-lxd (13.2.0-0ubuntu1.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: ensure correct application of security group rules.
    - d/p/host-device-naming.patch: Cherry pick fix to ensure that the
      host part of the veth pair used to wire LXD containers into neutron
      has the correct naming, resolving issues with application of
      neutron security group rules in container deployments (LP: #1656847).
    - CVE not yet assigned

 -- James Page <james.page at ubuntu.com>  Tue, 07 Feb 2017 17:06:46 +0100

** Changed in: nova-lxd (Ubuntu Xenial)
Status: Confirmed => Fix Released
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to nova-lxd in Ubuntu.
neutron security group rules not applied to nova-lxd containers
Status in nova-lxd:
Status in nova-lxd package in Ubuntu:
Status in nova-lxd source package in Xenial:
Status in nova-lxd source package in Yakkety:
Status in nova-lxd source package in Zesty:
I noted this when testing the changes for lxd:isolated in Ubuntu
Xenial; neutron sets up iptables rules against tap devices (as used in
the libvirt driver); however nova-lxd does not use tap devices - LXD
plumbs the instance into the neutron bridge using a veth pair.
I think the net result of this is that security rules are just not
getting applied in LXD instances.
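
A check for the failure mode described in this report, as an added example that is not part of the original bug report or of the nova-lxd or neutron code: it compares the host-side devices attached to a neutron bridge with the devices named in iptables-save output and reports any instance port that is not covered in both directions. The device names, the rule text and the infra_ports parameter are constructed for illustration, and it assumes the rules select devices with the iptables physdev match (--physdev-in / --physdev-out).

```python
import re

# Captures the direction and device of an iptables physdev match.
# "--physdev-is-bridged" does not match because "is" is neither "in" nor "out".
PHYSDEV_RE = re.compile(r"--physdev-(in|out)\s+(\S+)")

# Constructed iptables-save excerpt: only one tap device is referenced.
SAMPLE_RULES = """\
*filter
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap1a2b3c4d-5e --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap1a2b3c4d-5e --physdev-is-bridged -j neutron-openvswi-sg-chain
COMMIT
"""

# Constructed list of host-side interfaces attached to the bridge:
# one tap device, one veth host end with a non-matching name, one uplink.
SAMPLE_PORTS = ["tap1a2b3c4d-5e", "vethX9Y8Z7", "eth1"]


def rule_directions(rules_text):
    """Map each device named in an appended rule to the directions it is matched on."""
    seen = {}
    for line in rules_text.splitlines():
        if not line.startswith("-A "):
            continue  # skip table headers, chain policies, COMMIT
        for direction, device in PHYSDEV_RE.findall(line):
            seen.setdefault(device, set()).add(direction)
    return seen


def unfiltered_ports(ports, rules_text, infra_ports=()):
    """Return {port: [missing directions]} for ports no rule fully covers.

    infra_ports (hypothetical parameter) lists uplinks and other devices
    that are not instance ports and are not expected to be filtered.
    """
    seen = rule_directions(rules_text)
    gaps = {}
    for port in ports:
        if port in infra_ports:
            continue
        missing = sorted({"in", "out"} - seen.get(port, set()))
        if missing:
            gaps[port] = missing
    return gaps


if __name__ == "__main__":
    for port, missing in unfiltered_ports(SAMPLE_PORTS, SAMPLE_RULES, ("eth1",)).items():
        print(f"{port}: no rule for direction(s) {', '.join(missing)}")
```

On a real host the port list can be read from /sys/class/net/<bridge>/brif and the rules from iptables-save.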