
I've never run OpenStack on SUSE, but my guess is that you are running into an issue that is similar to something I have seen on RHEL.

The current open vswitch vif-plugging mechanism creates a tap device for each VM NIC, then has libvirt use that tap using an <interface type="ethernet" device="tapX">

This works fine on Ubuntu, but some distros have things locked down a bit more, which seems to prevent libvirt from using these tap devices.

I've seen some success working around this issue on RHEL by doing some combination of the following changes to "/etc/libvirt/qemu.conf" and then restarting libvirt:

Uncomment the line:

cgroup_controllers = [ "cpu", "devices", "memory" ]

Uncomment the following lines and add the reference to "/dev/net/tun":

cgroup_device_acl = [ "/dev/null", "/dev/full", "/dev/zero", "/dev/random", "/dev/urandom", "/dev/ptmx", "/dev/kvm", "/dev/kqemu", "/dev/rtc", "/dev/hpet", "/dev/net/tun" ]

Uncomment and set:

clear_emulator_capabilities = 0

Also change the user to run as root:

user = "root"
group = "root"

That said, if you're thinking about using this in production, you will have to put some time into exploring whether these changes are something you are comfortable with, as I believe the implication is that a malicious user that finds a way to break out of the KVM isolation would have root on your box, rather than just the permissions of the libvirt user.

It may also be the case that some of these problems go away if we instead set the permissions on the tap device to correspond to the libvirt user after creating it... I'm not really sure.

If you have any luck exploring this or have suggestions on how we can change the vif-plugging to work better on SUSE, let me know.
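The qemu.conf edits listed in the answer above, as an added shell example that is not part of the original post and not OpenStack or libvirt project code. It applies the changes to a copy of the file in two flavours so they can be compared before restarting libvirtd: a least-privilege variant that only grants the emulator access to /dev/net/tun through the device cgroup, and the full variant the answer describes, which also runs qemu as root with its capabilities kept. The sample file is constructed here and only mirrors the settings quoted above; the sed patterns assume libvirt's stock commented-out defaults and assume cgroup_device_acl sits on a single line, as quoted in the answer (a stock qemu.conf may wrap that list over several lines, which this does not handle).

```shell
#!/bin/sh
# Added example (not from the original post or the libvirt/OpenStack projects).
# Applies the qemu.conf changes from the answer to a COPY of the file, in two
# variants, so the privilege trade-off can be inspected before restarting libvirtd.
# Assumptions: settings are stock commented defaults ('#key = value' at line start)
# and cgroup_device_acl is on ONE line, as quoted in the answer.

# Constructed sample of the relevant stock settings; not a real qemu.conf.
make_sample_conf() {
    cat > "$1" <<'EOF'
#user = "root"
#group = "root"
#cgroup_controllers = [ "cpu", "devices", "memory" ]
#cgroup_device_acl = [ "/dev/null", "/dev/full", "/dev/zero", "/dev/random", "/dev/urandom", "/dev/ptmx", "/dev/kvm", "/dev/kqemu", "/dev/rtc", "/dev/hpet" ]
#clear_emulator_capabilities = 1
EOF
}

# Variant 1 (least privilege): enable the devices cgroup controller and add
# /dev/net/tun to the device ACL (once; running it twice changes nothing).
# qemu keeps running as the libvirt user with its capabilities cleared.
patch_qemu_conf_least_privilege() {
    sed -e 's|^#*\(cgroup_controllers = .*\)|\1|' \
        -e '/\/dev\/net\/tun/!s|^#*\(cgroup_device_acl = \[.*[^ ]\) *\]|\1, "/dev/net/tun" ]|' \
        -e 's|^#*\(cgroup_device_acl = .*\)|\1|' \
        "$1" > "$2"
}

# Variant 2 (everything the answer lists): on top of variant 1, run qemu as
# root:root and keep its capabilities. A guest escape then lands as root on the
# host rather than as the libvirt user, which is the trade-off the answer warns about.
patch_qemu_conf_root() {
    patch_qemu_conf_least_privilege "$1" "$2.tmp"
    sed -e 's|^#*user = .*|user = "root"|' \
        -e 's|^#*group = .*|group = "root"|' \
        -e 's|^#*clear_emulator_capabilities = .*|clear_emulator_capabilities = 0|' \
        "$2.tmp" > "$2"
    rm -f "$2.tmp"
}

# Print the effective (uncommented) value of KEY in FILE, or "unset" when the
# key is still commented out or absent. Usage: effective_value FILE KEY
effective_value() {
    v=$(sed -n "s|^$2 = \(.*\)|\1|p" "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else echo unset; fi
}

# Demo on a scratch copy; never touches /etc/libvirt/qemu.conf.
work=$(mktemp -d)
make_sample_conf "$work/qemu.conf"
patch_qemu_conf_least_privilege "$work/qemu.conf" "$work/least-priv.conf"
patch_qemu_conf_root "$work/qemu.conf" "$work/as-root.conf"
for f in least-priv as-root; do
    echo "== $f: user=$(effective_value "$work/$f.conf" user)" \
         "clear_emulator_capabilities=$(effective_value "$work/$f.conf" clear_emulator_capabilities)"
    echo "   cgroup_device_acl=$(effective_value "$work/$f.conf" cgroup_device_acl)"
done
```

To try the least-privilege variant on a real host, run the first function against /etc/libvirt/qemu.conf into a scratch file, diff it against the original, install it and restart libvirtd; only fall back to the root variant if tap plugging still fails, since that is the change that turns a guest breakout into root on the hypervisor.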