Deploying to containers (lxc or lxd) using the Juju OpenStack provider results in units which are connected behind NAT on the lxc/lxd bridge. The units in containers are unreachable from outside that host instance, and are unreachable from other containers in the model.
The reproducer is simply:
    juju deploy ubuntu
    juju add-unit ubuntu --to lxd:0
    juju add-unit ubuntu --to lxd:0
The IP addresses of 0/lxd/N will likely be 10.0.x.x addresses, not within the tenant's network range, and masquerading as the IP address of the hosting instance.
The hosting instance, and any other containers on the hosting instance, can successfully reach 0/lxd/N addresses via TCP/ICMP, but no other hosts can reach the container addresses.
This is essentially identical to the behavior seen in the manual provider, reference: https://bugs.launchpad.net/bugs/1614364.
For clarity, this is not related to the use of nova-lxd or the lxd charm. Advance apologies for the initial lack of accompanying evidence, and/or the potentially duplicate bug. On my next iteration, I'll gather logs, interface info, status outputs and attach here. In the meantime, please see the ultra-simple reproducer.
This needs to be re-confirmed as affecting 1.25.6 and 2.0 current beta/rc, but I do believe it affects both.
Confirmed with user on IRC today that this is affecting them on Juju 2.0-beta18.