cgroup device acl in qemu.conf edit for gre

Bug #1086255 reported by Daneyon Hansen
This bug affects 1 person
Affects          Status        Importance  Assigned to   Milestone
Cisco Openstack  Fix Released  Undecided   Unassigned
Folsom           Fix Released  High        Edgar Magana

Bug Description

/etc/libvirt.conf needs to be edited to support OVS GRE mode. libvirt-bin then needs to be restarted.

Add the following to qemu.conf

cgroup_device_acl = [
        "/dev/null", "/dev/full", "/dev/zero",
        "/dev/random", "/dev/urandom",
        "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
        "/dev/rtc", "/dev/hpet", "/dev/net/tun",
    ]
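
A check for what this ACL widens, as an added example that is not part of the original report or the puppet-quantum module: it parses qemu.conf text and lists the active cgroup_device_acl entries that fall outside a baseline. The baseline is an assumption (the list above minus /dev/net/tun), and the function names and the sample file are constructed for illustration.

```python
import re

# Assumption: baseline = the ACL from the bug description without /dev/net/tun.
BASELINE = {
    "/dev/null", "/dev/full", "/dev/zero", "/dev/random", "/dev/urandom",
    "/dev/ptmx", "/dev/kvm", "/dev/kqemu", "/dev/rtc", "/dev/hpet",
}

# Constructed sample: a commented-out ACL followed by the active one.
SAMPLE = '''\
#cgroup_device_acl = [
#    "/dev/null", "/dev/full"
#]
user = "root"
cgroup_device_acl = [
        "/dev/null", "/dev/full", "/dev/zero",
        "/dev/random", "/dev/urandom",
        "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
        "/dev/rtc", "/dev/hpet", "/dev/net/tun",
    ]
'''

def parse_cgroup_device_acl(conf_text):
    """Return the active cgroup_device_acl entries, or None if the key is unset."""
    # Strip '#' comments first so a commented-out ACL is not read as active.
    # Simplification: assumes no '#' inside a quoted device path.
    active = "\n".join(l.split("#", 1)[0] for l in conf_text.splitlines())
    m = re.search(r"^\s*cgroup_device_acl\s*=\s*\[(.*?)\]", active, re.S | re.M)
    if m is None:
        return None
    return re.findall(r'"([^"]*)"', m.group(1))

def audit(conf_text, baseline=BASELINE):
    """Compare the active ACL with the baseline; 'added' is what got widened."""
    entries = parse_cgroup_device_acl(conf_text)
    if entries is None:
        return {"configured": False, "added": [], "missing": []}
    return {
        "configured": True,
        "added": sorted(set(entries) - baseline),
        "missing": sorted(baseline - set(entries)),
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```
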

Ian Wells (ijw-ubuntu) wrote :

... or we need to stop using the 'ethernet' driver in the XML files, which can be done with a suitable choice of VIF plugging driver.

Edgar Magana (emagana) wrote :

qemu.conf file has been fixed:
https://github.com/CiscoSystems/puppet-quantum/commit/decc7ebf79dc655723db45fda2221850f0d62f2d

I don't know what is needed for the libvirtd.conf!
Daneyon, can you clarify?

Daneyon Hansen (danehans) wrote :

Your fix should address the issue in the short term. In the long-term, the bug appeared because we are using the incorrect default Nova vif plugging in nova.conf:

Proposed Default:
libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver

Current Default:
libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtOpenVswitchDriver

The proposed default supports Nova security filtering, which most customers will want. It's beneficial to create some logic that if the LibvirtHybridOVSBridgeDriver is selected, then the qemu.conf file gets edited to include the GRE tunnel device and libvirt is restarted.

Daneyon Hansen (danehans) wrote :

For more detail, this is the core.pp setting that is part of the problem:

$libvirt_vif_driver = 'nova.virt.libvirt.vif.LibvirtOpenVswitchDriver',

We should be using:

$libvirt_vif_driver='nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver',

LibvirtHybridOVSBridgeDriver supports Nova security groups.

You may want to consider moving your qemu.conf code to either openstack::compute or nova::network. This way we can implement logic that states, if LibvirtOpenVswitchDriver is selected, then modify qemu.conf and restart service.

no longer affects: openstack-cisco

Ian Wells (ijw-ubuntu) wrote :

Hybrid plugging driver is incompatible with the noopfirewall driver so it's not the only change we would need.

Ian Wells (ijw-ubuntu) wrote :

  if $enabled {
    $service_ensure = "running"
  } else {
    $service_ensure = "stopped"
    file { "/etc/libvirt/qemu.conf":
       ensure => present,
       notify => Exec[ '/etc/init.d/libvirt-bin restart'],
       source => 'puppet:///modules/quantum/qemu.conf',
     }
     exec { '/etc/init.d/libvirt-bin restart':
        refreshonly => true,
        }
 }

... think this might be an issue ;)

Ian Wells (ijw-ubuntu) wrote :

I suggest the following, rather than using an 'exec' command (exec is baaad, mm'kay?). It uses the service libvirt that nova creates.

  if $enabled {
    $service_ensure = "running"
  } else {
    $service_ensure = "stopped"
  }

  # If you're using ethernet KVM connections then we need to change the qemu default settings
  # They're recommended against, hence not being turned on in qemu by default, but they're
  # needed by some VIF plugging code.
  file { "/etc/libvirt/qemu.conf":
     ensure => present,
     notify => Service['libvirt'], # from nova::compute - beware the cross-dependency
     source => 'puppet:///modules/quantum/qemu.conf',
  }

Changed in openstack-cisco:
status: New → Fix Released