Add possibility to manage qemu security_driver
Related-Prod: PROD-35639
Change-Id: I87d8c44efddd95e19f7d10baa9d198caa77fbc07
diff --git a/README.rst b/README.rst
index 9acf16f..22f1189 100644
--- a/README.rst
+++ b/README.rst
@@ -1389,6 +1389,15 @@
database:
use_db_reconnect: true
+Set qemu security_driver
+========
+
+.. code-block:: yaml
+
+ nova:
+ compute:
+ security_driver: apparmor
+
Upgrades
========
diff --git a/nova/files/pike/qemu.conf.Debian b/nova/files/pike/qemu.conf.Debian
index cc91d44..a4d08b8 100644
--- a/nova/files/pike/qemu.conf.Debian
+++ b/nova/files/pike/qemu.conf.Debian
@@ -353,7 +353,13 @@
#hugetlbfs_mount = ["/run/hugepages/kvm", "/mnt/hugepages_1GB"]
{%- if compute.hugepages is defined %}
hugetlbfs_mount = [{%- for mount in compute.hugepages.mount_points %}"{{ mount.path }}"{% if not loop.last %}, {% endif %}{%- endfor %}]
-security_driver="none"
+{%- if compute.security_driver is defined %}
+security_driver = "{{ compute.security_driver }}"
+{%- else %}
+security_driver = "none"
+{%- endif %}
+{%- elif compute.security_driver is defined %}
+security_driver = "{{ compute.security_driver }}"
{%- endif %}
# Path to the setuid helper for creating tap devices. This executable
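Review bot: The `{%- else %}` branch inside the `compute.hugepages` block still renders `security_driver = "none"`, so a compute node that enables hugepages without setting `compute.security_driver` keeps running its guests with no sVirt (AppArmor/SELinux) confinement. If that fallback has to stay for compatibility, it should be stated in the rendered file, for example with `# "none" disables sVirt confinement of guests; set nova:compute:security_driver to override` above the fallback line. The pillar value is also written into the file unchecked, so a mistyped driver name is presumably only caught when libvirtd reads the config. A guard such as `{%- if compute.security_driver in ['none', 'apparmor', 'selinux'] %}` would make that failure explicit, provided the list matches the drivers this deployment supports. The same applies to the identical hunk in nova/files/queens/qemu.conf.Debian.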
diff --git a/nova/files/queens/qemu.conf.Debian b/nova/files/queens/qemu.conf.Debian
index 403490f..6ff26a3 100644
--- a/nova/files/queens/qemu.conf.Debian
+++ b/nova/files/queens/qemu.conf.Debian
@@ -357,7 +357,13 @@
#hugetlbfs_mount = ["/run/hugepages/kvm", "/mnt/hugepages_1GB"]
{%- if compute.hugepages is defined %}
hugetlbfs_mount = [{%- for mount in compute.hugepages.mount_points %}"{{ mount.path }}"{% if not loop.last %}, {% endif %}{%- endfor %}]
-security_driver="none"
+{%- if compute.security_driver is defined %}
+security_driver = "{{ compute.security_driver }}"
+{%- else %}
+security_driver = "none"
+{%- endif %}
+{%- elif compute.security_driver is defined %}
+security_driver = "{{ compute.security_driver }}"
{%- endif %}
# Path to the setuid helper for creating tap devices. This executable