lxd fails to run on linux-kvm

Bug #1723527 reported by Steve Langasek
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
linux-kvm (Ubuntu) | Fix Released | Critical | Kamal Mostafa |
Xenial | Fix Released | Undecided | Unassigned |

Bug Description

It appears lxd fails to start on a system running the linux-kvm kernel, due to a netlink issue:

Oct 13 20:40:53 builder lxd-bridge.start[448]: RTNETLINK answers: Operation not supported
Oct 13 20:40:53 builder lxd-bridge.start[448]: Failed to setup lxd-bridge.
Oct 13 20:40:53 builder systemd[1]: lxd-bridge.service: Main process exited, code=exited, status=2/INVALIDARGUMENT

I don't know what specific operation lxd is looking for with its bridge. strace shows:

[pid 531] open("/usr/lib/ip/link_bridge.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid 531] sendmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"<\0\0\0\20\0\5\6g%\341Y\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 60}], msg_controllen=0, msg_flags=0}, 0) = 60
[pid 531] recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"P\0\0\0\2\0\0\0g%\341Y\23\2\0\0\241\377\377\377<\0\0\0\20\0\5\6g%\341Y"..., 32768}], msg_controllen=0, msg_flags=0}, 0) = 80
[pid 531] write(2, "RTNETLINK answers: Operation not"..., 43RTNETLINK answers: Operation not supported
) = 43

lxd is important to support on linux-kvm.

Steve Langasek (vorlon)
Changed in linux-kvm (Ubuntu):
importance: Undecided → Critical
Changed in linux-kvm (Ubuntu):
assignee: nobody → Kamal Mostafa (kamalmostafa)
status: New → In Progress
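
The two netlink buffers in the strace output of the bug description can be decoded to see which request the kernel refused. This is an added example, not part of the original report; it assumes a little-endian host and takes its constants from <linux/netlink.h> and <linux/rtnetlink.h>.

```python
import re
import struct

# Buffers copied verbatim from the sendmsg/recvmsg lines of the strace output
# (strace prints only the first 32 bytes of each buffer by default).
REQUEST = r"<\0\0\0\20\0\5\6g%\341Y\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
REPLY = r"P\0\0\0\2\0\0\0g%\341Y\23\2\0\0\241\377\377\377<\0\0\0\20\0\5\6g%\341Y"

# Constants from <linux/netlink.h> and <linux/rtnetlink.h>.
NLMSG_ERROR = 2
MSG_TYPES = {2: "NLMSG_ERROR", 16: "RTM_NEWLINK", 17: "RTM_DELLINK", 18: "RTM_GETLINK"}
# Flag names as they apply to "new object" requests such as RTM_NEWLINK.
NEW_FLAGS = {0x001: "NLM_F_REQUEST", 0x004: "NLM_F_ACK", 0x100: "NLM_F_REPLACE",
             0x200: "NLM_F_EXCL", 0x400: "NLM_F_CREATE"}
C_ESCAPES = {"n": 10, "t": 9, "r": 13, "v": 11, "f": 12, "\\": 92, '"': 34}
TOKEN = re.compile(r"\\([0-7]{1,3})|\\(.)|(.)", re.S)


def strace_unescape(text):
    """Convert a strace-quoted string (octal and C escapes) to raw bytes."""
    out = bytearray()
    for octal, esc, plain in TOKEN.findall(text):
        if octal:
            out.append(int(octal, 8))
        elif esc:
            out.append(C_ESCAPES[esc])
        else:
            out.append(ord(plain))
    return bytes(out)


def decode_exchange(request, reply):
    """Decode the nlmsghdr of a request and the nlmsgerr carried in its reply."""
    req, rep = strace_unescape(request), strace_unescape(reply)
    # struct nlmsghdr: u32 len, u16 type, u16 flags, u32 seq, u32 pid (little-endian assumed)
    _, r_type, r_flags, r_seq, _ = struct.unpack_from("<IHHII", req)
    _, p_type, _, p_seq, p_pid = struct.unpack_from("<IHHII", rep)
    result = {
        "request_type": MSG_TYPES.get(r_type, r_type),
        "request_flags": [name for bit, name in NEW_FLAGS.items() if r_flags & bit],
        "reply_type": MSG_TYPES.get(p_type, p_type),
        "reply_port_id": p_pid,
        "reply_matches_request": p_seq == r_seq,
    }
    if p_type == NLMSG_ERROR:
        # struct nlmsgerr begins with a signed int: 0 for an ACK, else -errno.
        (error,) = struct.unpack_from("<i", rep, 16)
        result["errno"] = -error  # Linux errno number
    return result
```

For the buffers in the report, `decode_exchange(REQUEST, REPLY)` shows an RTM_NEWLINK request with NLM_F_CREATE and NLM_F_EXCL answered by NLMSG_ERROR with errno 95 (EOPNOTSUPP on Linux), addressed to port id 531, the pid shown by strace. The kernel refused to create a new link, which is consistent with the later comments about CONFIG_BRIDGE.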
Kamal Mostafa (kamalmostafa) wrote :

@Steve, please try this test kernel, which has CONFIG_BRIDGE enabled:
http://kernel.ubuntu.com/~kamal/lp1723527/

Steve Langasek (vorlon) wrote : Re: [Bug 1723527] Re: lxd fails to run on linux-kvm

On Fri, Oct 13, 2017 at 10:48:08PM -0000, Kamal Mostafa wrote:
> @Steve, please try this test kernel, which has CONFIG_BRIDGE enabled:
> http://kernel.ubuntu.com/~kamal/lp1723527/

This seems to get farther, then fails with iptables issues.

# /usr/lib/lxd/lxd-bridge.start
Bad argument `'
Try `iptables -h' or 'iptables --help' for more information.
Failed to setup lxd-bridge.
modprobe: FATAL: Module ip_tables not found in directory /lib/modules/4.4.0-1009-kvm
iptables v1.6.0: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
[...]

It appears we have no netfilter configuration in linux-kvm.

Kamal Mostafa (kamalmostafa) wrote :

@Steve, a new test kernel here, with lots of netfilter and iptables goodness:

http://kernel.ubuntu.com/~kamal/lp1723527.1/

Steve Langasek (vorlon) wrote :

On Mon, Oct 16, 2017 at 06:53:32PM -0000, Kamal Mostafa wrote:
> @Steve, a new test kernel here, with lots of netfilter and iptables
> goodness:

> http://kernel.ubuntu.com/~kamal/lp1723527.1/

Thanks, with this kernel, the lxd bridge unit starts correctly in response
to 'lxc list'.

systemctl still shows the system as degraded, because
/lib/modules-load.d/open-iscsi.conf lists some modules for loading that are
unavailable. It may be that we should resolve that by dropping open-iscsi
from the minimized image, rather than by adding these modules; I'll dig into
this and file a separate bug if necessary.

Changed in linux-kvm (Ubuntu):
status: In Progress → Fix Committed
Changed in linux-kvm (Ubuntu Xenial):
status: New → Fix Committed
Kleber Sacilotto de Souza (kleber-souza) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
Steve Langasek (vorlon)
tags: added: verification-done-xenial
removed: verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-kvm - 4.4.0-1010.15

---------------
linux-kvm (4.4.0-1010.15) xenial; urgency=low

  * linux-kvm: 4.4.0-1010.15 -proposed tracker (LP: #1729287)

  * linux-kvm needs CONFIG_USER_NS (LP: #1729023)
    - kvm: [config] enable USER_NS

  * no network after boot (LP: #1724359)
    - kvm: [config] enable DMI, DMIID

  * lack of random bits on linux-kvm (LP: #1729021)
    - kvm: [config] enable HW_RANDOM

  * lxd fails to run on linux-kvm (LP: #1723527)
    - kvm: [config] enable BRIDGE, NETFILTER, IPTABLES

  [ Ubuntu: 4.4.0-100.123 ]

  * linux: 4.4.0-100.123 -proposed tracker (LP: #1729273)
  * Xenial update to 4.4.95 stable release (LP: #1729107)
    - USB: devio: Revert "USB: devio: Don't corrupt user memory"
    - USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
    - USB: serial: metro-usb: add MS7820 device id
    - usb: cdc_acm: Add quirk for Elatec TWN3
    - usb: quirks: add quirk for WORLDE MINI MIDI keyboard
    - usb: hub: Allow reset retry for USB2 devices on connect bounce
    - ALSA: usb-audio: Add native DSD support for Pro-Ject Pre Box S2 Digital
    - can: gs_usb: fix busy loop if no more TX context is available
    - usb: musb: sunxi: Explicitly release USB PHY on exit
    - usb: musb: Check for host-mode using is_host_active() on reset interrupt
    - can: esd_usb2: Fix can_dlc value for received RTR, frames
    - drm/nouveau/bsp/g92: disable by default
    - drm/nouveau/mmu: flush tlbs before deleting page tables
    - ALSA: seq: Enable 'use' locking in all configurations
    - ALSA: hda: Remove superfluous '-' added by printk conversion
    - i2c: ismt: Separate I2C block read from SMBus block read
    - brcmsmac: make some local variables 'static const' to reduce stack size
    - bus: mbus: fix window size calculation for 4GB windows
    - clockevents/drivers/cs5535: Improve resilience to spurious interrupts
    - rtlwifi: rtl8821ae: Fix connection lost problem
    - KEYS: encrypted: fix dereference of NULL user_key_payload
    - lib/digsig: fix dereference of NULL user_key_payload
    - KEYS: don't let add_key() update an uninstantiated key
    - pkcs7: Prevent NULL pointer dereference, since sinfo is not always set.
    - parisc: Avoid trashing sr2 and sr3 in LWS code
    - parisc: Fix double-word compare and exchange in LWS code on 32-bit kernels
    - sched/autogroup: Fix autogroup_move_group() to never skip sched_move_task()
    - f2fs crypto: replace some BUG_ON()'s with error checks
    - f2fs crypto: add missing locking for keyring_key access
    - fscrypt: fix dereference of NULL user_key_payload
    - KEYS: Fix race between updating and finding a negative key
    - fscrypto: require write access to mount to set encryption policy
    - FS-Cache: fix dereference of NULL user_key_payload
    - Linux 4.4.95
  * Xenial update to 4.4.94 stable release (LP: #1729105)
    - percpu: make this_cpu_generic_read() atomic w.r.t. interrupts
    - drm/dp/mst: save vcpi with payloads
    - MIPS: Fix minimum alignment requirement of IRQ stack
    - sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
    - bpf/verifier: reject BPF_ALU64|BPF_END
    - udpv6: F...

Changed in linux-kvm (Ubuntu Xenial):
status: Fix Committed → Fix Released
Changed in linux-kvm (Ubuntu):
status: Fix Committed → Fix Released