Bump libvirtd memlock ulimit

This is required for libvirtd with cgroupsv2 (Debian Bullseye and
soon others).
Otherwise, device attachments simply fail.
The warning message suggests filtering will be disabled but it
actually just fails the action entirely.

Change-Id: Id1fbd49a31a6e6e51b667f646278b93897c05b21
Closes-Bug: #1941940

ansible/roles/nova-cell/defaults/main.yml

@@ -239,7 +239,17 @@ nova_compute_ironic_image: "{{ docker_registry ~ '/' if docker_registry else ''
 nova_compute_ironic_tag: "{{ nova_tag }}"
 nova_compute_ironic_image_full: "{{ nova_compute_ironic_image }}:{{ nova_compute_ironic_tag }}"
 
-nova_libvirt_dimensions: "{{ default_container_dimensions }}"
+nova_libvirt_default_dimensions:
+  ulimits:
+    # NOTE(yoctozepto): This limit bump is required for cgroupsv2 which use eBPF
+    # to filter devices. See also LP#1941940. The new value is said to support
+    # up to 4096 guests (see libvirtd systemd service file from Debian Bullseye
+    # libvirt-daemon-system package for details).
+    memlock:
+      soft: 67108864  # 64 MiB
+      hard: 67108864  # 64 MiB
+
+nova_libvirt_dimensions: "{{ default_container_dimensions | combine(nova_libvirt_default_dimensions, recursive=True) }}"
 nova_ssh_dimensions: "{{ default_container_dimensions }}"
 nova_novncproxy_dimensions: "{{ default_container_dimensions }}"
 nova_spicehtml5proxy_dimensions: "{{ default_container_dimensions }}"

releasenotes/notes/bug-1941940-c63265ea6ea2f594.yaml

@@ -0,0 +1,11 @@
+---
+fixes:
+  - |
+    Fixes inability to attach devices (e.g., volumes via iSCSI/FC)
+    to instances on Debian Bullseye.
+    `LP#1941940 <https://launchpad.net/bugs/1941940>`__
+upgrade:
+  - |
+    To fix LP#1941940, ``nova_libvirt_dimensions`` now by default combines with
+    ``nova_libvirt_default_dimensions``. Please consider this when customising
+    that variable.