diff --git a/ansible/roles/nova-cell/defaults/main.yml b/ansible/roles/nova-cell/defaults/main.yml
index 85e66a456edb5e838d6d31b750a017166faf05cc..d67d5473a5de7f60cabf554301b2c3e9c45075f5 100644
--- a/ansible/roles/nova-cell/defaults/main.yml
+++ b/ansible/roles/nova-cell/defaults/main.yml
@@ -413,6 +413,11 @@ libvirt_tls_manage_certs: true
 # ability for people to override the hostname to use.
 migration_hostname: "{{ ansible_nodename }}"
 
+# NOTE(yoctozepto): Part of bug #1681461 fix.
+# We can't get the id too effectively from the images so hardcoding here.
+# It does not change that often (in fact, most likely never ever).
+qemu_user_gid: 42427
+
 ####################
 # Kolla
 ####################
diff --git a/ansible/roles/nova-cell/tasks/config-host.yml b/ansible/roles/nova-cell/tasks/config-host.yml
index e6dcbb2eb99e200f9c49cf11ac27510f27332559..43ccab9da65963ec28df19999f91c7b3f40ac880 100644
--- a/ansible/roles/nova-cell/tasks/config-host.yml
+++ b/ansible/roles/nova-cell/tasks/config-host.yml
@@ -22,3 +22,30 @@
   when:
     - set_sysctl | bool
     - inventory_hostname in groups[nova_cell_compute_group]
+
+# NOTE(yoctozepto): Part of bug #1681461 fix.
+# This part can actually run on any distro and lets us drop the hardcoded
+# chown and chmod from the nova-libvirt image extend_start and make the process
+# more robust.
+- name: Install udev kolla kvm rules
+  become: true
+  template:
+    src: "99-kolla-kvm.rules.j2"
+    dest: "/etc/udev/rules.d/99-kolla-kvm.rules"
+    mode: "0644"
+  when:
+    - nova_compute_virt_type == 'kvm'
+    - inventory_hostname in groups[nova_cell_compute_group]
+
+# NOTE(yoctozepto): Part of bug #1681461 fix.
+# This part only really makes sense on Ubuntu and would end up being confusing
+# on others. This service changes /dev/kvm permissions.
+- name: Mask qemu-kvm service
+  become: true
+  systemd:
+    name: qemu-kvm.service
+    masked: true
+  when:
+    - nova_compute_virt_type == 'kvm'
+    - ansible_distribution == 'Ubuntu'
+    - inventory_hostname in groups[nova_cell_compute_group]
diff --git a/ansible/roles/nova-cell/templates/99-kolla-kvm.rules.j2 b/ansible/roles/nova-cell/templates/99-kolla-kvm.rules.j2
new file mode 100644
index 0000000000000000000000000000000000000000..6b528d10f374b16c3b5c290b0f408dee5bdc251f
--- /dev/null
+++ b/ansible/roles/nova-cell/templates/99-kolla-kvm.rules.j2
@@ -0,0 +1,4 @@
+# Part of Kolla Ansible OpenStack Nova deployment.
+
+# This ensures the /dev/kvm has proper permissions.
+KERNEL=="kvm", GROUP="{{ qemu_user_gid }}", MODE="0660"
diff --git a/releasenotes/notes/bug-1681461-761f0cdf71bcb962.yaml b/releasenotes/notes/bug-1681461-761f0cdf71bcb962.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..32397535ca121ce3f541e3027f6696d0dbd7bf97
--- /dev/null
+++ b/releasenotes/notes/bug-1681461-761f0cdf71bcb962.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fixes handling of `/dev/kvm` permissions to be more robust against
+    host-level actions.
+    `LP#1681461 <https://launchpad.net/bugs/1681461>`__