[lxc-users] nova-lxd does not support security group?
HIROSE Masaaki
hirose31 at gmail.com
Thu Jun 9 04:55:26 UTC 2016
Hi,
I've changed the security group of an LXD instance on OpenStack, but it has no effect:
- I can still access the LXD instance
- there is no change in `iptables -nL` on the compute node hosting the LXD instance
- there is no log message from the neutron linuxbridge agent
Does nova-lxd not support security groups?
* Environment
Ubuntu 16.04
OpenStack Mitaka
lxd 2.0.2-0ubuntu1~16.04.1
nova-compute-lxd 13.0.0-0ubuntu3
* Reproduce
Create a security group `allow-SSH` which allows only SSH access:
$ nova secgroup-list-rules allow-SSH
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp | 22 | 22 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+
Change the security group of the LXD instance to this `allow-SSH`:
$ nova remove-secgroup lxd1 default
$ nova add-secgroup lxd1 allow-SSH
$ nova list-secgroup lxd1
+--------------------------------------+-----------+-------------+
| Id | Name | Description |
+--------------------------------------+-----------+-------------+
| 665407b4-aac0-4d41-afba-7476a2bedb75 | allow-SSH | |
+--------------------------------------+-----------+-------------+
Then I can still ping the LXD instance.
The `allow-SSH` rule does not exist in `iptables -nL` on the LXD compute node:
# iptables -nL | grep 22
ACCEPT all -- 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 0.0.0.0/0
No log message in /var/log/neutron/neutron-linuxbridge-agent.log.
2016-06-09 13:32:16.141 14315 INFO neutron.agent.securitygroups_rpc [req-5df0f708-166d-4589-9ef0-0b0a475f6046 0980e79abec74a83a4c315bf9cc280be 98efb10842184d05aab967d266610958 - - -] Security group member updated [u'665407b4-aac0-4d41-afba-7476a2bedb75']
On the other hand, /var/log/neutron/neutron-linuxbridge-agent.log on the KVM compute node is as follows:
2016-06-09 13:02:49.205 2392 INFO neutron.agent.securitygroups_rpc [req-4901c8c9-5440-4a88-b07a-1fa11bb3ef7c 0980e79abec74a83a4c315bf9cc280be 98efb10842184d05aab967d266610958 - - -] Security group member updated [u'e0e48207-8657-4c1a-ba5a-f4e8b4432a3b']
2016-06-09 13:02:51.095 2392 INFO neutron.agent.securitygroups_rpc [req-d507249c-6946-46f6-9258-b4b173e7568f - - - - -] Refresh firewall rules
2016-06-09 13:02:51.829 2392 INFO neutron.plugins.ml2.drivers.agent._common_agent [req-d507249c-6946-46f6-9258-b4b173e7568f - - - - -] Port tap7397d348-f5 updated. Details: {u'profile': {}, u'network_qos_policy_id': None, u'qos_policy_id': None, u'allowed_address_pairs': [], u'admin_state_up': True, u'network_id': u'd3cfb761-7be2-4f53-99df-c911e2842a84', u'segmentation_id': 7, u'device_owner': u'compute:nova', u'physical_network': None, u'mac_address': u'fa:16:3e:5e:ba:11', u'device': u'tap7397d348-f5', u'port_security_enabled': True, u'port_id': u'7397d348-f5e9-428b-9800-bb09927a8c34', u'fixed_ips': [{u'subnet_id': u'894fe18b-b67b-4909-a0cd-8f904c87b104', u'ip_address': u'192.168.201.53'}], u'network_type': u'vxlan', u'security_groups': []}
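As an added example (not from the original post, and not nova-lxd or neutron code), here is a check that goes past `iptables -nL | grep 22`: it parses `iptables-save` output and reports whether the linuxbridge firewall driver has programmed any physdev rule or per-port chain for the instance's tap device at all, which is the question the post is really asking. The constructed sample below mimics what the linuxbridge iptables firewall emits for the KVM port `tap7397d348-f5` seen in the log (chains `neutron-linuxbri-i<port-id prefix>` / `-o...`, physdev matches on the tap); the exact chain names, the rule shapes and the absent device name `tapdeadbeef-00` are assumptions for illustration.

```python
"""Report which tap devices the neutron linuxbridge iptables firewall has
programmed, by parsing iptables-save output. Added example; the sample
ruleset is constructed, not captured from the poster's nodes."""
import re
import sys

# Constructed iptables-save excerpt modelled on a linuxbridge compute node
# with one firewalled port (tap7397d348-f5). Chain names and rule layout are
# assumptions about the driver's output, not copied from a real node.
SAMPLE_IPTABLES_SAVE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:neutron-linuxbri-FORWARD - [0:0]
:neutron-linuxbri-sg-chain - [0:0]
:neutron-linuxbri-sg-fallback - [0:0]
:neutron-linuxbri-i7397d348-f - [0:0]
:neutron-linuxbri-o7397d348-f - [0:0]
-A FORWARD -j neutron-linuxbri-FORWARD
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap7397d348-f5 --physdev-is-bridged -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tap7397d348-f5 --physdev-is-bridged -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-sg-chain -m physdev --physdev-out tap7397d348-f5 --physdev-is-bridged -j neutron-linuxbri-i7397d348-f
-A neutron-linuxbri-sg-chain -m physdev --physdev-in tap7397d348-f5 --physdev-is-bridged -j neutron-linuxbri-o7397d348-f
-A neutron-linuxbri-sg-chain -j ACCEPT
-A neutron-linuxbri-i7397d348-f -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-linuxbri-i7397d348-f -p tcp -m tcp --dport 22 -j RETURN
-A neutron-linuxbri-i7397d348-f -j neutron-linuxbri-sg-fallback
-A neutron-linuxbri-o7397d348-f -j RETURN
-A neutron-linuxbri-sg-fallback -j DROP
COMMIT
"""

PHYSDEV_RE = re.compile(r'--physdev-(?:in|out) (\S+)')
TARGET_RE = re.compile(r' -j (\S+)')


def parse_iptables_save(text):
    """Return {table: {chain: [rule, ...]}} from iptables-save text."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or line == 'COMMIT':
            continue
        if line.startswith('*'):                 # table header, e.g. *filter
            table = line[1:]
            tables.setdefault(table, {})
        elif line.startswith(':'):               # chain declaration
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith('-A '):             # rule appended to a chain
            tables[table].setdefault(line.split()[1], []).append(line)
    return tables


def programmed_taps(text):
    """Every tap device that any filter-table rule matches via physdev."""
    filt = parse_iptables_save(text).get('filter', {})
    return sorted({dev for rules in filt.values() for r in rules
                   for dev in PHYSDEV_RE.findall(r)})


def port_firewall(text, tap):
    """Physdev rules for `tap`, the chains they jump to, and whether any of
    those chains lets TCP/22 through (RETURN or ACCEPT on --dport 22)."""
    filt = parse_iptables_save(text).get('filter', {})
    physdev_rules = [r for rules in filt.values() for r in rules
                     if tap in PHYSDEV_RE.findall(r)]
    chains = set()
    for r in physdev_rules:
        m = TARGET_RE.search(r)
        if m and m.group(1) in filt:             # only user-defined chains
            chains.add(m.group(1))
    chain_rules = {c: filt[c] for c in sorted(chains)}
    allows_22 = any(re.search(r'--dport 22\b', r)
                    and re.search(r' -j (?:RETURN|ACCEPT)$', r)
                    for rules in chain_rules.values() for r in rules)
    return {'tap': tap, 'programmed': bool(physdev_rules),
            'physdev_rules': physdev_rules, 'chains': sorted(chains),
            'chain_rules': chain_rules, 'allows_tcp_22': allows_22}


if __name__ == '__main__':
    # On a compute node:  iptables-save | python3 check_sg.py tapXXXXXXXX-XX
    # Without stdin it falls back to the constructed sample above.
    tap = sys.argv[1] if len(sys.argv) > 1 else 'tap7397d348-f5'
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPTABLES_SAVE
    print('taps with firewall rules:', programmed_taps(text))
    info = port_firewall(text, tap)
    print(f"{tap}: programmed={info['programmed']} "
          f"chains={info['chains']} allows_tcp_22={info['allows_tcp_22']}")
    for chain, rules in info['chain_rules'].items():
        for r in rules:
            print('  ', r)
```

Run it against the LXD compute node's `iptables-save` with the LXD instance's tap name (take `u'device'` from the port-update log line, as for the KVM port above). If the tap is not in `programmed_taps` at all, the linuxbridge agent never wired the port into its security-group chains on that node, which is a different failure from a rule merely being wrong, and grepping for `22` would not distinguish the two.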